Lucene search
K
OsvMost viewed

908393 matches found

OSV
OSV
added 2021/04/14 8:4 p.m.61 views

GO-2020-0026 Arbitrary file write via archive extraction in github.com/openshift/source-to-image

Due to improper path sanitization, archives containing relative file paths can cause files to be written or overwritten outside of the target directory...

6.5CVSS6.3AI score0.01338EPSS
Exploits0References2
OSV
OSV
added 2019/01/12 2:29 a.m.61 views

CVE-2018-20699

Docker Engine before 18.09 allows attackers to cause a denial of service dockerd memory consumption via a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemonunix.go, pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go...

4.9CVSS6.5AI score
Exploits0References3
OSV
OSV
added 2015/04/26 12:0 a.m.61 views

DSA-3237-1 linux - security update

Bulletin has no description...

9.3CVSS6.8AI score0.10108EPSS
Exploits1
OSV
OSV
added 2008/03/28 12:0 a.m.61 views

DSA-1534-1 iceape

Bulletin has no description...

9.3CVSS9.8AI score0.06055EPSS
Exploits3
OSV
OSV
added 2003/04/17 12:0 a.m.61 views

DSA-288 openssl - several vulnerabilities

Bulletin has no description...

7.5CVSS8.4AI score0.06393EPSS
Exploits0
OSV
OSV
added 2026/05/12 12:19 a.m.60 views

MAL-2026-3435 Malicious code in @squawk/airport-data (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a12035131eafd29a07572751653f857706ac1b113fcbd498a70f54d96d5276cc The package @squawk/airport-data was found to contain malicious code. Source: ghsa-malware...

5.8AI score
Exploits0References6
OSV
OSV
added 2026/05/11 6:6 p.m.60 views

EEF-CVE-2026-43969 Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1

Summary Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cowcookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value...

2.1CVSS6AI score0.00145EPSS
Exploits0References3
OSV
OSV
added 2024/08/30 8:0 a.m.60 views

OPENSUSE-SU-2024:0269-1 Security update for trivy

trivy was updated to fix the following issues: Update to version 0.54.1: fixflag: incorrect behavior for deprected flag --clear-cache backport: release/v0.54 7285 fixjava: Return error when trying to find a remote pom to avoid segfault backport: release/v0.54 7283 fixplugin: do not call GitHub...

8.8CVSS7.6AI score0.00973EPSS
Exploits1References6
OSV
OSV
added 2024/08/21 4:4 p.m.60 views

GO-2022-1219 usememos/memos Denial of Service vulnerability in github.com/usememos/memos

usememos/memos Denial of Service vulnerability in github.com/usememos/memos...

7.6CVSS7.4AI score0.00678EPSS
Exploits1References4
OSV
OSV
added 2024/07/11 3:15 a.m.60 views

UBUNTU-CVE-2016-15039

A vulnerability classified as critical was found in mhuertos phpLDAPadmin up to 665dbc2690ebeb5392d38f1fece0a654225a0b38. Affected by this vulnerability is the function makeHttpRequest of the file htdocs/js/ajaxfunctions.js. The manipulation leads to http request smuggling. The attack can be...

6.3CVSS5.2AI score0.00426EPSS
Exploits0References6
OSV
OSV
added 2024/05/06 1:4 p.m.60 views

RLSA-2024:1782 Important: bind and dhcp security update

The Berkeley Internet Name Domain BIND is an implementation of the Domain Name System DNS protocols. BIND includes a DNS server named; a resolver library routines for applications to use when interfacing with DNS; and tools for verifying that the DNS server is operating correctly. The Dynamic Hos...

7.5CVSS7.4AI score0.99995EPSS
Exploits1References4
OSV
OSV
added 2024/04/01 2:15 a.m.60 views

CVE-2024-31033

JJWT aka Java JWT through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey method within the DefaultJwtParser class and the signWith method within the DefaultJwtBuilder class. NOTE: the vendor disputes thi...

