6585 matches found
OpenSSL -- integer conversions result in memory corruption
OpenSSL security team reports: A potentially exploitable vulnerability has been discovered in the OpenSSL function asn1d2ireadbio. Any application which uses BIO or FILE based functions to read untrusted DER format data is vulnerable. Affected functions are of the form d2ibio or d2ifp, for exampl...
openoffice.org -- Multiple vulnerabilities
OpenOffice.org Security Team reports: Fixed in OpenOffice.org 3.3 CVE-2010-2935 / CVE-2010-2936: Security Vulnerability in OpenOffice.org related to PowerPoint document processing CVE-2010-3450: Security Vulnerability in OpenOffice.org related to Extensions and filter package files CVE-2010-3451 ...
png -- unknown chunk processing uninitialized memory access
Secunia reports: Tavis Ormandy has reported a vulnerability in libpng, which can be exploited by malicious people to cause a Denial of Service, disclose potentially sensitive information, or potentially compromise an application using the library. The vulnerability is caused due to the improper...
postgresql -- multiple vulnerabilities
The PostgreSQL developers report: PostgreSQL allows users to create indexes on the results of user-defined functions, known as "expression indexes". This provided two vulnerabilities to privilege escalation: 1 index functions were executed as the superuser and not the table owner during VACUUM an...
gtar -- GNU TAR safer_name_suffix Remote Denial of Service Vulnerability
SecurityFocus reports: GNUs tar and cpio utilities are prone to a denial-of-service vulnerability because of insecure use of the alloca function. Successfully exploiting this issue allows attackers to crash the affected utilities and possibly to execute code but this has not been confirmed...
net-snmp -- fixproc insecure temporary file creation
A Gentoo advisory reports: Net-SNMP creates temporary files in an insecure manner, possibly allowing the execution of arbitrary code. A malicious local attacker could exploit a race condition to change the content of the temporary files before they are executed by fixproc, possibly leading to the...
apache13-modssl -- format string vulnerability in proxy support
A OpenPKG Security Advisory reports: Triggered by a report to Packet Storm from Virulent, a format string vulnerability was found in modssl, the Apache SSL/TLS interface to OpenSSL, version up to and including 2.8.18 for Apache 1.3. The modssl in Apache 2.x is not affected. The vulnerability coul...
subversion date parsing vulnerability
Stefan Esser reports: Subversion versions up to 1.0.2 are vulnerable to a date parsing vulnerability which can be abused to allow remote code execution on Subversion servers and therefore could lead to a repository compromise. NOTE: This vulnerability is similar to the date parsing issue that...
Gitlab -- vulnerabilities
Gitlab reports: An attacker can run pipeline jobs as an arbitrary user Developer user with admincomplianceframework permission can change group URL Admin push rules custom role allows creation of project level deploy token Package registry vulnerable to manifest confusion User with admingroupmemb...
Apache httpd -- source code disclosure
The Apache httpd project reports: isource code disclosure with handlers configured via AddType CVE-2024-39884 Important. A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under so...
varnish -- HTTP/2 Rapid Reset Attack
Varnish Cache Project reports: A denial of service attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker can create a large volume of streams and immediately reset them without ever reaching the maximum number of concurrent streams allowed for the...
curl -- HTTP headers eat all memory
selmelc on hackerone reports: When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stre...
postgresql-server -- Row security policies disregard user ID changes after inlining
PostgreSQL Project reports While CVE-2016-2193 fixed most interaction between row security and user ID changes, it missed a scenario involving function inlining. This leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned...
chromium -- multiple vulnerabilities
Chrome Releases reports: This update includes 16 security fixes: 1414018 High CVE-2023-1810: Heap buffer overflow in Visuals. Reported by Weipeng Jiang @Krace of VRI on 2023-02-08 1420510 High CVE-2023-1811: Use after free in Frames. Reported by Thomas Orlita on 2023-03-01 1418224 Medium...
go -- multiple vulnerabilities
The Go project reports: go/parser: infinite loop in parsing Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow. html/template: backticks not treated as string delimiters Templates di...
FreeBSD -- OpenSSH pre-authentication double free
Problem Description: A flaw in the backwards-compatibility key exchange route allows a pointer to be freed twice. Impact: A remote, unauthenticated attacker may be able to cause a denial of service, or possibly remote code execution. Note that FreeBSD 12.3 and FreeBSD 13.1 include older versions ...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 1 security fix: 1392715 High CVE-2022-4135: Heap buffer overflow in GPU. Reported by Clement Lecigne of Google's Threat Analysis Group on 2022-11-22 Google is aware that an exploit for CVE-2022-4135 exists in the wild...
unbound -- Non-Responsive Delegation Attack
A vulnerability named 'Non-Responsive Delegation Attack' NRDelegation Attack has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for...
Grafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
Grafana Labs reports: On September 7th as a result of an internal security audit we have discovered that Grafana could leak the authentication cookie of users to plugins. After further analysis the vulnerability impacts data source and plugin proxy endpoints under certain conditions. We believe...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 11 security fixes, including: 1349322 Critical CVE-2022-2852: Use after free in FedCM. Reported by Sergei Glazunov of Google Project Zero on 2022-08-02 1337538 High CVE-2022-2854: Use after free in SwiftShader. Reported by Cassidy Kim of Amber Securi...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 11 security fixes, including: 1290008 High CVE-2022-0603: Use after free in File Manager. Reported by Chaoyuan Peng @ret2happy on 2022-01-22 1273397 High CVE-2022-0604: Heap buffer overflow in Tab Groups. Reported by Krace on 2021-11-24 1286940 High...
Node.js -- January 2022 Security Releases
Node.js reports: Improper handling of URI Subject Alternative Names MediumCVE-2021-44531 Accepting arbitrary Subject Alternative Name SAN types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 19 security fixes, including: 1246631 High CVE-2021-37981: Heap buffer overflow in Skia. Reported by Yangkang @dnpushme of 360 ATA on 2021-09-04 1248661 High CVE-2021-37982: Use after free in Incognito. Reported by Weipeng Jiang @Krace from Codesafe...
FreeBSD -- Xen grant mapping error handling issues
Problem Description: Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 10 security fixes, including: 1138143 High CVE-2021-21149: Stack overflow in Data Transfer. Reported by Ryoya Tsukasaki on 2020-10-14 1172192 High CVE-2021-21150: Use after free in Downloads. Reported by Woojin Oh@pwnexpoit of STEALIEN on 2021-01-29...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release includes 16 security fixes, including: 1148749 High CVE-2021-21106: Use after free in autofill. Reported by Weipeng Jiang @Krace from Codesafe Team of Legendsec at Qi'anxin Group on 2020-11-13 1153595 High CVE-2021-21107: Use after free in drag and drop...
ImageMagick7 -- multiple vulnerabilities
CVE reports: Several vulnerabilities have been discovered in ImageMagick: CVE-2021-20313: A flaw was found in ImageMagick in versions before 7.0.11. A potential cipher leak when the calculate signatures in TransformSignature is possible. CVE-2021-20312: A flaw was found in ImageMagick in versions...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: This update contains 8 security fixes. 1062247 High CVE-2020-6450: Use after free in WebAudio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-17 1061018 High CVE-2020-6451: Use after free in WebAudio. Reported by Man Yue Mo of Semmle Security...
tauthon -- Regular Expression Denial of Service
The :class:urllib.request.AbstractBasicAuthHandler class of the :mod:urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service...
sudo -- Potential bypass of Runas user restrictions
Todd C. Miller reports: Sudo's pwfeedback option can be used to provide visual feedback when the user is inputting their password. For each key press, an asterisk is printed. This option was added in response to user confusion over how the standard Password: prompt disables the echoing of key...
Payara -- path trasversal flaw via either loc/con parameters in Eclipse Mojarra
Payara Releases reports: The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases: CVE-2020-6950 Eclipse Mojarra vulnerable to path trasversal flaw via either loc/con parameters...
Python -- CRLF injection via the host part of the url passed to urlopen()
Python reports: An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the host component...
webkit-gtk -- Multiple vulnerabilities
The Webkitgtk project reports: CVE-2019-6212 - Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-6215 - Processing maliciously crafted web content may lead to arbitrary code...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 42 security fixes in this release, including: 850350 High CVE-2018-6153: Stack buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2018-06-07 848914 High CVE-2018-6154: Heap buffer overflow in WebGL. Reported by Omair on 2018-06-01 842265 Hig...
wireshark -- multiple security issues
wireshark developers reports: wnpa-sec-2018-05. IEEE 802.11 dissector crash. CVE-2018-7335 wnpa-sec-2018-06. Large or infinite loops in multiple dissectors. CVE-2018-7321 through CVE-2018-7333 wnpa-sec-2018-07. UMTS MAC dissector crash. CVE-2018-7334 wnpa-sec-2018-08. DOCSIS dissector crash...
isc-dhcp -- Multiple vulnerabilities
ISC reports: Failure to properly bounds check a buffer used for processing DHCP options allows a malicious server or an entity masquerading as a server to cause a buffer overflow and resulting crash in dhclient by sending a response containing a specially constructed options section. A malicious...
