907369 matches found
RUSTSEC-2022-0084 libp2p Lack of resource management DoS
libp2p allows a potential attacker to cause victim p2p node to run out of memory The out of memory failure can cause crashes where libp2p is intended to be used within large scale networks leading to potential Denial of Service DoS vector Users should upgrade or reference the DoS mitigation...
DSA-5169-1 openssl - security update
Bulletin has no description...
PYSEC-2022-207
An issue was discovered in Couchbase Sync Gateway 3.x before 3.0.2. Admin credentials are not verified when using X.509 client-certificate authentication from Sync Gateway to Couchbase Server. When Sync Gateway is configured to authenticate with Couchbase Server using X.509 client certificates, t...
GHSA-7PXG-6P87-8C9V Magento 2 Community Edition RCE via Unsafe File Upload
Magento versions 2.4.0 and 2.3.5p1 and earlier are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components...
GHSA-8864-PWHG-3MP2 Arbitrary file write vulnerability in Jenkins Fortify CloudScan Plugin
A arbitrary file write vulnerability exists in Jenkins Fortify CloudScan Plugin 1.5.1 and earlier in ArchiveUtil.java that allows attackers able to control rulepack zip file contents to overwrite any file on the Jenkins master file system, only limited by the permissions of the user the Jenkins...
CVE-2022-28739
There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including KernelFloat and Stringtof...
DSA-5131-1 openjdk-11 - security update
Bulletin has no description...
GHSA-X4JG-MJRX-434G Improper Verification of Cryptographic Signature in node-forge
Impact RSA PKCS1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. Patches The issue has been...
GHSA-H5RH-W6VM-9GHC Denial of service in Grafana
The snapshot feature in Grafana before 7.4.2 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set. Specific Go Packages Affected github.com/grafana/grafana/pkg/middleware...
GHSA-WF43-55JJ-VWQ8 DNS Rebinding in etcd
DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost or any other address...
DSA-5073-1 expat - security update
Bulletin has no description...
CVE-2022-21721 DOS Vulnerability in next.js
Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-...
DLA-2871-1 lxml - security update
Bulletin has no description...
GHSA-QH7X-J4V8-QW5W Clipboard-based XSS
Impact XSS against the user. Details jsuites is vulnerable to DOM based XSS if the user can be tricked into copying anything from a malicious and pasting it into the html editor. This is because a part of the clipboard content is directly written to innerHTML causing XSS. References The Curious...
PYSEC-2021-115
The package glances before 3.2.1 are vulnerable to XML External Entity XXE Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks...
GO-2021-0100 Denial of service via deadlock in github.com/containers/storage
Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream on a xz archive returns a reader which will hang indefinitely when Close is called. An attacker can use this to cause denial of service if they are able to cause the caller to attempt to decompress an...
GHSA-3P3G-VPW6-4W66 Authentication Bypass in hydra
Impact When using client authentication method "privatekeyjwt" 1, OpenId specification says the following about assertion jti: A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated betwe...
GHSA-FX8W-MJVM-HVPC Path Traversal in Buildah
A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTPs server and then write files to the user's system anywhere that the user has permissions. Specific Go Packages Affected...
GHSA-M496-X567-F98C Fixes a bug in Zend Framework's Stream HTTP Wrapper
Impact CVE-2021-3007: Backport of ZendHttpResponseStream, added certain type checking as a way to prevent exploitation. https://vulners.com/cve/CVE-2021-3007 This vulnerability is caused by the unsecured deserialization of an object. In versions higher than Zend Framework 3.0.0, the attacker abus...
DLA-2498-1 xerces-c - security update
Bulletin has no description...
RLSA-2020:4847 Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update
The Public Key Infrastructure PKI Core contains fundamental packages required by Rocky Enterprise Software Foundation Certificate System. Security Fixes: jquery: Cross-site scripting via cross-domain ajax requests CVE-2015-9251 bootstrap: XSS in the data-target attribute CVE-2016-10735 bootstrap:...
DLA-2369-1 libxml2 - security update
Bulletin has no description...
PYSEC-2020-173
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorizedkeys file. This occurs in downloadhttpurl in internal/download.py...
DLA-2211-1 log4net - security update
Bulletin has no description...
DLA-2209-1 tomcat8 - security update
Bulletin has no description...
DLA-2188-1 php5 - security update
Bulletin has no description...
DLA-2124-1 php5 - security update
Bulletin has no description...
DSA-4628-1 php7.0 - security update
Bulletin has no description...
RLSA-2019:3736 Critical: php:7.3 security update
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fixes: php: underflow in envpathinfo in fpmmain.c CVE-2019-11043 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to...
DSA-4511-1 nghttp2 - security update
Bulletin has no description...
DSA-4398-1 php7.0 - security update
Bulletin has no description...
GHSA-84Q7-P226-4X5W Jetty vulnerable to cache poisoning due to inconsistent HTTP request handling (HTTP Request Smuggling)
Eclipse Jetty, versions 9.2.x and older, 9.3.x all configurations, and 9.4.x non-default configuration with RFC2616 compliance enabled, contain an HTTP Request Smuggling Vulnerability that can result in cache poisoning...
DLA-1400-1 tomcat7 - security update
Bulletin has no description...
DLA-1397-1 php5 - security update
Bulletin has no description...
DLA-1326-1 php5 - security update
Bulletin has no description...
DSA-3908-1 nginx - security update
Bulletin has no description...
DLA-818-1 php5 - security update
Bulletin has no description...
CVE-2016-9936
The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service use-after-free or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834...
DLA-522-1 python2.7 - security update
Bulletin has no description...
DSA-3566-1 openssl - security update
Bulletin has no description...
DSA-2012-1 linux-2.6 - several issues
Bulletin has no description...
DSA-1534-1 iceape
Bulletin has no description...
DSA-1532-1 xulrunner
Bulletin has no description...
DSA-394 openssl095 - ASN.1 parsing vulnerability
Bulletin has no description...
CGA-8795-658Q-CCP9
Bulletin has no description...
BIT-ACTIVEMQ-2023-46604 Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to caus...
GHSA-PFXJ-GVQG-MJ44 Liferay Profile Widget does not prevent vCard extension spoofing
The Profile Widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows...
RHSA-2023:5980 Red Hat Security Advisory: Satellite 6.11.5.6 async security update
Bulletin has no description...
RHSA-2024:1141 Red Hat Security Advisory: mysql security update
Bulletin has no description...
RHSA-2023:7077 Red Hat Security Advisory: kernel security, bug fix, and enhancement update
Bulletin has no description...