Lucene search
K
OsvMost viewed

906237 matches found

OSV
OSV
added 2022/05/10 6:23 a.m.43 views

ALSA-2022:1764 Moderate: python38:3.8 and python38-devel:3.8 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. The following...

8.2CVSS7.4AI score0.11586EPSS
Exploits3References5
OSV
OSV
added 2022/05/05 10:30 p.m.43 views

CVE-2022-29173 No protection against rollback attacks in go-tuf

go-tuf is a Go implementation of The Update Framework TUF. go-tuf does not correctly implement the client workflow for updating the metadata files for roles other than the root role. Specifically, checks for rollback attacks are not implemented correctly meaning an attacker can cause clients to...

8CVSS8.9AI score0.00532EPSS
Exploits0References4
OSV
OSV
added 2022/05/04 12:0 a.m.43 views

DLA-2993-1 libz-mingw-w64 - security update

Bulletin has no description...

7.5CVSS7.5AI score0.51733EPSS
Exploits1
OSV
OSV
added 2022/05/03 4:15 p.m.43 views

CVE-2022-1343

The function OCSPbasicverify verifies the signer certificate on an OCSP response. In the case where the non-default flag OCSPNOCHECKS is used then the response will be positive meaning a successful verification even in the case where the response signing certificate fails to verify. It is...

5.3CVSS1.3AI score
Exploits0References4
OSV
OSV
added 2022/05/02 4:0 a.m.43 views

GHSA-MPG6-RGP4-35RR Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in pyftpdlib

Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.1 allows remote attackers to cause a denial of service daemon outage by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, a different...

6.3CVSS6.1AI score0.01364EPSS
Exploits0References13
OSV
OSV
added 2022/05/02 3:16 a.m.43 views

GHSA-W227-XCFX-3PJ8 Exposure of Sensitive Information in Apache Tomcat

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /jsecuritycheck with malformed URL encoding of passwords, related to improper error checking in the 1...

4.3CVSS5.1AI score0.9444EPSS
Exploits4References36
OSV
OSV
added 2022/05/01 5:44 p.m.43 views

GHSA-4PRH-GQW8-RGH5 Apache Tomcat Directory Traversal

Directory traversal vulnerability in Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules modproxy, modrewrite, modjk, allows remote attackers to read arbitrary files via a .. dot dot sequence with combinations of 1 / slash, 2 \ backslash, and 3 URL-encoded backslash %...

5CVSS6.2AI score0.90768EPSS
Exploits2References34
OSV
OSV
added 2022/04/15 7:15 p.m.43 views

CVE-2022-26788

PowerShell Elevation of Privilege Vulnerability...

7.8CVSS6.7AI score0.00614EPSS
Exploits0References1
OSV
OSV
added 2022/04/12 8:15 p.m.43 views

CVE-2022-27380

An issue in the component mydecimal::operator= of MariaDB Server v10.6.3 and below was discovered to allow attackers to cause a Denial of Service DoS via specially crafted SQL statements...

7.5CVSS5.2AI score
Exploits0References3
OSV
OSV
added 2022/04/03 12:0 a.m.43 views

DSA-5112-1 chromium - security update

Bulletin has no description...

8.8CVSS7.6AI score0.01589EPSS
Exploits17
OSV
OSV
added 2022/04/01 11:15 p.m.43 views

CVE-2022-22963

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources...

9.8CVSS9.6AI score0.99939EPSS
Exploits36References7
OSV
OSV
added 2022/03/30 12:0 a.m.43 views

GHSA-8PP6-8X4Q-C5MX Server side request forgery in C1 CMS

C1 CMS is an open-source, .NET based Content Management System CMS. Versions prior to 6.12 allow an authenticated user to exploit Server Side Request Forgery SSRF by causing the server to make arbitrary GET requests to other servers in the local network or on localhost. The attacker may also...

7.6CVSS7.3AI score0.00734EPSS
Exploits0References4
OSV
OSV
added 2022/03/28 12:0 a.m.43 views

DSA-5110-1 chromium - security update

Bulletin has no description...

8.8CVSS8.9AI score0.24237EPSS
Exploits1
OSV
OSV
added 2022/03/25 9:15 a.m.43 views

CVE-2018-25032

zlib before 1.2.12 allows memory corruption when deflating i.e., when compressing if the input has many distant matches...

7.5CVSS3.2AI score
Exploits0References29
OSV
OSV
added 2022/03/24 10:44 a.m.43 views

RLSA-2022:1049 Important: httpd:2.4 security update

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fixes: httpd: Errors encountered during the discarding of request body lead to HTTP request smuggling CVE-2022-22720 For more details about the security issues, including the impact, a CV...

8.3CVSS9.3AI score0.28189EPSS
Exploits0References2
OSV
OSV
added 2022/03/23 9:0 p.m.43 views

CVE-2022-24731 Path traversal allows leaking out-of-bound files from Argo CD repo-server

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal vulnerability, allowing a malicious user with read/write access to leak sensitive files from Argo CD's...