OpenJPEG -- multiple vulnerabilities
OpenJPEG reports: Multiple vulnerabilities have been found in OpenJPEG, the opensource JPEG 2000 codec. Please consult the CVE list for further details. CVE-2017-17479 and CVE-2017-17480 were fixed in r477112. CVE-2018-5785 was fixed in r480624. CVE-2018-6616 was fixed in r489415...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 37 security fixes in this release, including: 778505 Critical CVE-2017-15407: Out of bounds write in QUIC. Reported by Ned Williamson on 2017-10-26 762374 High CVE-2017-15408: Heap buffer overflow in PDFium. Reported by Ke Liu of Tencent's Xuanwu LAB on 2017-09-06...
solr -- Code execution via entity expansion
Solr developers report: Lucene XML parser does not explicitly prohibit doctype declaration and expansion of external entities which leads to arbitrary HTTP requests to the local SOLR instance and to bypass all firewall restrictions. Solr "RunExecutableListener" class can be used to execute...
perl -- multiple vulnerabilities
Meta CPAN reports: CVE-2017-12814: $ENV$key stack buffer overflow on Windows A possible stack buffer overflow in the %ENV code on Windows has been fixed by removing the buffer completely since it was superfluous anyway. CVE-2017-12837: Heap buffer overflow in regular expression compiler Compiling...
krb5 -- Multiple vulnerabilities
MIT reports: CVE-2017-11368: In MIT krb5 1.7 and later, an authenticated attacker can cause an assertion failure in krb5kdc by sending an invalid S4U2Self or S4U2Proxy request. CVE-2017-11462: RFC 2744 permits a GSS-API implementation to delete an existing security context on a second or subseque...
mysql -- denial of service vulnerability
Openwall reports: C client library for MySQL libmysqlclient.so has use-after-free defect which can cause crash of applications using that MySQL client...
tomcat -- information disclosure vulnerability
The Apache Software Foundation reports: Important: Information Disclosure CVE-2016-8745...
RabbitMQ -- Authentication vulnerability
Pivotal.io reports: MQTT MQ Telemetry Transport connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected...
mailman -- CSRF protection enhancements
Mark Sapiro reports: CSRF protection has been extended to the user options page. This was actually fixed by Tokio Kikuchi as part of the fix for LP: 775294 and intended for Mailman 2.1.15, but that fix wasn't completely merged at the time. The full fix also addresses the admindb, and edithtml pag...
pcre -- heap overflow vulnerability
Mitre reports: The pcrecompile2 function in pcrecompile.c in PCRE 8.38 mishandles the /?:F?+?:^?Ra+"99-?J?'R'?'R'?'RR'?'R'\97?J?J?'R'?'R'\99|:?|?'R'\k'R'|?'R'H'R'RH'R/ pattern and related patterns with named subgroups, which allows remote attackers to cause a denial of service heap-based buffer...
xen-kernel -- VMX: guest user mode may crash guest with non-canonical RIP
The Xen Project reports: VMX refuses attempts to enter a guest with an instruction pointer which doesn't satisfy certain requirements. In particular, the instruction pointer needs to be canonical when entering a guest currently in 64-bit mode. This is the case even if the VM entry information...
openssl -- multiple vulnerabilities
OpenSSL project reports: BNmodexp may produce incorrect results on x8664 CVE-2015-3193 Certificate verify crash with missing PSS parameter CVE-2015-3194 X509ATTRIBUTE memory leak CVE-2015-3195 Race condition handling PSK identify hint CVE-2015-3196 Anon DH ServerKeyExchange with 0 p parameter...
libraw -- memory objects not properly initialized
ChenQin reports: The LibRaw raw image decoder has multiple vulnerabilities that can cause memory errors which may lead to code execution or other problems. In CVE-2015-8367, LibRaw's phaseonecorrect function does not handle memory initialization correctly, which may cause other problems...
libvirt -- ACL bypass using ../ to access beyond storage pool
Libvit development team reports: Various virStorageVol API operate on user-supplied volume names by concatenating the volume name to the pool location. Note that the virStoragePoolListVolumes API, when used on a storage pool backed by a directory in a file system, will only list volumes immediate...