
907914 matches found

OSV
OSV
added 2023/01/23 12:0 a.m. • 51 views

ALSA-2023:0333 Moderate: curl security update

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fixes: curl: POST following PUT confusion (CVE-2022-32221). For more details about the security issues, including the impact, a CVSS...

CVSS 9.8 | AI score 7.9 | EPSS 0.04325
Exploits: 1 | References: 4

added 2023/01/12 8:25 a.m. • 51 views

RLSA-2023:0089 Moderate: libreoffice security update

LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and...

CVSS 8.8 | AI score 7.7 | EPSS 0.04354
Exploits: 0 | References: 5

added 2022/12/31 12:0 a.m. • 51 views

DSA-5309-1 wpewebkit - security update

Bulletin has no description...

CVSS 8.8 | AI score 7.5 | EPSS 0.34574
Exploits: 2

added 2022/12/31 12:0 a.m. • 51 views

DLA-3258-1 node-loader-utils - security update

Bulletin has no description...

CVSS 9.8 | AI score 8.8 | EPSS 0.02601
Exploits: 1

added 2022/12/13 7:44 p.m. • 51 views

GHSA-G8Q8-FGGX-9R3Q Keycloak vulnerable to path traversal via double URL encoding

Keycloak does not properly validate URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks...

CVSS 9.1 | AI score 8.6 | EPSS 0.05796
Exploits: 0 | References: 5

added 2022/12/07 10:15 p.m. • 51 views

PYSEC-2022-42986

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust...

CVSS 7.5 | AI score 7.4 | EPSS 0.00535
Exploits: 0 | References: 2

added 2022/12/07 6:45 p.m. • 51 views

GO-2022-1113 Server-side request forgery in github.com/oam-dev/kubevela

When using Helm Chart as the component delivery method, the request address of the warehouse is not restricted, and there is a blind SSRF vulnerability...

CVSS 6.5 | AI score 5.6 | EPSS 0.00376
Exploits: 0 | References: 2

added 2022/12/05 10:15 p.m. • 51 views

CVE-2022-43548

An OS Command Injection vulnerability exists in Node.js versions 14.21.1, 16.18.1, 18.12.1, 19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests allowing rebinding attacks. Th...

CVSS 8.1 | AI score 1.8
Exploits: 0 | References: 5

added 2022/12/05 10:15 p.m. • 51 views

CVE-2022-35260

curl can be told to parse a .netrc file for credentials. If that file ends in a line with 4095 consecutive non-white space letters and no newline, curl would first read past the end of the stack-based buffer, and if the read works, write a zero byte beyond its boundary. This will in most cases cause ...

CVSS 6.5 | AI score 2 | EPSS 0.01761
Exploits: 1 | References: 7

added 2022/11/25 7:15 p.m. • 51 views

PYSEC-2022-42996

MPXJ is an open source library to read and write project plans from a variety of file formats and databases. On Unix-like operating systems (not Windows or macos), MPXJ's use of File.createTempFile(..) results in temporary files being created with the permissions -rw-r--r--. This means that any other...

CVSS 3.3 | AI score 6.5 | EPSS 0.00208
Exploits: 0 | References: 2

added 2022/11/14 7:15 a.m. • 51 views

PYSEC-2022-42980

Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL...

CVSS 7.5 | AI score 3.7 | EPSS 0.01102
Exploits: 0 | References: 5

added 2022/11/01 5:45 p.m. • 51 views

GHSA-8RWR-X37P-MX23 X.509 Email Address 4-byte Buffer Overflow

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate...

CVSS 9.8 | AI score 8.4 | EPSS 0.89804
Exploits: 6 | References: 50

added 2022/10/29 2:15 a.m. • 51 views

CVE-2022-42916

In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure cleartext HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host nam...

