Lucene search
+L
AlpinelinuxRecent

13063 matches found

AlpineLinux
AlpineLinux
•added 2025/07/04 8:16 a.m.•13 views

CVE-2025-5351

A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additiona...

6.5CVSS6.6AI score0.00494EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2025/07/04 6:1 a.m.•14 views

CVE-2025-5372

A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the sshkdf function responsible for key derivation. Due to inconsistent interpretation of return values where OpenSSL uses 0 to indicate failure and libssh uses 0 for success—the function may mistakenl...

8.8CVSS6.2AI score0.00407EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2025/07/04 12:0 a.m.•6 views

CVE-2025-49600

In MbedTLS 3.3.0 before 3.6.4, mbedtlslmsverify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS Leighton-Micali Signature forgery in a fault scenario. Specifically, unchecked return values in mbedtlslmsverify allow an attacker who can induce ...

4.9CVSS6.9AI score0.00125EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2025/07/04 12:0 a.m.•3 views

CVE-2025-49601

In MbedTLS 3.3.0 before 3.6.4, mbedtlslmsimportpublickey does not check that the input buffer is at least 4 bytes before reading a 32-bit field, allowing a possible out-of-bounds read on truncated input. Specifically, an out-of-bounds read in mbedtlslmsimportpublickey allows context-dependent...

6.5CVSS6.5AI score0.00259EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2025/07/04 12:0 a.m.•5 views

CVE-2025-49809

mtr through 0.95, in certain privileged contexts, mishandles execution of a program specified by the MTRPACKET environment variable. NOTE: mtr on macOS may often have Sudo rules, as an indirect consequence of Homebrew not installing setuid binaries...

7.8CVSS7.2AI score0.00142EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2025/07/04 12:0 a.m.•6 views

CVE-2025-52497

Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtlspemreadbuffer and two mbedtlspkparse functions, via untrusted PEM input...

4.8CVSS6.7AI score0.00277EPSS
Exploits0References2
AlpineLinux
AlpineLinux
•added 2025/07/04 12:0 a.m.•5 views

CVE-2025-52496

Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery...

7.8CVSS6.3AI score0.00189EPSS
Exploits1References2
AlpineLinux
AlpineLinux
•added 2025/07/03 9:7 p.m.•5 views

CVE-2025-53367

DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing documents and images. Prior to version 3.5.29, the MMRDecoder::scanruns method is affected by an OOB-write vulnerability, because it does not check that the xr pointer stays within the bounds of the allocated buffer...

8.4CVSS7.4AI score0.00741EPSS
Exploits0References9
AlpineLinux
AlpineLinux
•added 2025/07/02 3:46 p.m.•5 views

CVE-2025-52886

Poppler is a PDF rendering library. Versions prior to 25.06.0 use std::atomicint for reference counting. Because std::atomicint is only 32 bits, it is possible to overflow the reference count and trigger a use-after-free. Version 25.06.0 patches the issue...

6.9CVSS7.5AI score0.00371EPSS
Exploits1References7
AlpineLinux
AlpineLinux
•added 2025/07/02 11:23 a.m.•4 views

CVE-2024-35164

The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers via text-based protocols like SSH. If a malicious user has access to a text-based connection, a specially-crafted sequence of console codes could allow arbitrary code to be...

7.5CVSS7.7AI score0.00424EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2025/07/01 4:16 p.m.•7 views

CVE-2025-6297

It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and...

8.2CVSS6.6AI score0.00341EPSS
Exploits0References2
AlpineLinux
AlpineLinux
•added 2025/06/30 9:14 p.m.•7 views

CVE-2025-6554

Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. Chromium security severity: High...

8.1CVSS6.7AI score0.06564EPSS
Exploits5
AlpineLinux
AlpineLinux
•added 2025/06/30 12:0 a.m.•5 views

CVE-2025-32463

Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option...

9.3CVSS6.3AI score0.47467EPSS
Exploits70
AlpineLinux
AlpineLinux
•added 2025/06/30 12:0 a.m.•3 views

CVE-2025-32462

Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines...

8.8CVSS6.9AI score0.03239EPSS
Exploits76
AlpineLinux
AlpineLinux
•added 2025/06/27 2:15 p.m.•6 views

CVE-2025-52993

A race condition in the Nix, Lix, and Guix package managers enables changing the ownership of arbitrary files to the UID and GID of the build user e.g., nixbld or guixbuild. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before...

5.6CVSS7.3AI score0.00115EPSS
Exploits0References6
AlpineLinux
AlpineLinux
•added 2025/06/27 2:15 p.m.•4 views

CVE-2025-52991

The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard users to deceive the package manager into using directories with pre-existing content, potentially leading to unauthorized actions or data...

