6583 matches found
sudo -- Privilege escalation with sudoedit
Todd Miller reports: When sudo performs its command matching, there is a special case for pseudo-commands in the sudoers file currently, the only pseudo-command is sudoedit. Unlike a regular command, pseudo-commands do not begin with a slash '/'. The flaw is that sudo's the matching code would on...
OpenSSL -- Multiple vulnerabilities
The OpenSSL project reports: Possible denial of service in X.509 name checks Moderate severity Applications performing certificate name checks e.g., TLS clients checking server certificates may attempt to read an invalid memory address resulting in abnormal termination of the application process...
MySQL -- Multiple vulnerabilities
Oracle reports: This Critical Patch Update contains 37 new security patches, plus additional third party patches noted below, for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials...
ghostscript -- exploitable buffer overflow in (T)BCP in PS interpreter
[email protected] reports: In Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less...
node_exporter -- bypass security with cache poisoning
Prometheus team reports: Prometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back...
polkit -- local privilege escalation using polkit_system_bus_name_get_creds_sync
Cedric Buissart reports: The function polkitsystembusnamegetcredssync is used to get the uid and pid of the process requesting the action. It does this by sending the unique bus name of the requesting process, which is typically something like ":1.96", to dbus-daemon. These unique names are...
Apache Tomcat Remote Code Execution via session persistence
The Apache Software Foundation reports: Under certain circumstances an attacker will be able to trigger remote code execution via deserialization of the file under their control...
CUPS -- memory corruption
Apple reports: CVE-2019-8842: The ippReadIO function may under-read an extension. CVE-2020-3898: The ppdOpen function did not handle invalid UI constraint. ppdcSource::getresolution function did not handle invalid resolution strings. An application may be able to gain elevated privileges...
php -- env_path_info underflow in fpm_main.c can lead to RCE
The PHP project reports: The PHP development team announces the immediate availability of PHP 7.3.11. This is a security release which also contains several bug fixes. The PHP development team announces the immediate availability of PHP 7.2.24. This is a security release which also contains sever...
Node.js -- multiple vulnerabilities
Node.js reports: Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information. Updates are now available for all active Node....
PostgresSQL -- TYPE in pg_temp execute arbitrary SQL during `SECURITY DEFINER` execution
The PostgreSQL project reports: Versions Affected: 9.4 - 11 Given a suitable SECURITY DEFINER function, an attacker can execute arbitrary SQL under the identity of the function owner. An attack requires EXECUTE permission on the function, which must itself contain a function call having inexact...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description Medium SECURITY-1289 Jenkins accepted cached legacy CLI authentication Medium SECURITY-1327 XSS vulnerability in form validation button...
libgcrypt -- side-channel attack vulnerability
GnuPG reports: Mitigate a local side-channel attack on ECDSA signature as described in the white paper "Return on the Hidden Number Problem"...
tomcat -- Security constraints ignored or applied too late
The Apache Software Foundation reports: Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order...
OpenVPN -- two remote denial-of-service vulnerabilities
Samuli Seppänen reports: OpenVPN v2.4.0 was audited for security vulnerabilities independently by Quarkslabs funded by OSTIF and Cryptography Engineering funded by Private Internet Access between December 2016 and April 2017. The primary findings were two remote denial-of-service vulnerabilities...
haproxy -- information leak vulnerability
HAProxy reports: A vulnerability was found when HTTP pipelining is used. In some cases, a client might be able to cause a buffer alignment issue and retrieve uninitialized memory contents that exhibit data from a past request or session. I want to address sincere congratulations to Charlie...
rt42 -- vulnerabilities related to shellshock
Best Practical reports: RT 4.2.0 and above may be vulnerable to arbitrary execution of code by way of CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, or CVE-2014-6271 -- collectively known as "Shellshock." This vulnerability requires a privileged user with access to an RT instance...