CVSS 7.5 | AI score 0.1 | EPSS 0.01644
Exploits: 0 | References: 11

added 2022/10/18 9:46 p.m. • 51 views

GHSA-C6W8-7MP3-34J9 .NET Remote Code Execution Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0, and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A Remote Code Execution vulnerability exis...

CVSS 6.3 | AI score 7.3 | EPSS 0.01556
Exploits: 0 | References: 11

added 2022/10/14 11:59 p.m. • 51 views

GO-2022-1052 Uncontrolled resource consumption during consensus in github.com/tendermint/tendermint

Mishandling of timestamps during consensus process can cause a denial of service. While reaching consensus, different tendermint nodes can observe a different timestamp for a consensus evidence. This mismatch can cause the evidence to be invalid, upon which the node producing the evidence will be...

CVSS 6.5 | AI score 6.3 | EPSS 0.01742
Exploits: 0 | References: 3

added 2022/10/06 8:1 p.m. • 51 views

GHSA-745P-R637-7VVP Codeigniter4's Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued

Impact: Setting $secure or $httponly value to true in Config\Cookie is not reflected in setcookie or Response::setCookie. Note: This vulnerability does not affect session cookies. The following code does not issue a cookie with the secure flag even if you set $secure = true in Config\Cookie. php...

CVSS 2.6 | AI score 4.2 | EPSS 0.00825
Exploits: 1 | References: 9

added 2022/09/29 5:25 p.m. • 51 views

GO-2022-1026 Incorrect validation of root DNSSEC public keys in github.com/peterzen/goresolver

DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. Root DNSSEC public keys are not validated, permitting an attacker to present a self-signed root key and delegation chain...

CVSS 7.5 | AI score 7.4 | EPSS 0.00242
Exploits: 0 | References: 1

added 2022/09/16 12:0 a.m. • 51 views

GHSA-PQW5-JMP5-PX4V parse-url parses http URLs incorrectly, making it vulnerable to host name spoofing

parse-url prior to 8.1.0 is vulnerable to Misinterpretation of Input. parse-url parses certain http or https URLs incorrectly, identifying the URL's protocol as ssh. It may also parse the host name incorrectly...

CVSS 6.1 | AI score 6.3 | EPSS 0.00586
Exploits: 1 | References: 4

added 2022/09/08 7:15 p.m. • 51 views

PYSEC-2022-268

Improper Restriction of Rendered UI Layers or Frames in GitHub repository ikus060/rdiffweb prior to 2.4.1...

CVSS 10 | AI score 3.1 | EPSS 0.00933
Exploits: 1 | References: 3

added 2022/08/15 6:2 p.m. • 51 views

GO-2022-0564 Signature forgery in github.com/biscuit-auth/biscuit-go

An attacker can forge Biscuit v1 tokens with any access level. There is no known workaround for Biscuit v1. The Biscuit v2 specification avoids this vulnerability...

CVSS 9.8 | AI score 9.4 | EPSS 0.0096
Exploits: 1 | References: 1

added 2022/08/11 6:12 p.m. • 51 views

GHSA-PCJH-6R5H-R92R django-sendfile2 before 0.7.0 contains reflected file download vulnerability

Similar to CVE-2022-36359 for Django, django-sendfile2 did not protect against a reflected file download attack in version 0.6.1 and earlier. If the file name used by django-sendfile2 was derived from user input, then it would be possible to perform such an attack. A new version of...

AI score 8.5
Exploits: 0 | References: 4

added 2022/07/20 8:52 p.m. • 51 views

GO-2022-0524 Stack exhaustion when reading certain archives in compress/gzip

Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion...

CVSS 7.5 | AI score 7.8 | EPSS 0.01615
Exploits: 0 | References: 4

added 2022/06/28 12:0 a.m. • 51 views

GHSA-6Q8V-2HVM-FX37 Apache Tika contains incomplete fix for regex DoS

The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1...

