Lucene search
K
OsvMost viewed

909148 matches found

OSV
OSV
added 2023/11/08 5:52 p.m.57 views

GHSA-3VPF-MCJ7-5H38 Ethyca Fides HTML Injection Vulnerability in HTML-Formatted DSR Packages

Impact The Fides web application allows data subject users to request access to their personal data. If the request is approved by the data controller user operating the Fides web application, the data subject's personal data can then retrieved from connected systems and data stores before being...

4.3CVSS5.5AI score0.00609EPSS
Exploits0References5
OSV
OSV
added 2023/11/01 12:0 a.m.57 views

ASB-A-274006187

Bulletin has no description...

5.5CVSS7.2AI score0.00182EPSS
Exploits0References1
OSV
OSV
added 2023/10/22 4:15 a.m.57 views

CVE-2023-46301

iTerm2 before 3.4.20 allow potentially remote code execution because of mishandling of certain escape sequences related to upload...

9.8CVSS7.6AI score
Exploits0References4
OSV
OSV
added 2023/10/19 6:17 a.m.57 views

BIT-2023-42780

Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dagids and the stack-traces of import errors for those DAGs with import...

6.5CVSS6.6AI score0.01071EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2023/10/16 12:0 a.m.57 views

ALSA-2023:5749 Important: .NET 7.0 security update

.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 7.0 to SDK 7.0.112 and Runtime 7.0.12...

7.5CVSS8.1AI score0.99999EPSS
Exploits19References4
OSV
OSV
added 2023/10/11 8:35 p.m.57 views

GHSA-4374-P667-P6C8 HTTP/2 rapid reset can cause excessive work in net/http

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

7.5CVSS7.3AI score0.03796EPSS
Exploits0References46
OSV
OSV
added 2023/10/10 4:53 p.m.57 views

CVE-2023-36478 HTTP/2 HPACK integer overflow and buffer allocation

Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in MetaDataBuilder.checkSize allows for HTTP/2 HPACK header values to exceed their size limit. MetaDataBuilder.java determines if a...

7.5CVSS6.7AI score0.03754EPSS
Exploits1References12
OSV
OSV
added 2023/09/12 5:31 p.m.57 views

GO-2023-2052 IsFromLocal local address check can be circumvented in github.com/gofiber/fiber/v2

The Ctx.IsFromLocal function can incorrectly report a request as being sent from localhost when the request contains an X-Forwarded-For header containing a localhost IP address...

5.3CVSS5.2AI score0.00531EPSS
Exploits0References2
OSV
OSV
added 2023/06/01 2:15 a.m.57 views

PYSEC-2023-83

Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette...

7.5CVSS7.4AI score0.02032EPSS
Exploits1References3
OSV
OSV
added 2023/05/03 9:57 p.m.57 views

GHSA-R97Q-GHCH-82J9 Ghost vulnerable to information disclosure of private API fields

Impact Due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack. GhostPro has already been patched. We can find no evidence that the issue was exploited on GhostPro prior to the patch being added. Self-hosters are...

7.5CVSS7.4AI score0.45713EPSS
Exploits0References5
OSV
OSV
added 2023/03/01 12:0 a.m.57 views

ASB-A-234442700

In sendHalfSheetCancelBroadcast of HalfSheetActivity.java, there is a possible way to learn nearby BT MAC addresses due to an unrestricted broadcast intent. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

5.5CVSS5.1AI score0.00091EPSS
Exploits0References2
OSV
OSV
added 2023/02/27 12:0 a.m.57 views

DLA-3346-1 python-werkzeug - security update

Bulletin has no description...

7.5CVSS6AI score0.0142EPSS
Exploits0
OSV
OSV
added 2023/02/23 12:0 a.m.57 views

DSA-5358-1 asterisk - security update

Bulletin has no description...

9.8CVSS7.3AI score0.01809EPSS
Exploits0
OSV
OSV
added 2023/01/31 12:0 a.m.57 views

DLA-3295-1 node-moment - security update

Bulletin has no description...

7.5CVSS7.7AI score0.05664EPSS
Exploits1
OSV
OSV
added 2022/12/05 10:15 p.m.57 views

CVE-2022-32221

When doing HTTPS transfers, libcurl might erroneously use the read callback CURLOPTREADFUNCTION to ask for data to send, even when the CURLOPTPOSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the...

9.8CVSS8.7AI score0.04325EPSS
Exploits1References11
OSV
OSV
added 2022/10/01 12:0 a.m.57 views

ASB-A-205130886

In createPresentationContext of Presentation.java, there is a possible way to start a foreground activity from background due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

7.8CVSS7.8AI score0.00098EPSS
Exploits0References2
OSV
OSV
added 2022/09/30 12:40 a.m.57 views

GHSA-6263-X97C-C4GG matrix-js-sdk subject to impersonated messages due to permissive key forwarding

Impact An attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others. This attack is possible due to the matrix-js-sdk implementing a too...

