
8850 matches found

Amazon
added 2018/04/19 12:0 a.m. | 76 views

Low: openssl

Issue Overview: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys: OpenSSL RSA key generation was found to be vulnerable to cache side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key...

CVSS 5.9 | AI score 6.5 | EPSS 0.12046
Exploits: 0

Amazon
added 2018/04/05 12:0 a.m. | 76 views

Medium: mod_wsgi

Issue Overview: Failure to handle errors when attempting to drop group privileges: mod_wsgi before 4.2.4 for Apache, when creating a daemon process group, does not properly handle when group privileges cannot be dropped, which might allow attackers to gain privileges via unspecified vectors...

CVSS 6.9 | AI score 7.1 | EPSS 0.00403
Exploits: 0

Amazon
added 2017/10/03 12:0 a.m. | 76 views

Medium: openssh

Issue Overview: A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. CVE-2016-6210 It was found that OpenSSH...

CVSS 7.8 | AI score 8.3 | EPSS 0.88944
Exploits: 23

Amazon
added 2017/08/31 12:0 a.m. | 76 views

Important: subversion, mod_dav_svn

Issue Overview: Command injection through clients via malicious svn+ssh URLs A shell command injection flaw related to the handling of "svn+ssh" URLs has been discovered in Subversion. An attacker could use this flaw to execute shell commands with the privileges of the user running the Subversion...

CVSS 9.8 | AI score 10 | EPSS 0.18892
Exploits: 3

Amazon
added 2016/12/15 12:0 a.m. | 76 views

Important: tomcat8

Issue Overview: CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests CVE-2016-8735 tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener Affected Packages: tomcat8 Issue Correction: Run yum update tomcat8 or yum update...

CVSS 9.8 | AI score 8.1 | EPSS 0.90338
Exploits: 7

Amazon
added 2016/04/27 12:0 a.m. | 76 views

Critical: java-1.7.0-openjdk

Issue Overview: It was discovered that the ObjectInputStream class in the Serialization component of OpenJDK failed to properly ensure thread consistency when deserializing serialized input. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions...

CVSS 10 | AI score 8.8 | EPSS 0.92334
Exploits: 1

Amazon
added 2014/09/24 12:0 a.m. | 76 views

Critical: bash

Issue Overview: This ALAS is superseded by ALAS-2014-419 (https://alas.aws.amazon.com/ALAS-2014-419.html). A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell...

CVSS 10 | AI score 9.4 | EPSS 0.99999
Exploits: 130

Amazon
added 2012/09/22 12:0 a.m. | 76 views

Important: libxslt

Issue Overview: A heap-based buffer overflow flaw was found in the way libxslt applied templates to nodes selected by certain namespaces. An attacker could use this flaw to create a malicious XSL file that, when used by an application linked against libxslt to perform an XSL transformation, could...

CVSS 6.8 | AI score 10 | EPSS 0.02467
Exploits: 1 | References: 1

Amazon
added 2024/08/15 12:0 a.m. | 75 views

Important: httpd

Issue Overview: A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosu...

CVSS 6.2 | AI score 6.7 | EPSS 0.04134
Exploits: 3

Amazon
added 2023/09/07 12:0 a.m. | 75 views

Important: amazon-ssm-agent

Issue Overview: The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. CVE-2021-43565 A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentication with R...

CVSS 7.5 | AI score 7.7 | EPSS 0.04561
Exploits: 0

Amazon
added 2023/03/07 12:0 a.m. | 75 views

Important: batik

Issue Overview: Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests...

CVSS 8.2 | AI score 7.2 | EPSS 0.13635
Exploits: 1

Amazon
added 2022/06/15 12:0 a.m. | 75 views

Important: log4j-cve-2021-44228-hotpatch

Issue Overview: Versions of the Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3-5 are affected by a race condition that could lead to a local privilege escalation. The Apache Log4j Hotpatch is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 o...