CVSS 3.3 | AI score 4.8 | EPSS 0.01892
Exploits: 0 | References: 4

added 2022/06/24 12:0 a.m. • 51 views

GHSA-X95W-QF3M-PQPX Cross-site Scripting in Jenkins Filesystem List Parameter Plugin

Jenkins Filesystem List Parameter Plugin 0.0.7 and earlier does not escape the name and description of File system objects list parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission...

CVSS 8 | AI score 5.8 | EPSS 0.00738
Exploits: 0 | References: 3

added 2022/05/10 8:7 a.m. • 51 views

ALSA-2022:1915 Moderate: httpd:2.4 security and bug fix update

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fixes: httpd: Request splitting via HTTP/2 method injection and mod_proxy (CVE-2021-33193); httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path (CVE-2021-36160); httpd:...

CVSS 8.2 | AI score 8.9 | EPSS 0.82295
Exploits: 1 | References: 5

added 2022/04/18 12:0 a.m. • 51 views

DSA-5122-1 gzip - security update

Bulletin has no description...

CVSS 8.8 | AI score 8.5 | EPSS 0.04271
Exploits: 0

added 2022/04/10 12:0 a.m. • 51 views

DSA-5118-1 thunderbird - security update

Bulletin has no description...

CVSS 8.8 | AI score 7.5 | EPSS 0.1446
Exploits: 7

added 2022/04/02 12:0 a.m. • 51 views

GHSA-7627-MP87-JF6Q Command injection in cocoapods-downloader

The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a...

CVSS 8.1 | AI score 9.9 | EPSS 0.02713
Exploits: 0 | References: 8

added 2022/03/07 12:0 a.m. • 51 views

DLA-2935-1 expat - security update

Bulletin has no description...

CVSS 9.8 | AI score 8.4 | EPSS 0.34174
Exploits: 1

added 2021/12/08 7:55 p.m. • 51 views

GHSA-25F5-GC4H-HC22 Improper Privilege Management in devise_masquerade

The devise_masquerade gem before 1.3 allows certain attacks when a password's salt is unknown. An application that uses this gem to let administrators masquerade/impersonate users loses one layer of security protection compared to a situation where Devise without this extension is used. If the...

CVSS 8.1 | AI score 8 | EPSS 0.0121
Exploits: 1 | References: 6

added 2021/10/22 4:24 p.m. • 51 views

GHSA-5H9G-X5RV-25WG Cross-site scripting vulnerability in TinyMCE

Impact: A cross-site scripting (XSS) vulnerability was discovered in the schema validation logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or editor APIs. This malicious content...

CVSS 6.1 | AI score 6 | EPSS 0.01066
Exploits: 1 | References: 3

added 2021/10/01 12:0 a.m. • 51 views

ASB-A-184622099

In qrtr_recvmsg of qrtr.c, there is a possible leak of kernel memory due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...

CVSS 5.5 | AI score 6.3 | EPSS 0.00366
Exploits: 0 | References: 2

added 2021/09/01 12:0 a.m. • 51 views

ASB-A-188554048

In the SELinux policy configured in system_app.te, there is a possible way for system_app to gain code execution in other processes due to an overly-permissive SELinux policy. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed fo...

CVSS 6.7 | AI score 7 | EPSS 0.00109
Exploits: 0 | References: 2

added 2021/06/30 12:38 a.m. • 51 views

UVI-2021-1001089 net: bridge: fix vlan tunnel dst null pointer dereference

net: bridge: fix vlan tunnel dst null pointer dereference. This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.12.13 by commit...

AI score 7.2
Exploits: 0

added 2021/06/29 1:42 p.m. • 51 views

ALSA-2021:2569 Moderate: libxml2 security update

The libxml2 library is a development toolbox providing the implementation of various XML standards. Security Fixes: libxml2: Use-after-free in xmlEncodeEntitiesInternal in entities.c (CVE-2021-3516); libxml2: Heap-based buffer overflow in xmlEncodeEntitiesInternal in entities.c (CVE-2021-3517); libxml2...