7.5CVSS8AI score0.00946EPSS
Exploits0References8
OSV
OSV
added 2022/09/26 5:15 a.m.57 views

PYSEC-2022-288

The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the predispatch flag in Parallel class due to the eval statement...

9.8CVSS4.7AI score0.01893EPSS
Exploits1References5
OSV
OSV
added 2022/08/29 12:0 a.m.57 views

DLA-3085-1 curl - security update

Bulletin has no description...

8.1CVSS6.6AI score0.3197EPSS
Exploits10
OSV
OSV
added 2022/08/06 12:0 a.m.57 views

DSA-5199-1 xorg-server - security update

Bulletin has no description...

7.8CVSS7.9AI score0.00573EPSS
Exploits0
OSV
OSV
added 2022/05/17 4:17 a.m.57 views

GHSA-FMMQ-J7PQ-F85C JRuby denial of service via Hash Collision

JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service CPU consumption via crafted input to an application that maintains a hash table, as demonstrated by a universal...

5CVSS5.1AI score0.02249EPSS
Exploits0References5
OSV
OSV
added 2022/05/14 2:19 a.m.57 views

GHSA-R58R-74GX-6WX3 Nokogiri gem, via libxml, is affected by DoS vulnerabilities

Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page...

8.8CVSS8.5AI score0.02963EPSS
Exploits1References12
OSV
OSV
added 2022/04/11 9:18 p.m.57 views

GHSA-CRJR-9RC5-GHW8 Nokogiri Inefficient Regular Expression Complexity

Summary Nokogiri = 1.13.4. Severity The Nokogiri maintainers have evaluated this as High Severity 7.5 CVSS3.1. References CWE-1333 Inefficient Regular Expression Complexity Credit This vulnerability was reported by HackerOne user oooooooq ななおく...

7.5CVSS7.4AI score0.03549EPSS
Exploits0References15
OSV
OSV
added 2022/02/12 12:0 a.m.57 views

DLA-2919-1 python2.7 - security update

Bulletin has no description...

9.8CVSS7.8AI score0.23293EPSS
Exploits1
OSV
OSV
added 2022/02/01 12:51 a.m.57 views

GHSA-9FP7-4FJM-Q3MF Prototype Pollution in keyget

The package keyget from 0.0.0 are vulnerable to Prototype Pollution via the methods set, push, and at which could allow an attacker to cause a denial of service and may lead to remote code execution. Note: This vulnerability derives from an incomplete fix to CVE-2020-28272...

5.6CVSS9.6AI score0.01678EPSS
Exploits1References4
OSV
OSV
added 2022/01/27 12:1 a.m.57 views

GHSA-77RM-9X9H-XJ3G Withdrawn Advisory: NULL Pointer Dereference in Protocol Buffers

Withdrawn Advisory This advisory has been withdrawn because the protobuf vulnerability comes from the compiler rather that the code. This link is maintained to preserve external references. Original Description Nullptr dereference when a null char is present in a proto symbol. The symbol is parse...

8.7CVSS6.6AI score0.0266EPSS
Exploits0References15
OSV
OSV
added 2021/12/09 12:0 a.m.57 views

DSA-5018-1 python-babel - security update

Bulletin has no description...

7.8CVSS7.8AI score0.00716EPSS
Exploits1
OSV
OSV
added 2021/11/15 11:28 p.m.57 views

GHSA-WMPV-C2JP-J2XG ERC1155Supply vulnerability in OpenZeppelin Contracts

When ERC1155 tokens are minted, a callback is invoked on the receiver of those tokens, as required by the spec. When including the ERC1155Supply extension, total supply is not updated until after the callback, thus during the callback the reported total supply is lower than the real number of...

6.9AI score
Exploits0References2
OSV
OSV
added 2021/11/09 12:0 a.m.57 views

DLA-2814-1 openjdk-8 - security update

Bulletin has no description...

7.1CVSS6.3AI score0.14839EPSS
Exploits0
OSV
OSV
added 2021/10/07 4:15 p.m.57 views

CVE-2021-42013

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default...

9.8CVSS1.5AI score0.99964EPSS
Exploits62References31
OSV
OSV
added 2021/09/25 12:0 a.m.57 views

DSA-4978-1 linux - security update

Bulletin has no description...

8.8CVSS7AI score0.01692EPSS
Exploits8
OSV
OSV
added 2021/06/27 12:0 a.m.57 views

DLA-2692-1 bluez - security update

Bulletin has no description...

5.7CVSS6.4AI score0.00872EPSS
Exploits0
OSV
OSV
added 2021/06/15 4:5 p.m.57 views

GHSA-29QJ-RVV6-QRMV Cross-site scripting in RESTEasy

A cross-site scripting XSS flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack...