FreeBSD -- Denial of Service in TCP packet processing
Problem Description: When a segment with the SYN flag for an already existing connection arrives, the TCP stack tears down the connection, bypassing a check that the sequence number in the segment is in the expected window. Impact: An attacker who has the ability to spoof IP traffic can tear down...
nginx -- Request line parsing vulnerability
The nginx project reports: Ivan Fratric of the Google Security Team discovered a bug in nginx, which might allow an attacker to bypass security restrictions in certain configurations by using a specially crafted request, or might have potential other impact CVE-2013-4547...
sudo -- Authentication bypass when clock is reset
Todd Miller reports: The flaw may allow someone with physical access to a machine that is not password-protected to run sudo commands without knowing the logged in user's password. On systems where sudo is the principal way of running commands as root, such as on Ubuntu and Mac OS X, there is a...
php -- multiple vulnerabilities
The PHP Development Team reports: The release of PHP 5.4.13 and 5.4.3 complete a fix for the vulnerability in CGI-based setups as originally described in CVE-2012-1823. CVE-2012-2311 Note: modphp and php-fpm are not vulnerable to this attack. PHP 5.4.3 fixes a buffer overflow vulnerability in the...
php -- NULL byte poisoning
PHP-specific version of NULL-byte poisoning was briefly described by ShAnKaR: Poison NULL byte vulnerability for perl CGI applications was described in 1. ShAnKaR noted, that same vulnerability also affects different PHP applications. PHP developers report that branch 5.3 received a fix: Paths wi...
mozilla -- multiple vulnerabilities
Mozilla Project reports: MFSA 2010-33 User tracking across sites using Math.random MFSA 2010-32 Content-Disposition: attachment ignored if Content-Type: multipart also present MFSA 2010-31 focus behavior can be used to inject or steal keystrokes MFSA 2010-30 Integer Overflow in XSLT Node Sorting...
TCP denial-of-service attacks against long lived connections
NISCC / UNIRAS has published an advisory that re-visits the long discussed spoofed TCP RST denial-of-service vulnerability. This new look emphasizes the fact that for some applications such attacks are practically feasible...
mailman -- brute-force vuln on list admin password, and CSRF vuln in releases before 2.1.35
Mark Sapiro reports: A potential for for a list member to carry out an off-line brute force attack to obtain the list admin password has been reported by Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed. A CSRF attack via the user options page could allow takeover of a users...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description Low SECURITY-1721 / CVE-2021-21639 Lack of type validation in agent related REST API Medium SECURITY-1871 / CVE-2021-21640 View name validation bypass...
chromium -- multiple vulnerabilities
Chrome Releases reports: This update contains 8 security fixes, including: 1181228 High CVE-2021-21194: Use after free in screen capture. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-02-23 1182647 High CVE-2021-21195: Use after free in V8. Reported by Bohan Liu @P4nda20371774 and...
Gitlab -- multiple vulnerabilities
Gitlab reports: Vendor Cross-Account Assume-Role Attack Stored XSS on the Vulnerability Page Outdated Job Token Can Be Reused to Access Unauthorized Resources File Disclosure Via Workhorse File Upload Bypass Unauthorized Maintainer Can Edit Group Badge Denial of Service Within Wiki Functionality...
glpi -- Remote Code Execution (RCE) via the backup functionality
MITRE Corporation reports: In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only...
h2o -- multiple HTTP/2 vulnerabilities
Jonathon Loomey of Netflix reports: HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion Recently, a series of DoS attack vulnerabilities have been reported on a broad range of HTTP/2 stacks. Among the vulnerabilities, H2O is exposed to the following: CVE-2019-95...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2018-18500: Use-after-free parsing HTML5 stream CVE-2018-18503: Memory corruption with Audio Buffer CVE-2018-18504: Memory corruption and out-of-bounds read of texture client buffer CVE-2018-18505: Privilege escalation through IPC channel messages CVE-2018-18506:...
php -- multiple vulnerabilities
The PHP Group reports: Please reference CVE/URL list for details...
joomla -- multiple vulnerabilities
The JSST and the Joomla! Security Center report: 20151201 - Core - Remote Code Execution Vulnerability Browser information is not filtered properly while saving the session values into the database which leads to a Remote Code Execution vulnerability. 20151202 - Core - CSRF Hardening Add addition...
elasticsearch -- remote OS command execution via Groovy scripting engine
Elastic reports: Vulnerability Summary: Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine that were introduced in 1.3.0. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the...
