6585 matches found
go -- multiple vulnerabilities
The Go project reports: net/http: handle server errors after sending GOAWAY A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service. net/url: JoinPath does...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Group members with developer role can escalate their privilege to maintainer on projects that they import When user registration is limited, external users that aren't developers shouldn't have access to the CI Lint API Collision in access memoization leads to potential elevated...
libssh -- possible heap-buffer overflow vulnerability
libssh security advisories: The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secrethash and and the other sessionid. Initially, both of them are the same, but after key re-exchange, previous sessionid is kept and used as an input to new...
go -- archive/zip: overflow in preallocation check can cause OOM panic
The Go project reports: An oversight in the previous fix still allows for an OOM panic when the indicated directory size in the archive header is so large that subtracting it from the archive size overflows a uint64, effectively bypassing the check that the number of files in the archive is...
mod_auth_mellon -- Redirect URL validation bypass
Jakub Hrozek reports: Version 0.17.0 and older of modauthmellon allows the redirect URL validation to be bypassed by specifying an URL formatted as ///fishing-site.example.com/logout.html...
Django -- multiple vulnerabilities
Django Release reports: CVE-2021-31542:Potential directory-traversal via uploaded files. MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via uploaded files with suitably crafted file names...
FreeBSD -- jail escape possible by mounting over jail root
Problem Description: Due to a race condition between lookup of ".." and remounting a filesystem, a process running inside a jail might access filesystem hierarchy outside of jail. Impact: A process with superuser privileges running inside a jail configured with the allow.mount permission not...
mdbook -- XSS in mdBook's search page
Rust Security Response Working Group reports: The search feature of mdBook introduced in version 0.1.4 was affected by a cross site scripting vulnerability that allowed an attacker to execute arbitrary JavaScript code on an user's browser by tricking the user into typing a malicious search query,...
asterisk -- Remote attacker could prematurely tear down SRTP calls
The Asterisk project reports: An unauthenticated remote attacker could replay SRTP packets which could cause an Asterisk instance configured without strict RTP validation to tear down calls prematurely...
cacti -- SQL Injection was possible due to incorrect validation order
Cati team reports: Due to a lack of validation, datadebug.php can be the source of a SQL injection...
FreeBSD -- bhyve SVM guest escape
Problem Description: A number of AMD virtualization instructions operate on host physical addresses, are not subject to nested page table translation, and guest use of these instructions was not trapped. Impact: From kernel mode a malicious guest can write to arbitrary host memory with some...
ark -- extraction outside of extraction directory
Albert Astals Cid reports: Overview A maliciously crafted TAR archive containing symlink entries would install files anywhere in the user's home directory upon extraction. Proof of concept For testing, an example of malicious archive can be found at dirsymlink.tar Impact Users can unwillingly...
chromium -- heap buffer overflow
Chrome Releases reports: This release contains one security fix: 1115345 High CVE-2020-6556: Heap buffer overflow in SwiftShader. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-08-12...
mail/dovecot -- multiple vulnerabilities
Aki Tuomi reports: When imap hibernation is active, an attacker can cause Dovecot to discover file system directory structure and access other users' emails using specially crafted command. The attacker must have valid credentials to access the mail server. Mail delivery / parsing crashed when th...
Python -- multiple vulnerabilities
Python reports: bpo-41162:Audit hooks are now cleared later during finalization to avoid missing events. bpo-29778:Ensure python3.dll is loaded from correct locations when Python is embedded...
Several issues in Lynis
lynis update: This release resolves two security issues CVE-2020-13882 - Discovered by Sander Bos, code submission by Katarina Durechova CVE-2019-13033 - Discovered by Sander Bos...
Machine-in-the-middle response injection attack when using STARTTLS with IMAP, POP3, and SMTP
mutt 1.14.4 updates: CVE-2020-14954 - Machine-in-the-middle response injection attack when using STARTTLS with IMAP, POP3, and SMTP...