5.4CVSS6AI score0.01394EPSS
Exploits1References5
OSV
OSV
added 2021/05/14 8:15 p.m.57 views

CVE-2021-29614

TensorFlow is an end-to-end open source platform for machine learning. The implementation of tf.io.decoderaw produces incorrect results and crashes the Python interpreter when combining fixedlength and wider datatypes. The implementation of the padded...

7.8CVSS7.7AI score
Exploits0References2
OSV
OSV
added 2021/05/01 12:0 a.m.57 views

ASB-A-175451802

In tiocspgrp of ttyjobctrl.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

7.8CVSS8.2AI score0.01129EPSS
Exploits2References2
OSV
OSV
added 2021/04/01 12:0 a.m.57 views

DSA-4882-1 openjpeg2 - security update

Bulletin has no description...

8.8CVSS7AI score0.04932EPSS
Exploits3
OSV
OSV
added 2021/03/22 12:0 a.m.57 views

DLA-2604-1 dnsmasq - security update

Bulletin has no description...

8.3CVSS6.7AI score0.86692EPSS
Exploits2
OSV
OSV
added 2021/01/01 12:0 a.m.57 views

ASB-A-170658976

In fillthreadcoreinfo of binfmtelf.c, there is a possible leak of kernel heap memory due to uninitialized data. This could lead to local information disclosure to an application core dump with no additional execution privileges needed. User interaction is not needed for exploitation...

4.4CVSS5.4AI score0.00617EPSS
Exploits0References2
OSV
OSV
added 2021/01/01 12:0 a.m.57 views

ASB-A-169505740

In speculationctrlupdate of process.c, there is a possible way to disable Speculative Store Bypass Disable due to a logic error, which allows for side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction i...

5.5CVSS5.9AI score0.00463EPSS
Exploits0References2
OSV
OSV
added 2020/12/14 12:0 a.m.57 views

DLA-2492-1 openssl - security update

Bulletin has no description...

5.9CVSS6AI score0.06968EPSS
Exploits3
OSV
OSV
added 2020/11/02 12:0 p.m.57 views

RUSTSEC-2020-0081 `mio` invalidly assumes the memory layout of std::net::SocketAddr

The mio crate has assumed std::net::SocketAddrV4 and std::net::SocketAddrV6 have the same memory layout as the system C representation sockaddr. It has simply casted the pointers to convert the socket addresses to the system representation. The standard library does not say anything about the...

5.5CVSS5.3AI score0.00389EPSS
Exploits1References3
OSV
OSV
added 2020/10/31 12:0 p.m.57 views

RUSTSEC-2020-0072 GenericMutexGuard allows data races of non-Sync types across threads

GenericMutexGuard was given the Sync auto trait as long as T is Send due to its contained members. However, since the guard is supposed to represent an acquired lock and allows concurrent access to the underlying data from different threads, it should only be Sync when the underlying data is. Thi...

5.5CVSS5.3AI score0.00374EPSS
Exploits1References3
OSV
OSV
added 2020/10/08 10:11 p.m.57 views

GHSA-82RF-Q3PR-4F6P Sensitive data exposure in NATS

Preview versions of two NPM packages and one Deno package from the NATS project contain an information disclosure flaw, leaking options to the NATS server; for one package, this includes TLS private credentials. The connection configuration options in these JavaScript-based implementations were...

7.5CVSS7.5AI score0.01476EPSS
Exploits0References5
OSV
OSV
added 2020/08/03 12:0 a.m.57 views

DSA-4739-1 webkit2gtk - security update

Bulletin has no description...

9.8CVSS7.3AI score0.04138EPSS
Exploits0
OSV
OSV
added 2020/08/01 12:0 a.m.57 views

ASB-A-156071259

In usbsgcancel of message.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

7.2CVSS6.8AI score0.00802EPSS
Exploits1References2
OSV
OSV
added 2020/07/17 12:0 a.m.57 views

DSA-4727-1 tomcat9 - security update

Bulletin has no description...

7.5CVSS7.7AI score0.87553EPSS
Exploits16
OSV
OSV
added 2020/07/05 12:0 a.m.57 views

DSA-4717-1 php7.0 - security update

Bulletin has no description...

7.5CVSS6.6AI score0.06264EPSS
Exploits6
OSV
OSV
added 2020/06/15 6:51 p.m.57 views

GHSA-334P-WV2M-W3VP Denial of service in Apache Xerces2

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment JRE in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service infinite loop and application hang via malformed XML input, as...

5CVSS6.8AI score0.3038EPSS
Exploits2References66
OSV
OSV
added 2020/06/09 12:0 a.m.57 views

DSA-4699-1 linux - security update

Bulletin has no description...

7.8CVSS6.6AI score0.04505EPSS
Exploits2
OSV
OSV
added 2020/03/06 12:0 a.m.57 views

DLA-2135-1 jackson-databind - security update

Bulletin has no description...

9.8CVSS9.6AI score0.18671EPSS
Exploits0
Total number of security vulnerabilities5000