6.8CVSS7AI score
Exploits0References4
OSV
OSV
added 2024/03/21 10:10 p.m.60 views

CVE-2024-28863 node-tar vulnerable to denial of service while parsing a tar file due to lack of folders count validation

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few...

6.5CVSS6.1AI score0.00929EPSS
Exploits1References5
OSV
OSV
added 2024/03/06 10:51 a.m.60 views

BIT-ELASTICSEARCH-2023-31418 Elasticsearch uncontrolled resource consumption

An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests. The issue was identified by Elastic Engineering and...

7.5CVSS7.3AI score0.01232EPSS
Exploits0References4
OSV
OSV
added 2024/03/05 12:0 a.m.60 views

ALSA-2024:1141 Moderate: mysql security update

MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon mysqld and many client programs and libraries. Security Fixes: mysql: InnoDB unspecified vulnerability CPU Apr 2023 CVE-2023-21911 mysql: Server: DDL unspecified vulnerability CPU Apr 2023...

7.5CVSS6.5AI score0.01782EPSS
Exploits0References152
OSV
OSV
added 2024/01/25 7:15 p.m.60 views

CVE-2023-6267

A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed deserialized prior to the security constraints being evaluated and applied. This does not happen with configuration based security...

9.8CVSS9.3AI score0.00719EPSS
Exploits0References4
OSV
OSV
added 2024/01/23 12:50 p.m.60 views

GHSA-HCVP-2CC7-JRWR changedetection.io API endpoint is not secured with API token

Summary API endpoint /api/v1/watch//history can be accessed by any unauthorized user. Details WatchHistory resource does not have @auth.checktoken annotation, which means it can be accessed without providing x-api-key header...

6.3CVSS3.9AI score0.00587EPSS
Exploits1References6
OSV
OSV
added 2023/08/18 9:50 p.m.60 views

GHSA-68XG-GQQM-VGJ8 Puma HTTP Request/Response Smuggling vulnerability

Impact Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling. The following vulnerabilities are addressed by this advisory: Incorrect parsing of trailing fields in...

9.8CVSS8.5AI score0.00738EPSS
Exploits0References9
OSV
OSV
added 2023/07/11 6:44 p.m.60 views

GO-2023-1733 Timing attack from non-constant time scalar arithmetic in github.com/bnb-chain/tss-lib

Timing attack from non-constant time scalar arithmetic in github.com/bnb-chain/tss-lib...

7.5CVSS7.4AI score0.00864EPSS
Exploits0References1
OSV
OSV
added 2023/03/17 6:24 p.m.60 views

GHSA-GQ6W-Q6WH-JGGC PHAR deserialization allowing remote code execution

Description snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the fileexists function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitra...

9.8CVSS9.9AI score0.0276EPSS
Exploits2References11
OSV
OSV
added 2023/03/09 8:18 p.m.60 views

CVE-2023-27483 fieldpath's Paved.SetValue allows growing arrays up to arbitrary sizes in crossplane-runtime

crossplane-runtime is a set of go libraries used to build Kubernetes controllers in Crossplane and its related stacks. An out of memory panic vulnerability has been discovered in affected versions. Applications that use the Paved type's SetValue method with user provided input without proper...

5.9CVSS7.3AI score0.00798EPSS
Exploits0References4
OSV
OSV
added 2023/02/16 9:56 p.m.60 views

GO-2023-1549 Improper input validation in github.com/openshift/apiserver-library-go

Low-privileged users can set the seccomp profile for pods they control to "unconfined." By default, the seccomp profile used in the restricted-v2 Security Context Constraint SCC is "runtime/default," allowing users to disable seccomp for pods they can create and modify...

6.3CVSS6.3AI score0.00647EPSS
Exploits0References3
OSV
OSV
added 2023/02/07 9:30 p.m.60 views

GHSA-26F8-X7CC-WQPC Apache Kafka Connect vulnerable to Deserialization of Untrusted Data

A possible security vulnerability has been identified in Apache Kafka Connect API. This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka...