Anydesk -- Multiple Vulnerabilities
Anydesk reports: AnyDesk before 5.5.3 on Linux and FreeBSD has a format string vulnerability that can be exploited for remote code execution...
Django -- multiple vulnerabilities
Django security release reports: CVE-2020-13254: Potential data leakage via malformed memcached keys In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability,...
mediawiki -- multiple vulnerabilities
Mediawikwi reports: T285159, CVE-2023-PENDING SECURITY: X-Forwarded-For header allows brute-forcing autoblocked IP addresses. T326946, CVE-2020-36649 SECURITY: Bundled PapaParse copy in VisualEditor has known ReDos. T330086, CVE-2023-PENDING SECURITY: OATHAuth allows replay attacks when MediaWiki...
FreeBSD -- Insufficient oce(4) ioctl(2) privilege checking
Problem Description: The driver-specific ioctl2 command handlers in oce4 failed to check whether the caller has sufficient privileges to perform the corresponding operation. Impact: The oce4 handler permits unprivileged users to send passthrough commands to device firmware...
Django -- potential SQL injection vulnerability
MITRE CVE reports: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was...
OpenSMTPd -- LPE and RCE in OpenSMTPD's default install
OpenSMTPD developers reports: An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the smtpq group. An unprivileged local...
pkg -- vulnerability in libfetch
A programming error allows an attacker who can specify a URL with a username and/or password components to overflow libfetch3 buffers...
FreeBSD -- libfetch buffer overflow
Problem Description: A programming error allows an attacker who can specify a URL with a username and/or password components to overflow libfetch3 buffers. Impact: An attacker in control of the URL to be fetched possibly via HTTP redirect may cause a heap buffer overflow, resulting in program...
Client/server denial of service when handling AES-CTR ciphers
The libssh team reports originally reported by Yasheng Yang from Google: A malicious client or server could crash the counterpart implemented with libssh AES-CTR ciphers are used and don't get fully initialized. It will crash when it tries to cleanup the AES-CTR ciphers when closing the connectio...
dovecot -- multiple vulnerabilities
Aki Tuomi reports: lib-smtp doesn't handle truncated command parameters properly, resulting in infinite loop taking 100% CPU for the process. This happens for LMTP where it doesn't matter so much and also for submission-login where unauthenticated users can trigger it. Aki also reports: Snippet...
rack -- information leak / session hijack vulnerability
National Vulnerability Database: There's a possible information leak / session hijack vulnerability in Rack RubyGem rack. This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are...
asterisk -- SIP request can change address of a SIP peer
The Asterisk project reports: A SIP request can be sent to Asterisk that can change a SIP peers IP address. A REGISTER does not need to occur, and calls can be hijacked as a result. The only thing that needs to be known is the peers name; authentication details such as passwords do not need to be...
file -- Heap buffer overflow possible
mitre reports cdfreadpropertyinfo in cdf.c in file through 5.37 does not restrict the number of CDFVECTOR elements, which allows a heap-based buffer overflow 4-byte out-of-bounds write...
xymon-server -- multiple vulnerabilities
Japheth Cleaver reports: Several buffer overflows were reported by University of Cambridge Computer Security Incident Response Team...
asterisk -- Remote Crash Vulnerability in chan_sip channel driver
The Asterisk project reports: When T.38 faxing is done in Asterisk a T.38 reinvite may be sent to an endpoint to switch it to T.38. If the endpoint responds with an improperly formatted SDP answer including both a T.38 UDPTL stream and an audio or video stream containing only codecs not allowed o...
asterisk -- Remote crash vulnerability with MESSAGE messages
The Asterisk project reports: A specially crafted SIP in-dialog MESSAGE message can cause Asterisk to crash...
Gitlab -- Information Disclosure
Gitlab reports: Information Disclosure with Limited Scope Token...
moodle -- Login CSRF vulnerability
moodle reports: The login form is not protected by a token to prevent login cross-site request forgery...
advancecomp -- multiple vulnerabilities
Joonun Jang reports: heap buffer overflow running advzip with "-l poc" option Running 'advzip -l poc' with the attached file raises heap buffer overflow which may allow a remote attacker to cause unspecified impact including denial-of-service attack. I expected the program to terminate without...
