OSV · added 2021/11/05 8:15 p.m.

PYSEC-2021-807

TensorFlow is an open source platform for machine learning. In affected versions, if tf.image.resize is called with a large input argument, the TensorFlow process will crash due to a CHECK failure caused by an overflow: the number of elements in the output tensor is too large for the int64_t typ...

CVSS 5.5 · AI score 6.1 · EPSS 0.00049 · Exploits 1 · References 3

CNNVD · added 2021/09/27 12:00 a.m.

Rucky encryption issue vulnerability

Rucky is an Android application that performs the USB HID "Rubber Ducky" attack in several ways. Rucky is vulnerable to an encryption issue that stems from the use of the weak cipher transformation RSA/ECB/PKCS1Padding (PKCS#1 v1.5 padding). The issue will be patched in v2.3 for releases and after 426 for nightly releases. ...

CVSS 7.5 · AI score 7.3 · EPSS 0.00148 · Exploits 0 · References 2

NVD · added 2021/09/20 10:15 p.m.

CVE-2021-39229

Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. In affected versions, users of Apprise who have access to the IFTTT plugin, which is enabled out of the box, are subject to a denial of service attac...

CVSS 7.5 · EPSS 0.00446 · Exploits 1 · References 3

OSV · added 2021/09/17 2:15 p.m.

CVE-2021-39228

Tremor is an event processing system for unstructured data. A vulnerability exists between versions 0.7.2 and 0.11.6. It is a memory safety issue triggered when using patch or merge on state and assigning the result back to state. In this case, affected versions of Tremor and the tremor-script...

CVSS 9.8 · AI score 9.8 · Exploits 0 · References 4

OSV · added 2021/08/25 2:47 p.m.

GHSA-HPH2-M3G5-XXV4 XStream is vulnerable to an Arbitrary Code Execution attack

Impact: The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required...

CVSS 8.5 · AI score 7.5 · EPSS 0.00625 · Exploits 1 · References 13

OSV · added 2021/08/12 11:15 p.m.

PYSEC-2021-290

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause a denial of service in applications serving models that use tf.raw_ops.UnravelIndex by triggering a division by 0. The implementation does not check that the tensor subsumed by dims is not...

CVSS 5.5 · AI score 6 · EPSS 0.00044 · Exploits 0 · References 2

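
The overflow in PYSEC-2021-807 and the zero divisor in PYSEC-2021-290 above are both failures to validate a shape before arithmetic is done on it. The Python below is an added illustration and not TensorFlow's code: it shows how an unchecked int64 product wraps (to 0 or to a negative number) for a shape a resize could be asked for, the checked product a fix needs instead, and a row-major UnravelIndex that refuses a zero dim before it ever divides by it. The sample shapes and indices are constructed for the demo.

```python
INT64_MAX = 2**63 - 1
UINT64_MASK = 2**64 - 1


def wrapping_int64_product(shape):
    """Multiply the dims the way an unchecked int64 loop does: the product
    silently wraps at 2**64, so an absurd shape can come out as 0 or negative."""
    total = 1
    for d in shape:
        total = (total * d) & UINT64_MASK
    return total - 2**64 if total > INT64_MAX else total


def checked_num_elements(shape):
    """Element count of `shape`, or None if a dim is negative or the product
    would overflow int64. Returning None lets the caller reject the op instead
    of letting a later CHECK fail on a wrapped value."""
    total = 1
    for d in shape:
        if d < 0:
            return None
        total *= d
        if total > INT64_MAX:
            return None
    return total


def unravel_index(indices, dims):
    """Row-major UnravelIndex: map each flat index to a coordinate tuple.
    dims are validated up front, so a zero dim is refused rather than used
    as a divisor, and each index is bounds-checked against the element count."""
    if not dims or any(d <= 0 for d in dims):
        raise ValueError(f"dims must be non-empty and positive, got {dims}")
    size = checked_num_elements(dims)
    if size is None:
        raise ValueError(f"product of dims {dims} overflows int64")
    out = []
    for idx in indices:
        if not 0 <= idx < size:
            raise IndexError(f"index {idx} out of range for dims {dims}")
        coords = []
        for d in reversed(dims):   # innermost dimension first
            coords.append(idx % d)
            idx //= d
        out.append(tuple(reversed(coords)))
    return out


def rejected(fn, *args):
    """True when the call is refused with ValueError or IndexError."""
    try:
        fn(*args)
    except (ValueError, IndexError):
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: an output shape whose element count overflows int64,
    # and UnravelIndex arguments with a zero dim.
    huge = [2**32, 2**32]
    print("unchecked product:", wrapping_int64_product(huge))   # wraps to 0
    print("checked product:", checked_num_elements(huge))       # None -> reject the op
    print(unravel_index([5, 7], [2, 4]))                        # [(1, 1), (1, 3)]
    print("zero dim rejected:", rejected(unravel_index, [0], [0, 3]))
```

The wrapped product is the value the unpatched kernel would have handed to its allocator or CHECK; the checked variant is what lets the op return an error status to the caller instead of taking the whole process down.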
OSV · added 2021/08/12 9:15 p.m.

PYSEC-2021-554

TensorFlow is an end-to-end open source platform for machine learning. In affected versions, if the arguments to tf.raw_ops.RaggedGather don't describe a valid ragged tensor, code can trigger a read outside the bounds of heap-allocated buffers. The implementation directly reads the first...

CVSS 7.3 · AI score 1.6 · EPSS 0.00013 · Exploits 0 · References 2

Cvelist · added 2021/06/30 5:25 p.m.

CVE-2021-32736 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in think-helper

think-helper defines a set of helper functions for ThinkJS. In versions of think-helper prior to 1.1.3, the software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes...

CVSS 7.5 · AI score 7.7 · EPSS 0.00212 · Exploits 0 · References 1

Positive Technologies · added 2021/06/10 12:00 a.m.

PT-2021-18726

Name of the vulnerable software and affected versions: Checkov versions 2.0.0 through 2.0.138
Description: An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious Terraform file.
Recommendations: For Checkov versions...

CVSS 7.2 · AI score 6.4 · EPSS 0.03376 · Exploits 0 · References 5

Positive Technologies · added 2021/05/18 12:00 a.m.

PT-2021-4288 (Ruby, BinData)

Name of the vulnerable software and affected versions: bindata RubyGem versions prior to 2.4.10
Description: The issue is related to a potential denial-of-service vulnerability in the bindata RubyGem. In affected versions, it is very slow for certain classes in BinData to be created, such as...

CVSS 6.3 · AI score 6.9 · EPSS 0.00174 · Exploits 1 · References 21

PyPA · added 2021/05/07 3:15 p.m.

PYSEC-2021-12

Eventlet is a concurrent networking library for Python. A WebSocket peer may exhaust memory on the Eventlet side by sending very large WebSocket frames, or by sending a highly compressed data frame that inflates to far more than it carries on the wire. A patch in version 0.31.0 restricts websocket frame to...

CVSS 5.3 · AI score 6.9 · EPSS 0.00222 · Exploits 0 · References 1 · Affected software 1

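
PYSEC-2021-12 names two ways a peer can exhaust memory: a frame whose header declares an enormous length, and a permessage-deflate frame that inflates to far more than it carries. The Python below is an added example, not Eventlet's code; it checks the declared length before reading a body and caps how much zlib may produce while inflating, using the RFC 7692 convention of appending the 00 00 ff ff tail the sender stripped. MAX_FRAME_BYTES and MAX_INFLATED_BYTES are assumed limits (the advisory does not say which values 0.31.0 chose), and the frames are constructed here for the demo.

```python
import struct
import zlib

# Assumed limits for this illustration; eventlet's 0.31.0 patch picks its own values.
MAX_FRAME_BYTES = 1 << 20      # refuse any frame declaring more than 1 MiB
MAX_INFLATED_BYTES = 4 << 20   # refuse any payload that inflates past 4 MiB


def parse_frame_header(buf):
    """Decode the start of an RFC 6455 frame. Returns (fin, rsv1, opcode, masked,
    payload_len, header_len). The declared length is checked before any body is
    read, so a peer cannot make us buffer a multi-gigabyte frame."""
    if len(buf) < 2:
        raise ValueError("short header")
    b0, b1 = buf[0], buf[1]
    fin, rsv1, opcode = bool(b0 & 0x80), bool(b0 & 0x40), b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    pos = 2
    if length == 126:
        if len(buf) < 4:
            raise ValueError("short header")
        (length,) = struct.unpack("!H", buf[2:4])
        pos = 4
    elif length == 127:
        if len(buf) < 10:
            raise ValueError("short header")
        (length,) = struct.unpack("!Q", buf[2:10])
        pos = 10
    if length > MAX_FRAME_BYTES:
        raise ValueError(f"frame declares {length} bytes, limit is {MAX_FRAME_BYTES}")
    if masked:
        pos += 4   # 4-byte masking key follows the length
    return fin, rsv1, opcode, masked, length, pos


def inflate_bounded(data, limit=MAX_INFLATED_BYTES):
    """Inflate a permessage-deflate payload (raw deflate, trailing 00 00 ff ff
    stripped by the sender) while capping how much output zlib may produce.
    Asking for limit+1 bytes is enough to detect an over-limit message."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data + b"\x00\x00\xff\xff", limit + 1)
    if len(out) > limit or d.unconsumed_tail:
        raise ValueError(f"payload inflates past {limit} bytes")
    return out


def deflate_payload(payload):
    """Compress as a permessage-deflate sender would (used to build test frames)."""
    c = zlib.compressobj(wbits=-15)
    return (c.compress(payload) + c.flush(zlib.Z_SYNC_FLUSH))[:-4]


def build_frame(payload, rsv1=False):
    """Client-to-server binary frame (FIN set, fixed 4-byte mask) for testing."""
    b0 = 0x80 | (0x40 if rsv1 else 0) | 0x02
    n = len(payload)
    if n < 126:
        hdr = bytes([b0, 0x80 | n])
    elif n < 1 << 16:
        hdr = bytes([b0, 0x80 | 126]) + struct.pack("!H", n)
    else:
        hdr = bytes([b0, 0x80 | 127]) + struct.pack("!Q", n)
    key = b"\x01\x02\x03\x04"
    return hdr + key + bytes(c ^ key[i % 4] for i, c in enumerate(payload))


def read_message(buf, inflate_limit=MAX_INFLATED_BYTES):
    """Parse one masked frame, unmask it, and inflate it if RSV1 is set."""
    fin, rsv1, opcode, masked, length, pos = parse_frame_header(buf)
    if not masked:
        raise ValueError("client frames must be masked")
    if len(buf) < pos + length:
        raise ValueError("truncated frame")
    key = buf[pos - 4:pos]
    body = bytes(c ^ key[i % 4] for i, c in enumerate(buf[pos:pos + length]))
    return inflate_bounded(body, inflate_limit) if rsv1 else body


def rejected(fn, *args):
    """True when the call is refused with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed frames: a legitimate compressed message, a deflate bomb, and a
    # header that declares a 1 TiB payload without sending any of it.
    print(read_message(build_frame(deflate_payload(b"A" * 100_000), rsv1=True))[:8])
    bomb = build_frame(deflate_payload(b"\x00" * 200_000), rsv1=True)
    print("bomb rejected:", rejected(read_message, bomb, 10_000))
    oversize = bytes([0x82, 0xFF]) + struct.pack("!Q", 1 << 40) + b"\x00" * 4
    print("oversize header rejected:", rejected(parse_frame_header, oversize))
```

Both checks happen before memory is committed: the length check runs on ten header bytes, and the inflate bound is enforced by zlib's own output cap rather than by inspecting the result afterwards, which is the only ordering that helps against a compressed bomb.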
Positive Technologies · added 2021/05/03 12:00 a.m.

PT-2021-5238 (Pulse Secure, Pulse Connect Secure)

Name of the vulnerable software and affected versions: Pulse Connect Secure versions prior to 9.1R11.4
Description: A buffer overflow issue exists, allowing a remote authenticated attacker to execute arbitrary code as the root user via maliciously crafted meeting room data. This can be exploited ...

CVSS 9 · AI score 9.8 · EPSS 0.42016 · Exploits 0 · References 6

Cvelist · added 2021/04/19 7:05 p.m.

CVE-2021-29455 Missing validation of JWT signature in `grassrootza/grassroot-platform`

Grassroot Platform is an application to make it faster, cheaper and easier to persistently organize and mobilize people in low-income communities. Grassroot Platform before the master deployment as of 2021-04-16 did not properly verify the signature of JSON Web Tokens when refreshing an existing JWT...

CVSS 7.5 · AI score 7.7 · EPSS 0.002 · Exploits 0 · References 3

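
CVE-2021-29455 is a refresh endpoint that mints a new token from claims it never verified, so anyone holding a token signed with any key can have it re-signed by the server. The Python below is an added illustration, not Grassroot Platform's (Java) code: a stdlib HS256 implementation with the vulnerable refresh beside the fixed one, showing an attacker-signed admin token being laundered into a server-signed one. The key material, claim names and REFRESH_LIFETIME are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json

REFRESH_LIFETIME = 3600  # assumed lifetime of a refreshed token, in seconds


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, key):
    """Issue a compact JWT signed with HMAC-SHA256 under `key`."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def decode_unverified(token):
    """Read the claims without checking the signature: the mistake the advisory describes."""
    _header, body, _sig = token.split(".")
    return json.loads(unb64url(body))


def verify_hs256(token, key):
    """Return the claims only if the token carries a valid HS256 signature under `key`.
    The algorithm is pinned, so 'alg': 'none' or a swapped algorithm is refused."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(unb64url(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(unb64url(body_b64))


def refresh_vulnerable(token, key, now):
    """Refresh endpoint that trusts whatever claims the presented token contains."""
    claims = decode_unverified(token)
    return sign_hs256({**claims, "exp": now + REFRESH_LIFETIME}, key)


def refresh_fixed(token, key, now):
    """Refresh endpoint that re-signs only claims it has verified."""
    claims = verify_hs256(token, key)
    return sign_hs256({**claims, "exp": now + REFRESH_LIFETIME}, key)


def rejected(fn, *args):
    """True when the call is refused with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    server_key = b"server-signing-key"   # constructed for the demo
    now = 1_700_000_000
    # The attacker signs an admin token with a key the server has never seen.
    forged = sign_hs256({"sub": "admin", "exp": now + 60}, b"attacker-key")
    laundered = refresh_vulnerable(forged, server_key, now)
    print("vulnerable refresh minted a token for:", verify_hs256(laundered, server_key)["sub"])
    print("fixed refresh rejects the forged token:", rejected(refresh_fixed, forged, server_key, now))
```

Pinning the algorithm matters as much as checking the signature: a verifier that reads `alg` from the header and honours it can be talked into `none`, which is the same bug class by another route. Expiry and issuer checks on the presented token are a separate policy decision and are left out here.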
OSV · added 2020/10/19 8:02 p.m.

GHSA-4FC4-CHG7-H8GH Unprotected dynamically loaded chunks

Impact: All dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-level chunks are unaffected.
Patches: This issue is...

CVSS 3.7 · AI score 5.9 · EPSS 0.00159 · Exploits 0 · References 5

OSV · added 2020/05/29 8:15 p.m.

DEBIAN-CVE-2020-11043

In FreeRDP less than or equal to 2.0.0, there is an out-of-bounds read in rfx_process_message_tileset. Invalid data fed to the RFX decoder results in garbage on screen as colors. This has been patched in 2.1.0...

CVSS 2.7 · AI score 6.7 · EPSS 0.00134 · Exploits 0 · References 1

Gitee · added 2020/05/06 3:20 p.m.

Exploit for Deserialization of Untrusted Data in Oracle Access_Manager

CVE-2020-2555 is a remote code execution (RCE) vulnerability in Oracle WebLogic Server, reached through the Oracle Coherence library it bundles. It is caused by a deserialization bug in the com.tangosol.util.extractor.ReflectionExtractor class. The vulnerability allows an attacker to execute arbitrary code on the server by sending a specially crafted...

CVSS 9.8 · AI score 9.8 · EPSS 0.93141 · Exploits 26

OSV · added 2020/04/29 9:15 p.m.

DEBIAN-CVE-2020-11023

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources (even after sanitizing it) to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0...

CVSS 6.1 · AI score 6.4 · EPSS 0.3466 · Exploits 6 · References 1

Positive Technologies · added 2020/04/14 12:00 a.m.

PT-2020-6213 (OpenEXR)

Name of the vulnerable software and affected versions: OpenEXR versions prior to 2.4.1
Description: An issue in OpenEXR is related to an off-by-one error in the use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read. This could potentially all...

CVSS 8.8 · AI score 6.6 · EPSS 0.02756 · Exploits 14 · References 137

Positive Technologies · added 2019/09/10 12:00 a.m.

PT-2019-4285 (Linux kernel)

Name of the vulnerable software and affected versions: Linux kernel versions prior to 5.3.11
Description: The issue is related to a memory leak in the Linux kernel, specifically in the ath9k_wmi_cmd function. This memory leak can be exploited by a remote attacker to cause a denial of service due ...

CVSS 10 · AI score 7.2 · EPSS 0.06617 · Exploits 106 · References 1453

Tenable Nessus · added 2018/04/17 12:00 a.m.

Debian DLA-1348-1 : patch security update

It was discovered that there was an input validation vulnerability in the patch(1) utility where an ed(1) script embedded in a regular input file could result in arbitrary code execution. This was reported by Rachel Kroll et al. For Debian 7 'Wheezy', this issue has been fixed in patch version...

CVSS 7.8 · AI score 7.7 · EPSS 0.36762 · Exploits 0 · References 4