Lucene search
K
OsvMost viewed

908957 matches found

OSV
OSV
•added 2022/05/14 1:10 a.m.•46 views

GHSA-3GV7-3H64-78CM Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat

A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. Thi...

7.5CVSS8.4AI score0.1684EPSS
Exploits0References59
OSV
OSV
•added 2022/05/13 1:7 a.m.•46 views

GHSA-XCVR-QV8H-M7XW .NET Core Denial of Service Vulnerability

.NET Core 1.0, .NET Core 1.1, NET Core 2.0 and PowerShell Core 6.0.0 allow a denial of Service vulnerability due to how specially crafted requests are handled, aka ".NET Core Denial of Service Vulnerability"...

7.5CVSS7.3AI score0.09436EPSS
Exploits0References6
OSV
OSV
•added 2022/05/11 1:22 p.m.•46 views

RLSA-2022:2200 Important: .NET 5.0 security, bug fix, and enhancement update

.NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address a security vulnerability are now available. The updated versions are .NET Core SDK 5.0.214 and .NET Core...

7.5CVSS7.5AI score0.05041EPSS
Exploits0References4
OSV
OSV
•added 2022/05/10 8:7 a.m.•46 views

RLSA-2022:1915 Moderate: httpd:2.4 security and bug fix update

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fixes: httpd: Request splitting via HTTP/2 method injection and modproxy CVE-2021-33193 httpd: modproxyuwsgi: out-of-bounds read via a crafted request uri-path CVE-2021-36160 httpd:...

7.5CVSS8.9AI score0.82295EPSS
Exploits1References7
OSV
OSV
•added 2022/05/10 6:45 a.m.•46 views

RLSA-2022:2013 Moderate: openssh security, bug fix, and enhancement update

OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fixes: openssh: privilege escalation when AuthorizedKeysCommand or AuthorizedPrincipalsCommand are...

7CVSS7.5AI score0.02367EPSS
Exploits2References3
OSV
OSV
•added 2022/05/10 6:42 a.m.•46 views

RLSA-2022:1975 Important: kernel-rt security and bug fix update

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fixes: kernel: fget: check that the fd still exists after getting a ref to it CVE-2021-4083 kernel: avoid cyclic entity chains due to malformed U...

7.8CVSS9.2AI score0.06846EPSS
Exploits11References38
OSV
OSV
•added 2022/04/27 10:28 p.m.•46 views

GHSA-MM33-5VFQ-3MM3 Cross-site Scripting Vulnerability in Action Pack

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577. Versions Affected: = 5.2.0 Not affected: 5.2.0 Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1 Impact CSP headers were only sent along with responses that Rails...

6.1CVSS7.2AI score0.01594EPSS
Exploits0References14
OSV
OSV
•added 2022/04/27 12:0 a.m.•46 views

DSA-5125-1 chromium - security update

Bulletin has no description...

9.6CVSS7AI score0.0105EPSS
Exploits25
OSV
OSV
•added 2022/04/19 4:17 p.m.•46 views

CVE-2022-29153

HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5...

7.5CVSS7.5AI score
Exploits0References6
OSV
OSV
•added 2022/04/15 5:15 a.m.•46 views

CVE-2022-26499

An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests such as GET to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2...

9.1CVSS1.6AI score
Exploits0References5
OSV
OSV
•added 2022/04/14 9:15 p.m.•46 views

CVE-2022-22968

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the fiel...

5.3CVSS5.3AI score0.05666EPSS
Exploits2References3
OSV
OSV
•added 2022/04/04 9:40 p.m.•46 views

GHSA-7VRM-3JC8-5WWM Incorrect Comparison in Vyper

Impact bytestrings can have dirty bytes in them, resulting in the word-for-word comparison to give incorrect results, e.g. vyper b1: Bytes32 = b"abcdef" b1 = sliceb1, 0, 1 b2: Bytes32 = b"abcdef" t: bool = b1 == b2 incorrectly evaluates to True even without dirty nonzero bytes, because there is n...

7.5CVSS5.9AI score0.0097EPSS
Exploits0References4
OSV
OSV
•added 2022/03/28 10:15 p.m.•46 views

CVE-2022-26280

Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipxlzmaaloneinit...

6.5CVSS1.9AI score
Exploits0References4
OSV
OSV
•added 2022/03/10 2:43 p.m.•46 views

ALSA-2022:0825 Important: kernel security, bug fix, and enhancement update

The kernel packages contain the Linux kernel, the core of any Linux operating system. The following packages have been upgraded to a later upstream version: kernel 4.18.0. BZ2036888 Security Fixes: kernel: improper initialization of the "flags" member of the new pipebuffer CVE-2022-0847 kernel: U...

9CVSS8.1AI score0.88106EPSS
Exploits119References8
OSV
OSV
•added 2022/03/03 8:35 p.m.•46 views

CVE-2022-24723 Improper Input Validation in URI.js

URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse ca...

5.3CVSS5.6AI score0.01995EPSS
Exploits1References6
OSV
OSV
•added 2022/03/01 9:15 p.m.•46 views

PYSEC-2022-43052

Fluture-Node is a FP-style HTTP and streaming utils for Node based on Fluture. Using followRedirects or followRedirectsWith with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as Authorization or Cookie,...

6.1CVSS6.3AI score0.00815EPSS
Exploits0References4
OSV
OSV
•added 2022/02/17 5:33 p.m.•46 views

GO-2021-0240 Panic when reading certain archives in archive/zip

NewReader and OpenReader can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size...

7.5CVSS7.7AI score0.03464EPSS
Exploits1References4
OSV
OSV
•added 2022/02/16 9:15 p.m.•46 views

CVE-2021-43299

Stack overflow in PJSUA API when calling pjsuaplayercreate. An attacker-controlled 'filename' argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation...

9.8CVSS3.6AI score
Exploits0References6
OSV
OSV
•added 2022/02/11 1:15 p.m.•46 views

CVE-2022-24112

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX with default API key is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different...

9.8CVSS7.4AI score0.96182EPSS
Exploits16References5
OSV
OSV
•added 2022/02/10 8:34 p.m.•46 views

GHSA-P5CH-W78F-XH44 Cross-site scripting in @atlaskit/editor-core

The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in link targets...

5.4CVSS5.2AI score0.01126EPSS
Exploits0References5
OSV
OSV
•added 2022/02/01 12:0 a.m.•46 views

DLA-2906-1 python-django - security update

Bulletin has no description...

7.5CVSS6.8AI score0.49246EPSS
Exploits1
OSV
OSV
•added 2022/01/31 12:0 a.m.•46 views

DLA-2905-1 apache-log4j1.2 - security update

Bulletin has no description...

9.8CVSS9.2AI score0.81147EPSS
Exploits10
OSV
OSV
•added 2021/12/22 12:0 a.m.•46 views

DSA-5000-2 openjdk-11 - security update

Bulletin has no description...

7.1CVSS6.4AI score0.14839EPSS
Exploits0
OSV
OSV
•added 2021/12/14 12:0 p.m.•46 views

RUSTSEC-2021-0129 Invalid handling of `X509_verify_cert()` internal errors in libssl

Internally libssl in OpenSSL calls X509verifycert on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error for example out of memory. Such a negative return value is mishandled by OpenSSL and will cause an IO...

7.5CVSS7.2AI score0.50099EPSS
Exploits0References3
OSV
OSV
•added 2021/11/23 12:15 a.m.•46 views

PYSEC-2021-863

The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority CA to the root CAs instead of overriding it on Unix systems. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system’s default trust-store...

8.8CVSS3.5AI score0.00375EPSS
Exploits0References6
OSV
OSV
•added 2021/11/12 12:0 a.m.•46 views

DLA-2817-1 postgresql-9.6 - security update

Bulletin has no description...

8.1CVSS7.1AI score0.01901EPSS
Exploits0
OSV
OSV
•added 2021/11/11 12:0 a.m.•46 views

DSA-5008-1 node-tar - security update

Bulletin has no description...

8.6CVSS6.9AI score0.03286EPSS
Exploits0
OSV
OSV
•added 2021/11/09 9:16 a.m.•46 views

ALSA-2021:4385 Moderate: glib2 security and bug fix update

GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. Security Fixes: glib2: Possible privilege...

5.5CVSS6.4AI score0.02622EPSS
Exploits2References2
OSV
OSV
•added 2021/11/09 8:52 a.m.•46 views

ALSA-2021:4257 Moderate: httpd:2.4 security, bug fix, and enhancement update

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fixes: httpd: modsession: NULL pointer dereference when parsing Cookie header CVE-2021-26690 httpd: Unexpected URL matching with 'MergeSlashes OFF' CVE-2021-30641 For more details about t...

7.5CVSS7.8AI score0.65067EPSS
Exploits0References3
OSV
OSV
•added 2021/11/09 8:42 a.m.•46 views

ALSA-2021:4213 Moderate: php:7.4 security, bug fix, and enhancement update

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The following packages have been upgraded to a later upstream version: php 7.4.19. BZ1944110 Security Fixes: php: Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV CVE-2020-7069 php: FILTERVALIDATEURL...

7.5CVSS6.9AI score0.05029EPSS
Exploits3References6
OSV
OSV
•added 2021/11/09 8:25 a.m.•46 views

ALSA-2021:4156 Moderate: go-toolset:rhel8 security, bug fix, and enhancement update

Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The following packages have been upgraded to a later upstream version: golang 1.16.7. BZ1938071 Security Fixes: golang: net: lookup functions may return invalid host names CVE-2021-33195...

7.5CVSS7.3AI score0.034EPSS
Exploits3References4
OSV
OSV
•added 2021/11/09 8:24 a.m.•46 views

ALSA-2021:4154 Moderate: container-tools:rhel8 security, bug fix, and enhancement update

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fixes: buildah: Host environment variables leaked in build container when using chroot isolation CVE-2021-3602 containers/storage: DoS via malicious image CVE-2021-20291 For...

7.1CVSS6.7AI score0.01587EPSS
Exploits1References3
OSV
OSV
•added 2021/10/12 4:32 p.m.•46 views

GHSA-Q9P4-QFC8-FVPP SQL Injection in medoo

columnQuote in medoo before 1.7.5 allows remote attackers to perform a SQL Injection due to improper escaping...

9.8CVSS9.8AI score0.01421EPSS
Exploits0References4
OSV
OSV
•added 2021/10/12 12:0 a.m.•46 views

DLA-2785-1 linux-4.19 - security update

Bulletin has no description...

8.8CVSS7.7AI score0.01476EPSS
Exploits15
OSV
OSV
•added 2021/10/04 6:15 p.m.•46 views

CVE-2021-32626

Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote co...

8.8CVSS2.9AI score
Exploits0References10
OSV
OSV
•added 2021/09/27 6:15 a.m.•46 views

PYSEC-2021-354

furlongm openvpn-monitor through 1.1.3 allows Authorization Bypass to disconnect arbitrary clients...

7.5CVSS3.6AI score0.02448EPSS
Exploits6References3
OSV
OSV
•added 2021/07/28 6:8 p.m.•46 views

GO-2021-0103 Denial of service in github.com/holiman/uint256

Due to improper bounds checking, certain mathematical operations can cause a panic via an out of bounds read. If this package is used to process untrusted user inputs, this may be used as a vector for a denial of service attack...

7.5CVSS7.4AI score0.01462EPSS
Exploits0References2
OSV
OSV
•added 2021/07/22 7:43 p.m.•46 views

GHSA-J5C2-HM46-WP5C Privilege escalation: all users can access Admin-level API keys

Impact An error in the implementation of the limits service in 4.0.0 allows all authenticated users including contributors to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. GhostPro has already been patched. Self-hosters are impacted ...

6.5CVSS7AI score0.01019EPSS
Exploits1References4
OSV
OSV
•added 2021/07/14 12:0 a.m.•46 views

DSA-4939-1 firefox-esr - security update

Bulletin has no description...

8.8CVSS7.5AI score0.03582EPSS
Exploits1
OSV
OSV
•added 2021/07/13 12:0 p.m.•46 views

RUSTSEC-2021-0076 libsecp256k1 allows overflowing signatures

libsecp256k1 accepts signatures whose R or S parameter is larger than the secp256k1 curve order, which differs from other implementations. This could lead to invalid signatures being verified. The error is resolved in 0.5.0 by adding a checkoverflow flag...

9.8CVSS9.3AI score0.00935EPSS
Exploits1References3
OSV
OSV
•added 2021/06/30 12:38 a.m.•46 views

UVI-2021-1001086 mac80211: Fix NULL ptr deref for injected rate info

mac80211: Fix NULL ptr deref for injected rate info This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.12.13 by commit...

7.2AI score
Exploits0
OSV
OSV
•added 2021/06/01 12:0 a.m.•46 views

ASB-A-173843328

In hidinputchangeresolutionmultipliers of hid-input.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

7.8CVSS8.2AI score0.00282EPSS
Exploits0References2
OSV
OSV
•added 2021/05/11 7:15 p.m.•46 views

CVE-2021-31200

Common Utilities Remote Code Execution Vulnerability...

7.2CVSS7.4AI score0.02482EPSS
Exploits0References1
OSV
OSV
•added 2021/05/04 12:0 a.m.•46 views

DLA-2647-1 bind9 - security update

Bulletin has no description...

9.8CVSS6.9AI score0.83406EPSS
Exploits0
OSV
OSV
•added 2021/05/02 12:0 a.m.•46 views

DSA-4910-1 libimage-exiftool-perl - security update

Bulletin has no description...

7.8CVSS7.3AI score0.99981EPSS
Exploits39
OSV
OSV
•added 2021/05/01 12:0 a.m.•46 views

DSA-4909-1 bind9 - security update

Bulletin has no description...

9.8CVSS6.9AI score0.83406EPSS
Exploits0
OSV
OSV
•added 2021/04/14 8:4 p.m.•46 views

GO-2021-0095 Sensitive information exposure in github.com/google/go-tpm

Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted, allowing them to use the created key...

7.1CVSS6.7AI score0.0018EPSS
Exploits1References2
OSV
OSV
•added 2021/03/30 3:15 p.m.•46 views

CVE-2021-21409

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty io.netty:netty-codec-http2 before version 4.1.61.Final there is a vulnerability that enables request smuggling. The...

5.9CVSS5.7AI score0.18891EPSS
Exploits0References59
OSV
OSV
•added 2021/02/19 12:0 a.m.•46 views

DSA-4858-1 chromium - security update

Bulletin has no description...

9.6CVSS9.6AI score0.19815EPSS
Exploits8
OSV
OSV
•added 2021/02/16 4:51 p.m.•46 views

GHSA-2M8V-572M-FF2V Command Injection Vulnerability

Impact command injection vulnerability Patches Problem was fixed with a parameter check. Please upgrade to version = 5.3.1 Workarounds If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency, si.inetChecksite, si.services, si.processLoad ... do onl...

7.8CVSS7.3AI score0.9024EPSS
Exploits4References9
Total number of security vulnerabilities5000