6294 matches found
K000152932: libxml2 vulnerability CVE-2024-56171
Security Advisory Description libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or ...
K000152930: libxml2 vulnerability CVE-2025-24928
Security Advisory Description libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047. CVE-2025-24928 Impact...
K000152931: Multiple PostgreSQL vulnerabilities
Security Advisory Description CVE-2023-2455 Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other...
K000152911: Apache Tomcat vulnerability CVE-2025-52520
Security Advisory Description For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1...
K000152924: Apache HTTP Server vulnerability CVE-2024-43204
Security Advisory Description SSRF in Apache HTTP Server with modproxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where modheaders is configured to modify the Content-Type request or response header with a valu...
K000152922: Apache HTTP server vulnerability CVE-2025-49630
Security Advisory Description In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in modproxyhttp2. Configurations affected are a reverse proxy is configured for an HTTP...
K000152923: Apache Tomcat vulnerability CVE-2025-48988
Security Advisory Description Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are...
K000152908: Apache Tomcat vulnerabilities CVE-2025-52434 and CVE-2025-53506
Security Advisory Description CVE-2025-52434 Concurrent Execution using Shared Resource with Improper Synchronization 'Race Condition' vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issu...
K000152917: GNU C Library vulnerabilities CVE-2025-5702 and CVE-2025-5745
Security Advisory Description CVE-2025-5702 The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller those registers are defined as non-volatile registers by the...
K000152889: Gigabyte UEFI firmware vulnerabilities CVE-2025-7026, CVE-2025-7027, CVE-2025-7028, CVE-2025-7029
Security Advisory Description CVE-2025-7026 A vulnerability in the Software SMI handler SwSmiInputValue 0xB2 allows a local attacker to control the RBX register, which is used as an unchecked pointer in the CommandRcx0 function. If the contents at RBX match certain expected values e.g., '$DB$' or...
K000152876: libuv vulnerability CVE-2024-24806
Security Advisory Description libuv is a multi-platform support library with a focus on asynchronous I/O. The uvgetaddrinfo function in src/unix/getaddrinfo.c and its windows counterpart src/win/getaddrinfo.c, truncates hostnames to 256 characters before calling getaddrinfo. This behavior can be...
K000152873: libxml2 vulnerabilities CVE-2019-19956, CVE-2019-20388
Security Advisory Description CVE-2019-19956 xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc-oldNs. CVE-2019-20388 xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak. Impact There is no impact...
K000152843: Erlang/OTP vulnerabilities CVE-2025-26618, CVE-2025-30211, and CVE-2025-46712
Security Advisory Description CVE-2025-26618 Erlang is a programming language and runtime system for building massively scalable soft real-time systems with requirements on high availability. OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use...
K000152832: Oracle Java SE vulnerability CVE-2025-30754
Security Advisory Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: JSSE. Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for...
K000152831: Oracle Java SE vulnerability CVE-2025-50059
Security Advisory Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Networking. Supported versions that are affected are Oracle Java SE: 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for...
K000152805: Apache HTTPD vulnerability CVE-2025-53020
Security Advisory Description Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue. CVE-2025-53020 Impact There is no impact; ...
K000152803: Oracle Java SE vulnerability CVE-2025-50106
Security Advisory Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: 2D. Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JD...
K000152802: Oracle Java SE vulnerability CVE-2025-30752
Security Advisory Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK product of Oracle Java SE component: Compiler. The supported version that is affected is Oracle Java SE: 24.0.1; Oracle GraalVM for JDK: 24.0.1. Difficult to exploit vulnerability allows unauthenticated...
K000152799: Spring Security vulnerability CVE-2024-38810
Security Advisory Description Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations inaffective. CVE-2024-38810 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Stat...
K000152788: Golang net/http vulnerability CVE-2025-22871
Security Advisory Description The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext...
K000152785: Linux kernel vulnerability CVE-2023-31436
Security Advisory Description qfqchangeclass in net/sched/schqfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQMINLMAX. CVE-2023-31436 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product...
K000152749: AMI’s SPx vulnerability CVE-2024-54085
Security Advisory Description AMI's SPx contains a vulnerability in the BMC where an Attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability. CVE-2024-5408...
K000152727: Golang vulnerabilities CVE-2023-34231, CVE-2024-34155, CVE-2024-34156, and CVE-2024-34158
Security Advisory Description CVE-2023-34231 gosnowflake is the Snowflake Golang driver. Prior to version 1.6.19, a command injection vulnerability exists in the Snowflake Golang driver via single sign-on SSO browser URL authentication. In order to exploit the potential for command injection, an...
K000152723: Golang crypto/tls vulnerabilities CVE-2023-39321 and CVE-2023-39322
Security Advisory Description CVE-2023-39321 Processing an incomplete post-handshake message for a QUIC connection can cause a panic. CVE-2023-39322 QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection...