3.2CVSS7.2AI score0.00144EPSS
Exploits0References6
AlpineLinux
AlpineLinux
•added 2025/06/27 2:15 p.m.•2 views

CVE-2025-52992

The Nix, Lix, and Guix package managers fail to properly set permissions when a derivation build fails. This may allow arbitrary processes to modify the content of a store outside of the build sandbox. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and...

3.2CVSS7.3AI score0.00144EPSS
Exploits0References6
AlpineLinux
AlpineLinux
•added 2025/06/27 2:15 p.m.•4 views

CVE-2025-46416

The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account e.g., nixbld or guixbuild. This affects Nix through 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix through 2.91.2, 2.92.2, and 2.93.1; and Guix before...

2.9CVSS7.2AI score0.00157EPSS
Exploits0References6
AlpineLinux
AlpineLinux
•added 2025/06/27 2:15 p.m.•6 views

CVE-2025-46415

A race condition in the Nix, Lix, and Guix package managers allows the removal of content from arbitrary folders. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b...

3.2CVSS7.3AI score0.00118EPSS
Exploits0References6
AlpineLinux
AlpineLinux
•added 2025/06/26 10:15 a.m.•3 views

CVE-2024-6174

When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration...

8.8CVSS7.1AI score0.00205EPSS
Exploits0References1
AlpineLinux
AlpineLinux
•added 2025/06/26 10:15 a.m.•4 views

CVE-2024-11584

cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands...

5.9CVSS7.3AI score0.00125EPSS
Exploits0References2
AlpineLinux
AlpineLinux
•added 2025/06/25 5:15 p.m.•7 views

CVE-2025-6442

Ruby WEBrick readheader HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions. The...

6.5CVSS7AI score0.00422EPSS
Exploits0References2
AlpineLinux
AlpineLinux
•added 2025/06/25 4:59 p.m.•16 views

CVE-2025-52894

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of...

7.5CVSS7.1AI score0.00331EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2025/06/25 4:54 p.m.•10 views

CVE-2025-52893

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. Th...

4.5CVSS6.8AI score0.00275EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2025/06/25 4:51 p.m.•8 views

CVE-2025-52890

Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13generates nftables rules that partially bypass security options security.macfiltering, security.ipv4filtering and security.ipv6filtering. This can lead to ARP...

8.1CVSS7.3AI score0.00195EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2025/06/25 4:49 p.m.•29 views

CVE-2025-52889

Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services DHCP, DNS... that partially bypass security options security.macfiltering, security.ipv4filtering and...

3.4CVSS7.3AI score0.00202EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2025/06/24 8:3 p.m.•6 views

CVE-2025-6557

Insufficient data validation in DevTools in Google Chrome on Windows prior to 138.0.7204.49 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. Chromium security severity: Low...

5.4CVSS7.5AI score0.00177EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2025/06/24 8:3 p.m.•5 views

CVE-2025-6556

Insufficient policy enforcement in Loader in Google Chrome prior to 138.0.7204.49 allowed a remote attacker to bypass content security policy via a crafted HTML page. Chromium security severity: Low...

5.4CVSS6.5AI score0.00157EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2025/06/24 2:10 p.m.•3 views

CVE-2025-5318

A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftphandle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in...

8.1CVSS6.1AI score0.02449EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2025/06/24 1:15 p.m.•5 views

CVE-2025-6436

Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox 140 and Thunderbird 140...

8.1CVSS7.7AI score0.02917EPSS
Exploits0References4
AlpineLinux
AlpineLinux
•added 2025/06/24 1:15 p.m.•7 views

CVE-2025-6433

If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This...

9.8CVSS6.5AI score0.00242EPSS
Exploits0References3
AlpineLinux
AlpineLinux
•added 2025/06/24 1:15 p.m.•9 views

CVE-2025-6434

The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability affects Firefox 140 and Thunderbird 140...

4.3CVSS6.5AI score0.00227EPSS
Exploits0References3
AlpineLinux
AlpineLinux
•added 2025/06/24 1:15 p.m.•6 views

CVE-2025-6435

If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the .download file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability affects Firefox 140 and...

8.1CVSS6.6AI score0.00372EPSS
Exploits0References4
AlpineLinux
AlpineLinux
•added 2025/06/24 1:15 p.m.•6 views

CVE-2025-6431

When a link can be opened in an external application, Firefox for Android will, by default, prompt the user before doing so. An attacker could have bypassed this prompt, potentially exposing the user to security vulnerabilities or privacy leaks in external applications. This bug only affects...

6.5CVSS6.8AI score0.0021EPSS
Exploits0References2
AlpineLinux
AlpineLinux
•added 2025/06/24 1:15 p.m.•8 views

CVE-2025-6432

When Multi-Account Containers was enabled, DNS requests could have bypassed a SOCKS proxy when the domain name was invalid or the SOCKS proxy was not responding. This vulnerability affects Firefox 140 and Thunderbird 140...