CVSS 8.8 | AI score 7.8 | EPSS 0.0828
Exploits: 1 | References: 5

added 2020/12/31 9:15 a.m. • 51 views

CVE-2020-35911

An issue was discovered in the lock_api crate before 0.4.2 for Rust. A data race can occur because of MappedRwLockReadGuard unsoundness...

CVSS 4.7 | AI score 7.1 | EPSS 0.00324
Exploits: 0 | References: 1

added 2020/11/23 12:0 a.m. • 51 views

DSA-4797-1 webkit2gtk - security update

Bulletin has no description...

CVSS 8.8 | AI score 7.9 | EPSS 0.04528
Exploits: 2

added 2020/11/17 12:0 a.m. • 51 views

DSA-4792-1 openldap - security update

Bulletin has no description...

CVSS 7.5 | AI score 7.7 | EPSS 0.02858
Exploits: 0

added 2020/11/06 2:15 p.m. • 51 views

PYSEC-2020-26

Synopsys hub-rest-api-python (aka blackduck on PyPI) version 0.0.25 - 0.0.52 does not validate SSL certificates in certain cases...

CVSS 7.5 | AI score 3.4 | EPSS 0.01112
Exploits: 1 | References: 6

added 2020/07/22 12:0 a.m. • 51 views

DLA-2286-1 tomcat8 - security update

Bulletin has no description...

CVSS 7.5 | AI score 7.8 | EPSS 0.87553
Exploits: 1

added 2020/07/11 12:0 a.m. • 51 views

DLA-2277-1 openjpeg2 - security update

Bulletin has no description...

CVSS 8.8 | AI score 7.3 | EPSS 0.04932
Exploits: 2

added 2020/05/08 12:0 a.m. • 51 views

DSA-4682-1 squid - security update

Bulletin has no description...

CVSS 9.8 | AI score 7.8 | EPSS 0.7179
Exploits: 0

added 2020/04/28 4:7 p.m. • 51 views

ALSA-2020:1932 Important: container-tools:rhel8 security update

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fixes: buildah: Crafted input tar file may lead to local file overwrite during image build process (CVE-2020-10696). For more details about the security issues, including the...

CVSS 9.3 | AI score 8.7 | EPSS 0.02603
Exploits: 1 | References: 2

added 2020/04/28 12:0 a.m. • 51 views

DSA-4668-1 openjdk-8 - security update

Bulletin has no description...

CVSS 8.3 | AI score 6.8 | EPSS 0.0623
Exploits: 0

added 2020/04/14 3:27 p.m. • 51 views

GHSA-G2F6-V5QH-H2MQ Nexus Repository Manager 3 - Remote Code Execution

Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2)...

CVSS 8.8 | AI score 8.7 | EPSS 0.99064
Exploits: 10 | References: 8

added 2020/01/29 12:0 a.m. • 51 views

DLA-2085-1 zlib - security update

Bulletin has no description...

CVSS 9.8 | AI score 8.5 | EPSS 0.07489
Exploits: 0

added 2019/10/15 12:0 a.m. • 51 views

DSA-4509-3 apache2 - security update

Bulletin has no description...

CVSS 6.1 | AI score 7.4 | EPSS 0.81466
Exploits: 4

added 2019/09/20 12:0 a.m. • 51 views

DSA-4529-1 php7.0 - security update

Bulletin has no description...

CVSS 9.8 | AI score 7.8 | EPSS 0.07031
Exploits: 6

added 2019/08/24 12:0 a.m. • 51 views

DLA-1896-1 commons-beanutils - security update

Bulletin has no description...

CVSS 7.5 | AI score 7.5 | EPSS 0.28839
Exploits: 1

added 2019/06/19 12:0 a.m. • 51 views

DLA-1828-1 python-urllib3 - security update

Bulletin has no description...

CVSS 6.1 | AI score 6.8 | EPSS 0.02056
Exploits: 1

Total number of security vulnerabilities: 5000