CVSS 10 | AI score 8.9 | EPSS 0.99999
Exploits: 349

Amazon
added 2022/04/28 12:0 a.m. | 75 views

Important: httpd24

Issue Overview: A flaw was found in the mod_lua module of httpd. A crafted request body can cause a read to a random memory area due to an uninitialized value in functions called by the parsebody function. The highest threat of this vulnerability is availability. CVE-2022-22719 A flaw was found in...

CVSS 9.8 | AI score 8.8 | EPSS 0.69803
Exploits: 0

Amazon
added 2022/04/27 12:0 a.m. | 75 views

Important: java-17-amazon-corretto

Issue Overview: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: JAXP. Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily...

CVSS 7.5 | AI score 5.2 | EPSS 0.46677
Exploits: 6

Amazon
added 2021/07/02 12:0 a.m. | 75 views

Medium: libxml2

Issue Overview: There's a flaw in libxml2's xmllint. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability. CVE-2021-3516 There's a flaw in libxml2. An attacke...

CVSS 8.8 | AI score 7.8 | EPSS 0.03653
Exploits: 1

Amazon
added 2021/05/19 12:0 a.m. | 75 views

Medium: python36

Issue Overview: The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of...

CVSS 5.9 | AI score 8 | EPSS 0.35963
Exploits: 1

Amazon
added 2020/12/09 12:0 a.m. | 75 views

Important: kernel

Issue Overview: A use-after-free flaw was found in the debugfs_remove function in the Linux kernel. The flaw could allow a local attacker with special user or root privilege to crash the system at the time of file or directory removal. This vulnerability can lead to a kernel information leak. The...

CVSS 8.2 | AI score 6.6 | EPSS 0.02447
Exploits: 6

Amazon
added 2020/09/02 12:0 a.m. | 75 views

Medium: python

Issue Overview: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. CVE-2019-20907 Affected Packages: python Note: This advisory is applicable to Amazon Linux 2 AL2...

CVSS 7.5 | AI score 8 | EPSS 0.06304
Exploits: 0

Amazon
added 2020/03/09 12:0 a.m. | 75 views

Important: tomcat

Issue Overview: The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. CVE-2018-8034 The URL pattern of "" (the empty string) which...

CVSS 9.8 | AI score 8.7 | EPSS 0.9927
Exploits: 47

Amazon
added 2020/02/24 12:0 a.m. | 75 views

Medium: php73

Issue Overview: When using fgetss function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash...

CVSS 9.1 | AI score 7.5 | EPSS 0.08888
Exploits: 2

Amazon
added 2020/01/14 12:0 a.m. | 75 views

Important: java-11-amazon-corretto

Issue Overview: Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: Security. Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network...

CVSS 8.1 | AI score 7.7 | EPSS 0.06457
Exploits: 0

Amazon
added 2019/12/13 12:0 a.m. | 75 views

Medium: file

Issue Overview: cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write). CVE-2019-18218 Affected Packages: file Issue Correction: Run yum update file or yum update --advisory...

CVSS 7.8 | AI score 9 | EPSS 0.0185
Exploits: 1

Amazon
added 2019/08/07 12:0 a.m. | 75 views

Important: python3

Issue Overview: A security regression of CVE-2019-9636 was discovered in python, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of...

CVSS 9.8 | AI score 8.3 | EPSS 0.08811
Exploits: 0

Amazon
added 2014/10/14 12:0 a.m. | 75 views

Important: openssl

Issue Overview: Bodo Moller, Thai Duong and Krzysztof Kotowicz of Google discovered a flaw in the design of SSL version 3.0 that would allow an attacker to calculate the plaintext of secure connections, allowing, for example, secure HTTP cookies to be stolen...

CVSS 4.3 | AI score 7 | EPSS 0.99999
Exploits: 7

Amazon
added 2026/01/07 12:0 a.m. | 74 views

Important: httpd

Issue Overview: Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to exec cmd="..." directives. CVE-2025-58098 Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Serv...

CVSS 8.3 | AI score 6.7 | EPSS 0.015
Exploits: 0

Amazon
added 2025/08/08 12:0 a.m. | 74 views

Important: httpd

Issue Overview: HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server to split the HTTP response. This vulnerability was described as CVE-2023-38709 but the patch included ...

