57 matches found

CNNVD
added 2026/06/10 12:00 a.m.

Dulwich path traversal vulnerability

Dulwich is a Python-based Git repository management interface developed by Jelmer Vernooij. Versions of Dulwich prior to 1.2.5 contained a path traversal vulnerability. This vulnerability occurred when deriving patch file names from the commit message, without properly cleaning path separators an...

CVSS 3.3 | AI score 5.3 | EPSS 0.00139
Exploits 0 | References 1
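The Dulwich entry above describes a patch file name derived from the commit message without path separators being cleaned. The following is an added illustration of the hardening that implies, not Dulwich's own code: the commit summary is reduced to a safe basename before it is joined to the output directory. The function names `patch_filename` and `patch_path` are hypothetical.

```python
"""Derive a git-format-patch style file name from a commit summary safely.

Added example, not code from Dulwich. The only property it enforces is
that whatever the commit author wrote, the result is a single path
component that cannot leave the output directory.
"""
import os
import re

# Anything outside this set is collapsed to '-', which removes '/', '\\',
# NUL and whitespace before the name ever reaches a filesystem call.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")


def patch_filename(summary: str, number: int) -> str:
    """Return e.g. '0001-Fix-crash-in-parser.patch' for a commit summary.

    Leading dots and dashes are stripped so the slug can never be '..'
    or a dotfile; an empty or all-punctuation summary falls back to 'patch'.
    """
    stripped = summary.strip()
    first_line = stripped.splitlines()[0] if stripped else ""
    slug = _UNSAFE.sub("-", first_line)
    slug = re.sub(r"-{2,}", "-", slug).strip("-.")
    slug = slug[:52].rstrip("-.")          # keep names short, like git does
    if not slug:
        slug = "patch"
    return f"{number:04d}-{slug}.patch"


def patch_path(out_dir: str, summary: str, number: int) -> str:
    """Join the derived name to out_dir and verify it stayed inside it.

    The containment check is defence in depth: patch_filename() already
    cannot emit a separator, but a later refactor of that function should
    not silently reintroduce traversal.
    """
    name = patch_filename(summary, number)
    base = os.path.realpath(out_dir)
    full = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(full) != base:
        raise ValueError(f"patch name escaped output directory: {name!r}")
    return full


if __name__ == "__main__":
    # Constructed inputs: a normal subject and a traversal attempt.
    for subject in ("Fix crash in parser", "../../.ssh/authorized_keys"):
        print(patch_path("out", subject, 1))
```

A subject such as `../../.ssh/authorized_keys` becomes `0001-ssh-authorized_keys.patch`; the traversal is gone because the separators were rewritten, not because they were merely checked for.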
CNNVD
added 2026/04/09 12:00 a.m.

Directus security vulnerability

Directus is an open-source real-time API and application dashboard developed by Directus. It is used to manage SQL database content. Versions of Directus prior to 11.17.0 contained a security vulnerability. This vulnerability stemmed from the PATCH /files/id endpoint accepting a user-controlled...

CVSS 8.8 | AI score 5.8 | EPSS 0.00204
Exploits 0 | References 2
OSV
added 2026/03/31 4:50 p.m.

JLSEC-2026-12

GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files; specifically, the EDITOR_PROGRAM invocation (using ed) can result in code execution. This attack appears to be exploitable via a patch file processed via the patch utility. This is similar to FreeBSD's...

CVSS 7.8 | AI score 7.1 | EPSS 0.0556
Exploits 0 | References 40
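The GNU Patch entry above (CVE-2018-1000156) concerns patch files that are handed to ed, whose `!command` lines are passed to the shell. The following is an added pre-flight check, not code from GNU patch: it classifies a patch body and lists any ed shell escapes, so untrusted patches can be rejected before `patch` is run. The classification is a conservative approximation of patch's own format detection, and a `!` line inside ed's text-input mode is flagged too, so false positives are possible; the sample patches are constructed.

```python
"""Flag ed-style patches that carry shell escapes (cf. CVE-2018-1000156).

Added example, not code from GNU patch. Patch falls back to treating
input that is neither a unified nor a context diff as an ed script, and
ed executes '!command' lines via the shell. These helpers let a caller
refuse such input up front.
"""
import re

_ED_CMD = re.compile(r"^\d+(?:,\d+)?[acdis]$")   # ed commands: "1a", "3,5d", "2c"
_ED_SHELL = re.compile(r"^!\s*(.*)$")             # ed shell escape

# Constructed samples: an ed script with a shell escape, and a plain unified diff.
MALICIOUS_ED_PATCH = """\
1a
hello
.
!id > /tmp/pwned
w
q
"""

BENIGN_UNIFIED = """\
--- a/x.txt
+++ b/x.txt
@@ -1 +1 @@
-old
+new
"""


def patch_format(text: str) -> str:
    """Return 'unified', 'context', 'ed' or 'unknown' for a patch body."""
    lines = text.splitlines()
    if any(l.startswith("@@ ") for l in lines) and any(l.startswith("+++ ") for l in lines):
        return "unified"
    if any(l.startswith("*** ") for l in lines) and any(l.startswith("--- ") for l in lines):
        return "context"
    if any(_ED_CMD.match(l) for l in lines):
        return "ed"
    return "unknown"


def ed_shell_escapes(text: str) -> list:
    """Commands an ed script would hand to the shell, in file order."""
    found = []
    for line in text.splitlines():
        m = _ED_SHELL.match(line)
        if m:
            found.append(m.group(1))
    return found


def is_safe_to_apply(text: str) -> bool:
    """Accept unified/context diffs; accept ed scripts only without '!' lines.

    Rejecting the ed format outright (return fmt in ("unified", "context"))
    is the simpler policy when callers never need ed patches at all.
    """
    fmt = patch_format(text)
    if fmt in ("unified", "context"):
        return True
    return fmt == "ed" and not ed_shell_escapes(text)


if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_ED_PATCH), ("benign", BENIGN_UNIFIED)):
        print(label, patch_format(body), ed_shell_escapes(body), is_safe_to_apply(body))
```

Running it reports the ed sample as format `ed` with the escape `id > /tmp/pwned` and marks it unsafe, while the unified diff is accepted. The fix in GNU patch addressed the ed invocation itself; this gate is a complement for pipelines that apply patches from untrusted sources on hosts that cannot yet be upgraded.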
Tenable Nessus
added 2026/01/16 12:00 a.m.

MiracleLinux 4 : patch-2.6-8.AXS4 (AXSA:2018-2973:01)

The remote MiracleLinux 4 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2018-2973:01 advisory. patch: Malicious patch files cause ed to execute arbitrary commands CVE-2018-1000156 Tenable has extracted the preceding description block directly from the...

CVSS 7.8 | AI score 7.9 | EPSS 0.0556
Exploits 0 | References 2
EUVD
added 2025/10/07 12:30 a.m.

EUVD-2019-5066

Malware in sbrugna...

CVSS 9.3 | AI score 7.7 | EPSS 0.0453
Exploits 0 | References 22
EUVD
added 2025/10/07 12:30 a.m.

EUVD-2011-0438

Malware in sbrugna...

CVSS 2.1 | AI score 6.1 | EPSS 0.00381
Exploits 1 | References 8
EUVD
added 2025/10/07 12:30 a.m.

EUVD-2015-1553

Malware in sbrugna...

CVSS 9.3 | AI score 7.5 | EPSS 0.03535
Exploits 0 | References 8
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2024-42735

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 6.6 | EPSS 0.00618
Exploits 0 | References 3
NVD
added 2024/10/15 9:15 a.m.

CVE-2024-47943

The firmware upgrade function in the admin web interface of the Rittal IoT Interface & CMC III Processing Unit devices checks whether the patch files are signed before executing the run.sh script they contain. The signing process is a kind of HMAC with a long string as key, which is hard-coded in the...

CVSS 9.8 | EPSS 0.00618
Exploits 0 | References 3
Vulnrichment
added 2024/10/15 8:57 a.m.

CVE-2024-47943 Improper signature verification of firmware upgrade files

The firmware upgrade function in the admin web interface of the Rittal IoT Interface & CMC III Processing Unit devices checks whether the patch files are signed before executing the run.sh script they contain. The signing process is a kind of HMAC with a long string as key, which is hard-coded in the...

AI score 7.7 | EPSS 0.00618
Exploits 0 | References 2
Cvelist
added 2024/10/15 8:57 a.m.

CVE-2024-47943 Improper signature verification of firmware upgrade files

The firmware upgrade function in the admin web interface of the Rittal IoT Interface & CMC III Processing Unit devices checks whether the patch files are signed before executing the run.sh script they contain. The signing process is a kind of HMAC with a long string as key, which is hard-coded in the...

EPSS 0.00618
Exploits 0 | References 2
CVE
added 2024/10/15 8:57 a.m.

CVE-2024-47943

CVE-2024-47943 affects the Rittal IoT Interface & CMC III Processing Unit. The firmware upgrade feature does not properly verify patch signatures: the signing uses an HMAC-like mechanism with a hard-coded key, which is publicly available, allowing attackers to craft malicious signed .patch files ...

CVSS 9.8 | AI score 7.4 | EPSS 0.00618
Exploits 0 | References 3
Tenable Nessus
added 2024/06/03 12:00 a.m.

RHEL 5 : patch (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - patch: Malicious patch files cause ed to execute arbitrary commands CVE-2018-1000156 - Directory traversa...

CVSS 7.8 | AI score 7.9 | EPSS 0.08411
Exploits 0 | References 4
Tenable Nessus
added 2023/02/23 12:00 a.m.

Amazon Linux 2 : rust (ALAS-2023-1959)

The version of rust installed on the remote host is prior to 1.66.1-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-1959 advisory. Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code ...

CVSS 8.1 | AI score 8.1 | EPSS 0.00817
Exploits 0 | References 6
NVD
added 2022/09/14 6:15 p.m.

CVE-2022-36114

Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size also known as a...

CVSS 6.5 | EPSS 0.00639
Exploits 0 | References 2
Cvelist
added 2022/09/14 12:00 a.m.

CVE-2022-36113 Extracting malicious crates can corrupt arbitrary files

Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the /.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the...

CVSS 4.6 | AI score 8.6 | EPSS 0.00817
Exploits 0 | References 2
Debian CVE
added 2022/09/14 12:00 a.m.

CVE-2022-36114

Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size also known as a...

CVSS 6.5 | AI score 6.9 | EPSS 0.00639
Exploits 0
OSV
added 2022/09/14 12:00 a.m.

CVE-2022-36114 Extracting malicious crates can fill the file system

Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size also known as a...

CVSS 4.8 | AI score 7.2 | EPSS 0.00639
Exploits 0 | References 4
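The Cargo entries above describe two separate extraction problems: a crate archive whose members redirect a later write to an arbitrary file (CVE-2022-36113, "can corrupt arbitrary files") and one whose decompressed size is unbounded (CVE-2022-36114, "can fill the file system"). The following is an added example of the two controls a registry client or build host would want, written in Python rather than Rust and not Cargo's own code: member types and paths are validated before anything is written, and the count of decompressed bytes is capped. The archives are constructed in memory; `extract_bounded`, `make_archive` and `run_demo` are hypothetical names.

```python
"""Bounded, path-checked extraction of a crate-like .tar.gz archive.

Added example, not code from Cargo. Two controls are shown: refusing
members that could write outside the destination (symlinks, hard links,
absolute paths, '..'), and capping the total bytes written so a tiny,
highly compressible archive cannot fill the disk.
"""
import io
import os
import tarfile
import tempfile


class UnsafeArchive(Exception):
    pass


def _check_member(m: tarfile.TarInfo) -> None:
    # Only regular files and directories. A symlink (or hard link) entry
    # extracted early would redirect a later write, such as a completion
    # marker, to whatever path it points at.
    if not (m.isfile() or m.isdir()):
        raise UnsafeArchive(f"disallowed member type: {m.name}")
    parts = m.name.replace("\\", "/").split("/")
    if m.name.startswith("/") or ".." in parts:
        raise UnsafeArchive(f"path escapes destination: {m.name}")


def extract_bounded(archive: bytes, dest: str, max_bytes: int) -> int:
    """Extract into dest, returning bytes written; raises UnsafeArchive.

    The cap is enforced on decompressed bytes as they are written, so it
    holds regardless of what the compressed size or headers suggest.
    """
    written = 0
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tf:
        for m in tf:
            _check_member(m)
            target = os.path.join(dest, m.name)
            if m.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            src = tf.extractfile(m)
            with open(target, "wb") as out:
                while True:
                    chunk = src.read(64 * 1024)
                    if not chunk:
                        break
                    written += len(chunk)
                    if written > max_bytes:
                        raise UnsafeArchive(f"extraction exceeds {max_bytes} bytes")
                    out.write(chunk)
    return written


def make_archive(members) -> bytes:
    """Build a .tar.gz in memory from (name, payload_or_link_target, is_symlink)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, payload, is_link in members:
            info = tarfile.TarInfo(name)
            if is_link:
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tf.addfile(info)
            else:
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def run_demo() -> dict:
    """Exercise the checks on three constructed archives; return the outcomes."""
    outcomes = {}
    # 1 MiB of zeros: a few KiB compressed, 1 MiB once written.
    bomb = make_archive([("crate-1.0.0/src/lib.rs", b"\0" * (1 << 20), False)])
    outcomes["bomb_compressed_bytes"] = len(bomb)
    # A symlink where a marker file would later be written.
    link = make_archive([("crate-1.0.0/.cargo-ok", "/etc/passwd", True)])
    # A benign crate with one small source file.
    good = make_archive([("crate-1.0.0/src/lib.rs", b"fn main() {}", False)])
    for label, blob in (("bomb", bomb), ("symlink", link), ("good", good)):
        with tempfile.TemporaryDirectory() as d:
            try:
                outcomes[label] = extract_bounded(blob, d, max_bytes=256 * 1024)
            except UnsafeArchive as e:
                outcomes[label] = "rejected: " + str(e)
    return outcomes


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The zero-filled archive compresses to well under 64 KiB yet is refused once 256 KiB have been written; the symlink member is refused before any write; the benign crate extracts its 12-byte source file. Counting bytes as they are written, rather than trusting a declared size, is what makes the cap meaningful against crafted input.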
OSV
added 2022/05/25 7:19 p.m.

CLSA-2022-1653506357 Fixed 5 CVEs in java-1.8.0-openjdk

Upgrade to openjdk-shenandoah-jdk8u-shenandoah-jdk8u332-b09. That fixes following CVEs: - CVE-2022-21476: Defective secure validation in Apache Santuario - CVE-2022-21496: URI parsing inconsistencies - CVE-2022-21434: Improper object-to-string conversion in AnnotationInvocationHandler -...

CVSS 7.5 | AI score 6.9 | EPSS 0.03825
Exploits 0 | References 1
OSV
added 2021/12/28 2:11 p.m.

CLSA-2021-1640700710 Fix CVE(s): CVE-2021-3517, CVE-2021-3516, CVE-2020-24977, CVE-2021-3541, CVE-2021-3537, CVE-2021-3518, CVE-2019-20388, CVE-2017-8872

SECURITY UPDATE: Out-of-bounds array access
- debian/patches/CVE-2021-3517.patch: Validate UTF8 in xmlEncodeEntities
- CVE-2021-3517
SECURITY UPDATE: Use-after-free error
- debian/patches/CVE-2021-3518.patch: Fix use-after-free with 'xmllint --xinclude --dropdtd'
- CVE-2021-3518
SECURITY UPDATE:...

CVSS 9.1 | AI score 6.9 | EPSS 0.0828
Exploits 2 | References 1