8.8CVSS8.7AI score0.95302EPSS
Exploits8References6
OSV
OSV
added 2022/12/27 3:15 p.m.60 views

PYSEC-2022-43009

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.5...

6.5CVSS6.9AI score0.00632EPSS
Exploits1References5
OSV
OSV
added 2022/11/29 4:33 p.m.60 views

GO-2022-1130 Authentication bypass in github.com/prometheus/exporter-toolkit

If an attacker has access to a Prometheus web.yml file and users' bcrypted passwords, it would be possible to bypass security via the built-in authentication cache...

8.8CVSS8.3AI score0.01166EPSS
Exploits1References2
OSV
OSV
added 2022/09/21 11:15 a.m.60 views

CVE-2022-38178

By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources...

7.5CVSS2.1AI score0.02176EPSS
Exploits0References9
OSV
OSV
added 2022/06/30 12:0 a.m.60 views

CVE-2022-2056

Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010...

5.5CVSS4.9AI score0.01206EPSS
Exploits1References10
OSV
OSV
added 2022/06/26 12:0 a.m.60 views

DSA-5169-1 openssl - security update

Bulletin has no description...

10CVSS9.1AI score0.95764EPSS
Exploits1
OSV
OSV
added 2022/06/21 8:7 p.m.60 views

GHSA-Q559-8M2M-G699 Change in port should be considered a change in origin

Impact Authorization and Cookie headers on requests are sensitive information. On making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the Authorization and Cookie headers from the request, before containing. Previously, we...

7.7CVSS7.4AI score0.0138EPSS
Exploits0References7
OSV
OSV
added 2022/06/20 9:8 p.m.60 views

MAL-2022-6354 Malicious code in superset-websocket (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 71368c8e29fe057fcc95335932ec6248b0a21541c5be1c4f54aa8fa03167a152 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI score
Exploits0References1
OSV
OSV
added 2022/05/14 1:10 a.m.60 views

GHSA-87W9-X2C3-HRJJ Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, .jspx, .tagx, or .tld XML document containing an external entity declaration ...

4.3CVSS7.9AI score0.09487EPSS
Exploits1References29
OSV
OSV
added 2022/05/13 1:12 a.m.60 views

GHSA-H6C8-X5R3-PM88 Apache Tomcat Unrestricted file upload vulnerability

Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file...

6.8CVSS8.5AI score0.1399EPSS
Exploits0References12
OSV
OSV
added 2022/05/09 6:15 p.m.60 views

CVE-2022-28739

There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including KernelFloat and Stringtof...

7.5CVSS3.7AI score0.04127EPSS
Exploits0References15
OSV
OSV
added 2022/05/05 12:0 a.m.60 views

DSA-5131-1 openjdk-11 - security update

Bulletin has no description...

7.5CVSS6.6AI score0.03825EPSS
Exploits0
OSV
OSV
added 2022/04/24 9:53 p.m.60 views

GSD-2022-1001906 ext4: make mb_optimize_scan performance mount option work with extents

ext4: make mboptimizescan performance mount option work with extents This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.15.33 by commit...

7.2AI score
Exploits0
OSV
OSV
added 2022/04/01 5:26 p.m.60 views

GHSA-R9W3-G83Q-M6HQ Prototype Pollution in deepmerge-ts

deepmerge-ts is used to merge 2 or more objects respecting type information. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords. A fix was released in version 4.0.2. Currently, there is no known workaround...

8.1CVSS8.8AI score0.01612EPSS
Exploits0References5
OSV
OSV
added 2022/02/28 12:0 p.m.60 views

RUSTSEC-2022-0011 Miscomputation when performing AES encryption in rust-crypto

The following Rust program demonstrates some strangeness in AES encryption - if you have an immutable key slice and then operate on that slice, you get different encryption output than if you operate on a copy of that key. For these functions, we expect that extending a 16 byte key to a 32 byte k...