CVSS 9.1 | AI score 6.7 | EPSS 0.04409
Exploits: 2

Amazon
added 2025/08/04 12:0 a.m. | 74 views

Important: httpd

Issue Overview: HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server to split the HTTP response. This vulnerability was described as CVE-2023-38709 but the patch included ...

CVSS 9.1 | AI score 6.7 | EPSS 0.04409
Exploits: 2

Amazon
added 2024/07/22 12:0 a.m. | 74 views

Important: httpd

Issue Overview: Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue...

CVSS 9.8 | AI score 8.5 | EPSS 0.99957
Exploits: 2

Amazon
added 2024/02/19 12:0 a.m. | 74 views

Important: kernel

Issue Overview: A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow function can cause a double...

CVSS 7.8 | AI score 8.3 | EPSS 0.28058
Exploits: 16

Amazon
added 2023/10/03 12:0 a.m. | 74 views

Important: containerd

Issue Overview: http2/hpack: avoid quadratic complexity in hpack decoding CVE-2022-41723 The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send...

CVSS 7.5 | AI score 7.1 | EPSS 0.04561
Exploits: 0

Amazon
added 2023/06/27 12:0 a.m. | 74 views

Important: kernel

Issue Overview: It was discovered that a nft object or expression could reference a nft set on a different nft table, leading to a use-after-free once that table was deleted. CVE-2022-2586 A heap buffer overflow flaw was found in the Linux kernel's Netfilter subsystem in the way a user provides...

CVSS 7.8 | AI score 6.9 | EPSS 0.12746
Exploits: 18

Amazon
added 2023/04/20 12:0 a.m. | 74 views

Important: golang

Issue Overview: Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset. CVE-2022-30580 Infinite loop in...

CVSS 9.8 | AI score 7.9 | EPSS 0.05623
Exploits: 2

Amazon
added 2023/03/22 12:0 a.m. | 74 views

Important: httpd

Issue Overview: There's a null pointer dereference and server-side request forgery flaw in httpd's mod_proxy module, when it is configured to be used as a forward proxy. A crafted packet could be sent on the adjacent network to the forward proxy that could cause a crash, or potentially SSRF via...

CVSS 9.8 | AI score 8.5 | EPSS 0.97108
Exploits: 6

Amazon
added 2023/03/22 12:0 a.m. | 74 views

Important: httpd

Issue Overview: Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion o...

CVSS 9.8 | AI score 6.7 | EPSS 0.8377
Exploits: 5

Amazon
added 2023/03/06 12:0 a.m. | 74 views

Important: vim

Issue Overview: A heap buffer overflow vulnerability was found in vim's ins_compl_infercase_gettext function of the src/insexpand.c file. This flaw occurs when vim tries to access uninitialized memory when completing a long line. This flaw allows an attacker to trick a user into opening a specially...

CVSS 7.8 | AI score 7.8 | EPSS 0.00797
Exploits: 21

Amazon
added 2022/04/25 3:47 a.m. | 74 views

Medium: containerd

Issue Overview: A flaw was found in Moby Docker Engine, where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when...

CVSS 5.9 | AI score 3.2 | EPSS 0.00492
Exploits: 0

Amazon
added 2021/12/10 12:0 a.m. | 74 views

Important: java-1.8.0-openjdk

Issue Overview: Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: JSSE. Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows...

CVSS 7.1 | AI score 5.7 | EPSS 0.14839
Exploits: 0

Amazon
added 2021/08/05 12:0 a.m. | 74 views

Important: java-1.8.0-openjdk

Issue Overview: Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Libraries. Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1...

CVSS 7.5 | AI score 6.2 | EPSS 0.04238
Exploits: 0

Amazon
added 2021/06/23 12:0 a.m. | 74 views

Medium: python-lxml

Issue Overview: A Cross-site Scripting (XSS) vulnerability was found in the python-lxml's clean module. The module's parser did not properly imitate browsers, causing different behaviors between the sanitizer and the user's page. This flaw allows a remote attacker to run arbitrary HTML/JS code. The...

CVSS 6.1 | AI score 6.5 | EPSS 0.03934
Exploits: 1

Amazon
added 2021/01/15 12:0 a.m. | 74 views

Medium: qemu-kvm

Issue Overview: A use-after-free issue was found in the SLiRP networking implementation of the QEMU emulator. The issue occurs in ip_reass routine while reassembling incoming packets, if the first fragment is bigger than the m->m_dat buffer. A user or process could use this flaw to crash the QEMU...

CVSS 7.5 | AI score 7.3 | EPSS 0.04027
Exploits: 0

Amazon
added 2019/09/13 12:0 a.m. | 74 views

Medium: mariadb

Issue Overview: Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: Server: Connection Handling. Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Difficult to exploit vulnerability allows low privileged attacker with access to...

CVSS 6.5 | AI score 6.7 | EPSS 0.0436
Exploits: 0

Amazon
added 2019/08/07 12:0 a.m. | 74 views

Important: python

Issue Overview: A security regression of CVE-2019-9636 was discovered in python, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of...

CVSS 9.8 | AI score 8.3 | EPSS 0.08811
Exploits: 0

Amazon
added 2019/05/16 12:0 a.m. | 74 views

Low: python-urllib3

Issue Overview: urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in...

CVSS 9.8 | AI score 8.3 | EPSS 0.04488
Exploits: 0

Amazon
added 2018/12/06 12:0 a.m. | 74 views

Low: poppler

Issue Overview: There is a NULL pointer dereference in the AnnotPath::getCoordsLength function in Annot.h. A crafted input will lead to a remote denial of service attack. CVE-2018-10768 The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler allows remote attackers to cause a denial of...

CVSS 6.5 | AI score 6.6 | EPSS 0.0315
Exploits: 3

Amazon
added 2017/01/19 12:0 a.m. | 74 views

Medium: httpd24

Issue Overview: The following security-related issues were fixed: Padding oracle vulnerability in Apache mod_session_crypto CVE-2016-0736 DoS vulnerability in mod_auth_digest CVE-2016-2161 Apache HTTP request parsing whitespace defects CVE-2016-8743 Affected Packages: httpd24 Issue Correction: Run yu...

CVSS 7.5 | AI score 7.1 | EPSS 0.49024
Exploits: 4

Amazon
added 2016/08/01 12:0 a.m. | 74 views

Medium: kernel

Issue Overview: It was found that nfsd is missing permissions check when setting ACL on files, this may allow a local user to gain access to any file by setting a crafted ACL. CVE-2016-1237 A flaw was found in the Linux kernel's keyring handling code, where in key_reject_and_link an uninitialised...

CVSS 7.5 | AI score 7 | EPSS 0.15073
Exploits: 3

Amazon
added 2015/10/27 12:0 a.m. | 74 views

Important: java-1.8.0-openjdk

Issue Overview: Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883,...

CVSS 10 | AI score 7.4 | EPSS 0.09991
Exploits: 0 | References: 1

Amazon
added 2015/03/13 12:0 a.m. | 74 views

Medium: postgresql92

Issue Overview: A buffer overflow flaw was found in the way PostgreSQL handled certain numeric formatting. An authenticated database user could use a specially crafted timestamp formatting template to cause PostgreSQL to crash or, under certain conditions, execute arbitrary code with the...

CVSS 9.8 | AI score 8.5 | EPSS 0.05533
Exploits: 1

Amazon
added 2015/03/13 12:0 a.m. | 74 views

Low: kernel

Issue Overview: It was reported that stack address is not properly randomized on some 64 bit architectures due to an integer overflow. The stack entropy of the processes is reduced by four. Affected Packages: kernel Issue Correction: Run yum update kernel or yum update --advisory ALAS-2015-491 to...

CVSS 5 | AI score 7.1 | EPSS 0.03742
Exploits: 1

Amazon
added 2015/01/08 12:0 a.m. | 74 views

Medium: php54

Issue Overview: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of...

CVSS 10 | AI score 8.6 | EPSS 0.53166
Exploits: 8

Total number of security vulnerabilities: 5000