K000152716: Oracle Java SE vulnerability CVE-2025-30761
Security Advisory Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Scripting. Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf and 11.0.27; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to...
K000152715: Oracle Java SE vulnerability CVE-2025-30749
Security Advisory Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: 2D. Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JD...
K000152714: Oracle Java SE vulnerability CVE-2025-50063
Security Advisory Description Vulnerability in Oracle Java SE component: Install. The supported version that is affected is Oracle Java SE: 8u451. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE executes to compromise Oracle Ja...
K000152702: Node.js vulnerability CVE-2025-27209
Security Advisory Description The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can...
K000152700: BIND vulnerability CVE-2025-40775
Security Advisory Description When an incoming DNS protocol message includes a Transaction Signature TSIG, BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20...
K000152694: Apache HTTPD vulnerability CVE-2025-54090
Security Advisory Description A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue. CVE-2025-54090 Impact There is no impact; F5 products are not affected by this vulnerabilit...
K000152680: BusyBox vulnerability CVE-2024-58251
Security Advisory Description In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv0 containing an ANSI terminal escape sequence, leading to a denial of service terminal locked up when netstat is used by a victim. CVE-2024-58251 Impact Attackers can laun...
K000152678: BusyBox vulnerability CVE-2025-46394
Security Advisory Description In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences. CVE-2025-46394 Impact An attacker could exploit this vulnerability by creating a TAR archive containing malicious files with names...
K000152677: Golang net/http vulnerabilities CVE-2023-39326 and CVE-2024-24791
Security Advisory Description CVE-2023-39326 A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to...
K000152676: Golang net vulnerabilities CVE-2023-45290 and CVE-2024-24784
Security Advisory Description CVE-2023-45290 When parsing a multipart form either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile, limits on the total size of the parsed form were not applied to the memory consumed while...
K000152675: Golang crypto vulnerabilities CVE-2024-24783 and CVE-2025-22866
Security Advisory Description CVE-2024-24783 Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or...
K000152672: SQLite vulnerabilities CVE-2024-0232 and CVE-2025-29088
Security Advisory Description CVE-2024-0232 A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a cras...
K000152671: Golang html/template vulnerabilities CVE-2023-39318,CVE-2023-39319, and CVE-2024-24785
Security Advisory Description CVE-2023-39318 The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "!" comment tokens, in contexts. This may cause the template parser to improperly interpret the contents of contexts, causing actions to be improperly escaped...
K000152669: Apache HTTPD vulnerability CVE-2025-23048
Security Advisory Description In some modssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when modssl is configured for multiple virtual hosts, with each...
K000152658: Golang vulnerability CVE-2024-45341
Security Advisory Description A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make...
K000152659: Golang vulnerabilities CVE-2024-45336, CVE-2024-45337, CVE-2024-45338, and CVE-2024-45339
Security Advisory Description CVE-2024-45336 The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a . com/ containing an Authorization header which is redirected to b . com/ will not send that header to b . com. In the event that the client...
K000152655: Apache Commons vulnerability CVE-2025-48734
Security Advisory Description Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this...
K000152630: Node.js vulnerability CVE-2025-27210
Security Advisory Description The cve record for the cve id does not exist. CVE-2025-27210 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has evaluated the currently supported releases for potential vulnerability, and...
K000152614: Apache Commons vulnerability CVE-2025-48976
Security Advisory Description Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to...
K000152613: Secure Boot Bypass vulnerability CVE-2025-3052
Security Advisory Description An arbitrary write vulnerability in Microsoft signed UEFI firmware allows for code execution of untrusted software. This allows an attacker to control its value, leading to arbitrary memory writes, including modification of critical firmware settings stored in NVRAM...
K000152607: Go vulnerability CVE-2023-39323
Security Advisory Description Line directives "//line" can be used to bypass the restrictions on "//go:cgo" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive...
K000152608: Golang vulnerabilities CVE-2023-39320, CVE-2023-39323, CVE-2023-45289, and CVE-2024-24788
Security Advisory Description CVE-2023-39320 The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command...
K000152602: Multiple Moby vulnerabilities
Security Advisory Description CVE-2023-28840 Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component dockerd, which is developed as moby/moby, is common...
K000152599: Python tarfile vulnerability CVE-2024-12718
Security Advisory Description Allows modifying some file metadata e.g. last modified with filter="data" or file permissions chmod with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using...
K000152594: Apache HTTP server vulnerability CVE-2024-43394
Security Advisory Description Server-Side Request Forgery SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via modrewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63...
K000152592: Apache Tomcat vulnerability CVE-2025-46701
Security Advisory Description Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1...