OpenSSL -- multiple vulnerabilities
OpenSSL project reports: DTLS segmentation fault in dtls1getrecord CVE-2014-3571 DTLS memory leak in dtls1bufferrecord CVE-2015-0206 no-ssl3 configuration sets method to NULL CVE-2014-3569 ECDHE silently downgrades to ECDH Client CVE-2014-3572 RSA silently downgrades to EXPORTRSA Client...
Joomla! -- Core - Unauthorized Login vulnerability
The JSST and the Joomla! Security Center report: 20140902 - Core - Unauthorized Logins Inadequate checking allowed unauthorized logins via LDAP authentication...
Java 1.7 -- security manager bypass
US-CERT reports: Oracle Java Runtime Environment JRE 1.7 contains a vulnerability that may allow an applet to call setSecurityManager in a way that allows setting of arbitrary permissions. By leveraging the public, privileged getField function, an untrusted Java applet can escalate its privileges...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 109574 Medium CVE-2011-3058: Bad interaction possibly leading to XSS in EUC-JP. Credit to Masato Kinugawa. 112317 Medium CVE-2011-3059: Out-of-bounds read in SVG text handling. Credit to Arthur Gerkis. 114056 Medium CVE-2011-3060: Out-of-bounds read in text fragmen...
apache -- multiple vulnerabilities
CVE MITRE reports: An exposure was found when using modproxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from...
gallery -- remote code injection via HTTP_POST_VARS
A web server running Gallery can be exploited for arbitrary PHP code execution through the use of a maliciously crafted URL...
cURL -- Multiple vulnerabilities
The cURL project reports: CVE-2022-32205: Set-Cookie denial of service CVE-2022-32206: HTTP compression denial of service CVE-2022-32207: Unpreserved file permissions CVE-2022-32208: FTP-KRB bad message verification...
RDoc -- command injection vulnerability
Alexandr Savca reports: RDoc used to call Kernelopen to open a local file. If a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user...
typo3 -- multiple vulnerabilities
Typo3 News: CVE-2020-11063: TYPO3-CORE-SA-2020-001: Information Disclosure in Password Reset It has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to verify whether a backend user account with a given email...
samba -- multiple vulnerabilities
The samba project reports: Malicious servers can cause Samba client code to return filenames containing path separators to calling code. When the password contains multi-byte non-ASCII characters, the check password script does not receive the full password string. Users with the "get changes"...
OpenSSL -- Client DoS due to large DH parameter
The OpenSSL project reports: During key agreement in a TLS handshake using a DHE based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2018-5183: Backport critical security fixes in Skia CVE-2018-5154: Use-after-free with SVG animations and clip paths CVE-2018-5155: Use-after-free with SVG animations and text paths CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files...
php -- multiple vulnerabilities
PHP development team reports: Security Enhancements and Fixes in PHP 5.3.7: Updated cryptblowfish to 1.2. CVE-2011-2483 Fixed crash in errorlog. Reported by Mateusz Kocielski Fixed buffer overflow on overlog salt in crypt. Fixed bug 54939 File path injection vulnerability in RFC1867 File upload...
OpenSSL -- Remote Data Injection / DoS
Applications that use SSLMODERELEASEBUFFERS, such as nginx, are prone to a race condition which may allow a remote attacker to inject random data into other connections...
OpenSSL -- Multiple vulnerabilities
The OpenSSL project reports: Severity: low Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. The function X509VERIFYPARAMadd0policy is documented to implicitly enable the certificate policy check...
go -- multiple vulnerabilities
The Go project reports: crypto/rand: rand.Read hangs with extremely large buffers On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 32 - 1 bytes. crypto/tls: session tickets lack random ticketageadd Session tickets generated by crypto/tls did not contain a randomly...