8.6CVSS6.5AI score0.00287EPSS
Exploits0References3
AlpineLinux
AlpineLinux
•added 2025/06/24 1:15 p.m.•2 views

CVE-2025-6425

An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12,...

4.3CVSS6.4AI score0.00249EPSS
Exploits0References8
AlpineLinux
AlpineLinux
•added 2025/06/24 1:15 p.m.•1 views

CVE-2025-6424

A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12...

9.8CVSS6.8AI score0.03123EPSS
Exploits0References8
AlpineLinux
AlpineLinux
•added 2025/06/24 1:15 p.m.•3 views

CVE-2025-6429

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an embed tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox 140, Firefox ESR...

6.5CVSS6.5AI score0.00285EPSS
Exploits0References7
AlpineLinux
AlpineLinux
•added 2025/06/24 1:15 p.m.•7 views

CVE-2025-6426

The executable file warning did not warn users before opening files with the terminal extension. This bug only affects Firefox for macOS. Other versions of Firefox are unaffected. This vulnerability affects Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12...

8.8CVSS6.5AI score0.00173EPSS
Exploits0References5
AlpineLinux
AlpineLinux
•added 2025/06/24 1:15 p.m.•3 views

CVE-2025-6430

When a file download is specified via the Content-Disposition header, that directive would be ignored if the file was included via a embed or object tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox 140, Firefox ESR 128.12, Thunderbi...

6.1CVSS5.8AI score0.00215EPSS
Exploits0References7
AlpineLinux
AlpineLinux
•added 2025/06/24 1:15 p.m.•8 views

CVE-2025-6428

When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially leading to phishing attacks. This bug only affects Firefox for Android. Other versions of Firefox are unaffected. This vulnerability affects Firefox 140...

4.3CVSS6.6AI score0.00189EPSS
Exploits1References2
AlpineLinux
AlpineLinux
•added 2025/06/24 1:15 p.m.•4 views

CVE-2025-6427

An attacker was able to bypass the connect-src directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability affects Firefox 140 and Thunderbird 140...

9.1CVSS6.5AI score0.003EPSS
Exploits0References3
AlpineLinux
AlpineLinux
•added 2025/06/23 10:15 a.m.•2 views

CVE-2025-52936

Improper Link Resolution Before File Access 'Link Following' vulnerability in yrutschle sslh.This issue affects sslh: before 2.2.2...

9.3CVSS7.3AI score0.00162EPSS
Exploits0References2
AlpineLinux
AlpineLinux
•added 2025/06/23 12:0 a.m.•9 views

CVE-2025-52968

xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie...

2.7CVSS7.3AI score0.00183EPSS
Exploits0References2
AlpineLinux
AlpineLinux
•added 2025/06/21 12:31 a.m.•6 views

CVE-2025-6375

A vulnerability was found in poco up to 1.14.1. It has been rated as problematic. Affected by this issue is the function MultipartInputStream of the file Net/src/MultipartReader.cpp. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The exploit has bee...

5.5CVSS3.3AI score0.00212EPSS
Exploits1References7
AlpineLinux
AlpineLinux
•added 2025/06/19 5:15 p.m.•9 views

CVE-2025-50200

RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in plaintext encoded in base64. When querying RabbitMQ api with HTTP/s with basic authentication it creates logs with all headers in request, including authorization headers which...

6.7CVSS7.3AI score0.00194EPSS
Exploits1References1
AlpineLinux
AlpineLinux
•added 2025/06/19 4:31 p.m.•3 views

CVE-2025-6270

A vulnerability, which was classified as critical, has been found in HDF5 up to 1.14.6. Affected by this issue is the function H5FSsectfindnode of the file H5FSsection.c. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has...

5.3CVSS7.2AI score0.00209EPSS
Exploits1References5
AlpineLinux
AlpineLinux
•added 2025/06/19 4:0 p.m.•4 views

CVE-2025-6269

A vulnerability classified as critical was found in HDF5 up to 1.14.6. Affected by this vulnerability is the function H5Creconstructcacheentry of the file H5Cimage.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the...

5.3CVSS7.4AI score0.00209EPSS
Exploits1References5
AlpineLinux
AlpineLinux
•added 2025/06/19 3:8 p.m.•7 views

CVE-2025-49014

jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function fstrflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication...

6.9CVSS7AI score0.00321EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2025/06/19 1:42 a.m.•5 views

CVE-2025-50182

urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means...

6.1CVSS5.5AI score0.0032EPSS
Exploits0References3
Total number of security vulnerabilities13063