Flash Player -- multiple vulnerabilities
Adobe reports: This update resolves a use-after-free vulnerability that could lead to remote code execution CVE-2018-4932. This update resolves out-of-bounds read vulnerabilities that could lead to information disclosure CVE-2018-4933, CVE-2018-4934. This update resolves out-of-bounds write...
rails-html-sanitizer -- possible XSS vulnerability
OSS-Security list: There is a possible XSS vulnerability in rails-html-sanitizer. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is...
irssi -- multiple vulnerabilities
Irssi reports: Use after free when server is disconnected during netsplits. Found by Joseph Bisch. Use after free when SASL messages are received in unexpected order. Found by Joseph Bisch. Null pointer dereference when an “empty” nick has been observed by Irssi. Found by Joseph Bisch. When the...
LibreOffice -- Remote arbitrary file disclosure vulnerability via WEBSERVICE formula
LibreOffice reports: LibreOffice Calc supports a WEBSERVICE function to obtain data by URL. Vulnerable versions of LibreOffice allow WEBSERVICE to take a local file URL e.g file:// which can be used to inject local files into the spreadsheet without warning the user. Subsequent formulas can opera...
mbed TLS (PolarSSL) -- remote code execution
Simon Butcher reports: When the truncated HMAC extension is enabled and CBC is used, sending a malicious application packet can be used to selectively corrupt 6 bytes on the peer's heap, potentially leading to a crash or remote code execution. This can be triggered remotely from either side in bo...
w3m - multiple vulnerabilities
Tatsuya Kinoshita reports: CVE-2018-6196 table.c: Prevent negative indent value in feedtableblocktag. CVE-2018-6197 form.c: Prevent invalid columnPos call in formUpdateBuffer. CVE-2018-6198 config.h.dist, config.h.in, configure, configure.ac, main.c, rc.c: Make temporary directory safely when /.w...
powerdns-recursor -- insufficient validation of DNSSEC signatures
PowerDNS Security Advisory reports: An issue has been found in the DNSSEC validation component of PowerDNS Recursor, allowing an ancestor delegation NSEC or NSEC3 record to be used to wrongfully prove the non-existence of a RR below the owner name of that record. This would allow an attacker in...
ruby -- Command injection vulnerability in Net::FTP
Etienne Stalmans from the Heroku product security team reports: There is a command injection vulnerability in Net::FTP bundled with Ruby. Net::FTPget, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernelopen to open a local file. If the localfile argument starts with the pip...
chromium -- multiple vulnerabilities
Google Chrome releases reports: 3 security fixes in this release, including: 765433 High CVE-2017-5121: Out-of-bounds access in V8. Reported by Jordan Rabet, Microsoft Offensive Security Research and Microsoft ChakraCore team on 2017-09-14 752423 High CVE-2017-5122: Out-of-bounds access in V8...
libraw -- buffer overflow
libraw developers report: LibRaw before 0.18.4 has a heap-based Buffer Overflow in the processCanonCameraInfo function via a crafted file...
libsndfile -- out-of-bounds reads
Xin-Jiang on Github reports: CVE-2017-14245 Medium: An out of bounds read in the function d2alawarray in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values. CVE-2017-14246 Medium: An out of...
FFmpeg -- multiple vulnerabilities
FFmpeg security reports: Multiple vulnerabilities have been fixed in FFmpeg 3.3.4. Please refer to the CVE list for details...
ansible -- information disclosure flaw
ansible developers report: Ansible versions 2.2.3 and earlier are vulnerable to an information disclosure flaw due to the interaction of call back plugins and the nolog directive where the information may not be sanitized properly...
Cacti -- Cross-site scripting (XSS) vulnerability in link.php
kimiizhang reports: Cross-site scripting XSS vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter...