6585 matches found
fsp buffer overflow and directory traversal vulnerabilities
The Debian security team reported a pair of vulnerabilities in fsp: A vulnerability was discovered in fsp, client utilities for File Service Protocol FSP, whereby a remote user could both escape from the FSP root directory CAN-2003-1022, and also overflow a fixed-length buffer to execute arbitrar...
Gitlab -- Vulnerabilities
Gitlab reports: XSS in k8s proxy endpoint XSS Maven Dependency Proxy HTML injection leads to XSS on self hosted instances Improper Authorisation Check Allows Guest User to Read Security Policy Planner role can read code review analytics in private projects...
FreeBSD -- umtx Kernel panic or Use-After-Free
Problem Description: Concurrent removals of such a mapping by using the UMTXSHMDESTROY sub-request of UMTXOPSHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early. Impact: A malicious code exercizing the UMTXSHMDESTRO...
firefox -- multiple vulnerabilities
[email protected] reports: CVE-2024-7531: Calling PK11Encrypt in NSS using CKMCHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the...
MySQL -- Multiple vulnerabilities
Oracle reports: 36 new security patches for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 9.8...
qt6-webengine -- Multiple vulnerabilities
Qt qtwebengine-chromium repo reports: Backports for 16 security bugs in Chromium: CVE-2024-2625: Object lifecycle issue in V8 CVE-2024-2626: Out of bounds read in Swiftshader CVE-2024-2885: Use after free in Dawn CVE-2024-2887: Type Confusion in WebAssembly CVE-2024-3157: Out of bounds write in...
Gitlab -- vulnerabilities
Gitlab reports: Stored-XSS injected in Wiki page via Banzai pipeline DOS using crafted emojis...
jenkins -- HTTP/2 denial of service vulnerability in bundled Jetty
Jenkins Security Advisory: Description High SECURITY-3379 / CVE-2024-22201 HTTP/2 denial of service vulnerability in bundled Jetty...
electron{26,27} -- multiple vulnerabilities
Electron developers report: This update fixes the following vulnerabilities: Security: backported fix for CVE-2024-0224. Security: backported fix for CVE-2024-0225. Security: backported fix for CVE-2024-0223. Security: backported fix for CVE-2024-0222...
electron{26,27} -- multiple vulnerabilities
Electron developers report: This update fixes the following vulnerabilities: Security: backported fix for CVE-2023-6508. Security: backported fix for CVE-2023-7024...
electron25 -- multiple vulnerabilities
Electron developers report: This update fixes the following vulnerabilities: Security: backported fix for CVE-2023-6350. Security: backported fix for CVE-2023-6351...
electron{25,26} -- use after free in Garbage Collection
Electron developers report: This update fixes the following vulnerability: Security: backported fix for CVE-2023-5997...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 4 security fixes: 1497997 High CVE-2023-5997: Use after free in Garbage Collection. Reported by Anonymous on 2023-10-31 1499298 High CVE-2023-6112: Use after free in Navigation. Reported by Sergei Glazunov of Google Project Zero on 2023-11-04...
chromium -- security update
Chrome Releases reports: This update includes 1 security fix: 1497859 High CVE-2023-5996: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab via Tianfu Cup 2023 on 2023-10-30...
electron25 -- Use after free in extensions vulnerability
Electron developers report: This update fixes the following vulnerability: Security: backported fix for CVE-2023-5187...
apache -- Apache ZooKeeper: Authorization bypass in SASL Quorum Peer Authentication
[email protected] reports: Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper quorum.auth.enableSasl=true, the authorization is done by verifying that the instance part in SASL authentication ID is liste...
chromium -- multiple vulnerabilities
Chrome Releases reports: This update includes 5 security fixes: 1469542 High CVE-2023-4430: Use after free in Vulkan. Reported by Cassidy Kim@cassidy6564 on 2023-08-02 1469754 High CVE-2023-4429: Use after free in Loader. Reported by Anonymous on 2023-08-03 1470477 High CVE-2023-4428: Out of boun...
postgresql-server -- Extension script @substitutions@ within quoting allow SQL injection
PostgreSQL Project reports An extension script is vulnerable if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct dollar quoting, '', or "". No bundled extension is vulnerable. Vulnerable uses do appear in a documentation example and in non-bundled extensions. Hence,...
chromium -- multiple vulnerabilities
Chrome Releases reports: This update includes 17 security fixes: 1466183 High CVE-2023-4068: Type Confusion in V8. Reported by Jerry on 2023-07-20 1465326 High CVE-2023-4069: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2023-07-17 1462951 High CVE-2023-4070: Type Confusi...
electron22 -- multiple vulnerabilities
Electron developers report: This update fixes the following vulnerabilities: Security: backported fix for CVE-2023-3422. Security: backported fix for CVE-2023-3421. Security: backported fix for CVE-2023-3420...
chromium -- multiple vulnerabilities
Chrome Releases reports: This update includes 12 security fixes: 1444360 Critical CVE-2023-2721: Use after free in Navigation. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2023-05-10 1400905 High CVE-2023-2722: Use after free in Autofill UI. Reported by Rong Jian of VRI on 2022-12-14 1435166...
vscode -- Visual Studio Code Information Disclosure Vulnerability
[email protected] reports: Visual Studio Code Information Disclosure Vulnerability A information disclosure vulnerability exists in VS Code 1.78.0 and earlier versions on Windows when file system operations are performed on malicious UNC paths. Examples include reading or resolving metadata of...
rack -- possible denial of service vulnerability in header parsing
oooooooq reports: Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack virtually all Rails applications are impacted...
git -- "git apply" overwriting paths outside the working tree
git team reports: By feeding a crafted input to "git apply", a path outside the working tree can be overwritten as the user who is running "git apply"...
py-cryptography -- allows programmers to misuse an API
alex reports: Previously, Cipher.updateinto would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects such as bytes to be mutated, thus violating fundamental rules of Python. This is a soundness bug -- it allows...
prometheus2 -- basic authentication bypass
Prometheus team reports: Prometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back...
krb5 -- Integer overflow vulnerabilities in PAC parsing
MITKRB5-SA-2022-001 Vulnerabilities in PAC parsing: Due to an integer overflow vulnerabilities in PAC parsing An authenticated attacker may be able to cause a KDC or kadmind process to crash by reading beyond the bounds of allocated memory, creating a denial of service. On 32-bit platforms an...
go -- syscall, os/exec: unsanitized NUL in environment variables
The Go project reports: syscall, os/exec: unsanitized NUL in environment variables On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different...
go -- multiple vulnerabilities
The Go project reports: net/http: improper sanitization of Transfer-Encoding header The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also...
mediawiki -- multiple vulnerabilities
Mediawiki reports: T297543, CVE-2022-28202 Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete. T297571, CVE-2022-28201 Title::newMainPage goes into an infinite recursion loop if it points to a local interwiki. T297731, CVE-2022-28203 Requestin...
mailman -- 2.1.37 fixes XSS via user options, and moderator offline brute-force vuln against list admin password
Mark Sapiro reports: A potential XSS attack via the user options page has been reported by Harsh Jaiswal. This is fixed. CVE-2021-43331 LP: 1949401. A potential for for a list moderator to carry out an off-line brute force attack to obtain the list admin password has been reported by Andre Protas...
pjsip -- Race condition in SSL socket server
pjsip reports: There are a couple of issues found in the SSL socket: A race condition between callback and destroy, due to the accepted socket having no group lock. SSL socket parent/listener may get destroyed during handshake...
fail2ban -- possible RCE vulnerability in mailing action using mailutils
Jakub Żoczek reports: Command mail from mailutils package used in mail actions like mail-whois can execute command if unescaped sequences \n are available in "foreign" input for instance in whois output...
Bacula-Web -- Multiple Vulnerabilities
Bacula-Web reports: Address Smarty CVE...
go -- net/http: panic due to racy read of persistConn after handler panic
The Go project reports: A net/http/httputil ReverseProxy can panic due to a race condition if its Handler aborts with ErrAbortHandler, for example due to an error in copying the response body. An attacker might be able to force the conditions leading to the race condition...
libxml2 -- Possible denial of service
Daniel Veillard reports: A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service...
clamav -- Multiple vulnerabilites
Micah Snyder reports: CVE-2021-1252 Excel XLM parser infinite loop CVE-2021-1404 PDF parser buffer over-read; possible crash. CVE-2021-1405 Mail parser NULL-dereference crash...
openvpn -- deferred authentication can be bypassed in specific circumstances
Gert Döring reports: OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks...
consul -- Fix Consul Connect CA private key configuration
Hashicorp reports: Increase the permissions to read from the /connect/ca/configuration endpoint to operator:write. Previously Connect CA configuration, including the private key, set via this endpoint could be read back by an operator with operator:read privileges...
glpi -- Insecure Direct Object Reference on ajax/getDropdownValue.php
MITRE Corporation reports: In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference IDOR vulnerability that allows an attacker to read data from any itemType e.g., Ticket, Users, etc...
chromium -- multiple vulnerabilities
Chrome Releases reports: This update includes 20 security fixes, including: 1109120 High CVE-2020-6558: Insufficient policy enforcement in iOS. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-24 1116706 High CVE-2020-6559: Use after free in presentation API. Report...
trafficserver -- resource consumption
Bryan Call reports: ATS is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread...
BIND -- Remote Denial of Service vulnerability
ISC reports: The asterisk character "" is allowed in DNS zone files, where it is most commonly present as a wildcard at a terminal node of the Domain Name System graph. However, the RFCs do not require and BIND does not enforce that an asterisk character be present only at a terminal node. A...
Apache Ant leaks sensitive information via the java.io.tmpdir
Apache reports: Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back...
json-c -- integer overflow and out-of-bounds write via a large JSON file
Tobias Stöckmann reports: I have discovered a way to trigger an out of boundary write while parsing a huge json file through a malicious input source. It can be triggered if an attacker has control over the input stream or if a huge load during filesystem operations can be triggered...
Zabbix -- Remote code execution
Zabbix reports: Fixed security vulnerability cve-2020-11800 remote code execution. ZBX-17600...
Dovecot -- Multiple vulnerabilities
Aki Tuomi reports: Vulnerability Details: Sending malformed NOOP command causes crash in submission, submission-login or lmtp service. Risk: Remote attacker can keep submission-login service down, causing denial of service attack. For lmtp the risk is neglible, as lmtp is usually behind a trusted...
Python -- multiple vulnerabilities
Python reports: gh-95778: Converting between int and str in bases other than 2 binary, 4, 8 octal, 16 hexadecimal, or 32 such as base 10 decimal now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic...
ansible - subversion password leak from PID
Borja Tarraso reports: A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading...
glpi -- Public GLPIKEY can be used to decrypt any data
MITRE Corporation reports: GLPI before before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on...