6.8CVSS5.2AI score0.00923EPSS
Exploits0References3
OSV
OSV
added 2022/03/23 1:15 p.m.43 views

CVE-2021-25220

BIND 9.11.0 - 9.11.36 9.12.0 - 9.16.26 9.17.0 - 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 - 9.11.36-S1 9.16.8-S1 - 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including Supported Preview Editions - are also believed to be affected but have not been tested as th...

6.8CVSS2.2AI score0.0325EPSS
Exploits0References10
OSV
OSV
added 2022/03/23 6:15 a.m.43 views

CVE-2022-27666

A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat...

7.8CVSS7.4AI score
Exploits0References5
OSV
OSV
added 2022/03/18 12:0 a.m.43 views

DSA-5105-1 bind9 - security update

Bulletin has no description...

6.8CVSS7.1AI score0.0325EPSS
Exploits0
OSV
OSV
added 2022/03/15 12:0 a.m.43 views

DSA-5103-1 openssl - security update

Bulletin has no description...

7.5CVSS7.4AI score0.70561EPSS
Exploits2
OSV
OSV
added 2022/03/14 6:15 p.m.43 views

PYSEC-2022-163

The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the updaterepo function when using hg, the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution...

9.8CVSS3.8AI score0.03652EPSS
Exploits0References3
OSV
OSV
added 2022/03/10 2:43 p.m.43 views

RLSA-2022:0825 Important: kernel security, bug fix, and enhancement update

The kernel packages contain the Linux kernel, the core of any Linux operating system. The following packages have been upgraded to a later upstream version: kernel 4.18.0. BZ2036888 Security Fixes: kernel: improper initialization of the "flags" member of the new pipebuffer CVE-2022-0847 kernel: U...

8.8CVSS8.2AI score0.88106EPSS
Exploits119References9
OSV
OSV
added 2022/03/10 12:0 a.m.43 views

DLA-2942-1 firefox-esr - security update

Bulletin has no description...

9.6CVSS7.2AI score0.00931EPSS
Exploits4
OSV
OSV
added 2022/03/09 12:0 a.m.43 views

DSA-5097-1 firefox-esr - security update

Bulletin has no description...

9.6CVSS7.2AI score0.00931EPSS
Exploits4
OSV
OSV
added 2022/03/04 12:0 a.m.43 views

DSA-5089-1 chromium - security update

Bulletin has no description...

9.6CVSS6.8AI score0.01677EPSS
Exploits5
OSV
OSV
added 2022/03/02 10:24 p.m.43 views

GHSA-CM9W-C4RJ-R2CF Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in view_component

This is an XSS vulnerability that has the potential to impact anyone using translations with the viewcomponent gem. Data received via user input and passed as an interpolation argument to the translate method is not properly sanitized before display. Versions 2.29.1 and 2.49.1 have been released...

8.1CVSS6.8AI score0.01075EPSS
Exploits0References7
OSV
OSV
added 2022/02/23 11:50 p.m.43 views

CVE-2022-24707 SQL injection in anuko timetracker

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. UNION SQL injection and time-based blind injection vulnerabilities existed in Time Tracker Puncher plugin in versions of anuko timetracker prior to 1.20.0.5642. This was happening because the Puncher plugin...

7.4CVSS8.9AI score0.07159EPSS
Exploits5References5
OSV
OSV
added 2022/02/16 5:15 p.m.43 views

CVE-2022-24086

Adobe Commerce versions 2.4.3-p1 and earlier and 2.3.7-p2 and earlier are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution...

9.8CVSS9.6AI score0.99199EPSS
Exploits5References2
OSV
OSV
added 2022/02/15 1:57 a.m.43 views

GHSA-579H-MV94-G4GP Privilege Escalation in Kubernetes

In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary reques...

9.8CVSS8.1AI score0.86978EPSS
Exploits10References22
OSV
OSV
added 2022/02/11 11:23 p.m.43 views

GHSA-7F33-F4F5-XWGW In-band key negotiation issue in AWS S3 Crypto SDK for golang

Summary The golang AWS S3 Crypto SDK is impacted by an issue that can result in loss of confidentiality and message forgery. The attack requires write access to the bucket in question, and that the attacker has access to an endpoint that reveals decryption failures without revealing the plaintext...

2.5CVSS5AI score0.00231EPSS
Exploits1References10
OSV
OSV
added 2022/02/09 12:56 a.m.43 views

GHSA-C597-F74M-JGC2 Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Keycloak

A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle MITM attack...

5.9CVSS6.5AI score0.00905EPSS
Exploits0References3
OSV
OSV
added 2022/02/04 11:15 p.m.43 views

PYSEC-2022-82

Tensorflow is an Open Source Machine Learning Framework. The implementation of AssignOp can result in copying uninitialized data to a new tensor. This later results in undefined behavior. The implementation has a check that the left hand side of the assignment is initialized to minimize number of...

8.8CVSS0.9AI score0.00755EPSS
Exploits1References3
OSV
OSV
added 2022/01/25 12:0 a.m.43 views

DSA-5061-1 wpewebkit - security update

Bulletin has no description...

9.3CVSS8AI score0.07617EPSS
Exploits1
OSV
OSV
added 2022/01/24 12:0 a.m.43 views

DSA-5055-1 util-linux - security update

Bulletin has no description...

5.5CVSS5.8AI score0.00634EPSS
Exploits4
OSV
OSV
added 2022/01/19 12:15 p.m.43 views

CVE-2022-21277

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: ImageIO. Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows...

5.3CVSS4.8AI score
Exploits0References5
OSV
OSV
added 2022/01/13 12:0 a.m.43 views

DSA-5044-1 firefox-esr - security update

Bulletin has no description...

10CVSS7.5AI score0.0134EPSS
Exploits6
OSV
OSV
added 2022/01/10 2:12 p.m.43 views

CVE-2022-22823

buildmodel in xmlparse.c in Expat aka libexpat before 2.4.3 has an integer overflow...

9.8CVSS3.7AI score
Exploits0References6
OSV
OSV
added 2022/01/10 2:10 p.m.43 views

CVE-2021-42392

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various atta...

9.8CVSS7.6AI score
Exploits0References7
OSV
OSV
added 2022/01/06 10:50 p.m.43 views

CVE-2022-21661 SQL injection in WordPress

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WPQuery, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress...

8CVSS8AI score0.97795EPSS
Exploits14References13
OSV
OSV
added 2021/12/12 12:0 a.m.43 views

DLA-2843-1 linux - security update

Bulletin has no description...

8.8CVSS7.7AI score0.06902EPSS
Exploits9
OSV
OSV
added 2021/11/23 12:15 a.m.43 views

PYSEC-2021-863

The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority CA to the root CAs instead of overriding it on Unix systems. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system’s default trust-store...

8.8CVSS3.5AI score0.00375EPSS
Exploits0References6
OSV
OSV
added 2021/11/15 9:57 a.m.43 views

RLSA-2021:4647 Important: kernel security update

The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fixes: kernel: Insufficient validation of user-supplied sizes for the MSGCRYPTO message type CVE-2021-43267 kernel: timer tree corruption leads to missing wakeup and system freeze CVE-2021-20317 For mor...

8.8CVSS7.7AI score0.57853EPSS
Exploits2References3
OSV
OSV
added 2021/11/12 12:0 a.m.43 views

DSA-5009-1 tomcat9 - security update

Bulletin has no description...

7.5CVSS6.9AI score0.10997EPSS
Exploits0
OSV
OSV
added 2021/11/09 9:12 a.m.43 views

ALSA-2021:4373 Low: pcre security update

PCRE is a Perl-compatible regular expression library. Security Fixes: pcre: Buffer over-read in JIT when UTF is disabled and \X or \R has fixed quantifier greater than 1 CVE-2019-20838 pcre: Integer overflow when parsing callout numeric arguments CVE-2020-14155 For more details about the security...

7.5CVSS7AI score0.04182EPSS
Exploits0References3
OSV
OSV
added 2021/11/09 9:1 a.m.43 views

RLSA-2021:4326 Moderate: libX11 security update

The libX11 packages contain the core X11 protocol client library. Security Fixes: libX11: missing request length checks CVE-2021-31535 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in t...

8.1CVSS7.5AI score0.10634EPSS
Exploits2References2
OSV
OSV
added 2021/11/09 8:52 a.m.43 views

RLSA-2021:4257 Moderate: httpd:2.4 security, bug fix, and enhancement update

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fixes: httpd: modsession: NULL pointer dereference when parsing Cookie header CVE-2021-26690 httpd: Unexpected URL matching with 'MergeSlashes OFF' CVE-2021-30641 For more details about t...

7.5CVSS7.8AI score0.65067EPSS
Exploits0References8
OSV
OSV
added 2021/10/05 8:24 p.m.43 views

GHSA-69J6-29VR-P3J9 Authentication bypass for viewing and deletions of snapshots

Today we are releasing Grafana 7.5.11, and 8.1.6. These patch releases include an important security fix for an issue that affects all Grafana versions from 2.0.1. Grafana Cloud instances have already been patched and an audit did not find any usage of this attack vector. Grafana Enterprise...

7.3CVSS7.5AI score0.99888EPSS
Exploits1References13
OSV
OSV
added 2021/10/05 9:15 a.m.43 views

CVE-2021-41524

While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project...

7.5CVSS2.4AI score
Exploits0References8
OSV
OSV
added 2021/10/04 9:15 p.m.43 views

CVE-2021-41091

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby Docker Engine where the data directory typically /var/lib/docker contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traver...

6.3CVSS6.6AI score
Exploits0References5
OSV
OSV
added 2021/09/13 8:6 p.m.43 views

GHSA-MWGJ-7X7J-6966 Deserialization of Untrusted Data in ParlAI

Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0...

9.8CVSS9.3AI score0.17353EPSS
Exploits4References8
Total number of security vulnerabilities5000