7.3AI score
Exploits0References2
OSV
OSV
added 2022/02/12 12:0 a.m.60 views

DSA-5073-1 expat - security update

Bulletin has no description...

9.8CVSS8.1AI score0.04829EPSS
Exploits2
OSV
OSV
added 2021/12/30 12:0 a.m.60 views

DLA-2871-1 lxml - security update

Bulletin has no description...

8.2CVSS7.7AI score0.02456EPSS
Exploits0
OSV
OSV
added 2021/11/01 12:0 a.m.60 views

ASB-A-195630721

In enforceCrossUserOrProfilePermission of PackageManagerService.java, there is a possible bypass of INTERACTACROSSPROFILES permission due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed...

7.8CVSS7.8AI score0.00105EPSS
Exploits0References2
OSV
OSV
added 2021/09/29 5:11 p.m.60 views

GHSA-H73Q-5WMJ-Q8PJ Cross site scripting in datatables.net

This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped...

6.1CVSS5.5AI score0.01837EPSS
Exploits1References9
OSV
OSV
added 2021/06/30 12:39 a.m.60 views

UVI-2021-1001091 mm/slub: actually fix freelist pointer vs redzoning

mm/slub: actually fix freelist pointer vs redzoning This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.12.13 by commit...

7.2AI score
Exploits0
OSV
OSV
added 2021/05/18 6:8 a.m.60 views

RLSA-2021:1809 Moderate: httpd:2.4 security, bug fix, and enhancement update

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fixes: httpd: modsessioncookie does not respect expiry time CVE-2018-17199 httpd: modproxyuwsgi buffer overflow CVE-2020-11984 httpd: modhttp2 concurrent pool usage CVE-2020-11993 For mor...

9.8CVSS7.4AI score0.90039EPSS
Exploits4References12
OSV
OSV
added 2020/12/17 12:0 a.m.60 views

DLA-2498-1 xerces-c - security update

Bulletin has no description...

8.1CVSS8.2AI score0.09503EPSS
Exploits0
OSV
OSV
added 2020/12/01 12:0 a.m.60 views

ASB-A-158854097

In smpkeydistribution of smpact.cc, there are possible vulnerabilities in Cross-Transport Key Derivation due to weaknesses in the Bluetooth standard. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...

5.9CVSS5.9AI score0.07137EPSS
Exploits1References2
OSV
OSV
added 2020/11/29 12:0 p.m.60 views

RUSTSEC-2020-0075 Unexpected panic when decoding tokens

Prior to 0.10.0 it was possible to have both decoding functions panic unexpectedly, by supplying tokens with an incorrect base62 encoding. The documentation stated that an error should have been reported instead...

5.5CVSS5.4AI score0.00465EPSS
Exploits1References3
OSV
OSV
added 2020/11/03 12:29 p.m.60 views

RLSA-2020:4847 Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update

The Public Key Infrastructure PKI Core contains fundamental packages required by Rocky Enterprise Software Foundation Certificate System. Security Fixes: jquery: Cross-site scripting via cross-domain ajax requests CVE-2015-9251 bootstrap: XSS in the data-target attribute CVE-2016-10735 bootstrap:...

8.6CVSS9.1AI score0.9927EPSS
Exploits65References41
OSV
OSV
added 2020/10/19 12:0 a.m.60 views

DSA-4774-1 linux - security update

Bulletin has no description...

8.8CVSS7.8AI score0.07693EPSS
Exploits8
OSV
OSV
added 2020/09/09 12:0 a.m.60 views

DLA-2369-1 libxml2 - security update

Bulletin has no description...

9.1CVSS6.6AI score0.07836EPSS
Exploits1
OSV
OSV
added 2020/09/01 12:0 a.m.60 views

ASB-A-150693748

In lockswakeupblocks of locks.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

6.7CVSS7.1AI score0.01337EPSS
Exploits0References3
Total number of security vulnerabilities5000