OSV: Most viewed

907476 matches found

OSV • added 2023/04/20 12:00 a.m. • 41 views

ALSA-2023:1895 Important: java-11-openjdk security update

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fixes: OpenJDK: improper connection handling during TLS handshake 8294474 CVE-2023-21930 OpenJDK: Swing HTML parsing issue 8296832 CVE-2023-21939 OpenJDK:...

CVSS 7.4 • AI score 6.8 • EPSS 0.02474
Exploits 1 • References 16

OSV • added 2023/04/06 12:00 a.m. • 41 views

ALSA-2023:1673 Important: httpd:2.4 security update

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fixes: httpd: HTTP request splitting with mod_rewrite and mod_proxy CVE-2023-25690 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other...

CVSS 9.8 • AI score 8.8 • EPSS 0.8377
Exploits 5 • References 4

OSV • added 2023/03/31 10:44 p.m. • 41 views

GHSA-5X5Q-8CGM-2HJQ Karate has vulnerable dependency on json-smart package (CVE-2023-1370)

Summary The CVE How to fix it Very simple, just upgrade json-path package to 2.8.0 from 2.7.0 inside karate-core pom.xml ;...

CVSS 7.5 • AI score 7.7 • EPSS 0.01119
Exploits 1 • References 4

OSV • added 2023/03/30 8:17 p.m. • 41 views

GHSA-M8CG-XC2P-R3FC rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc

Impact It was found that rootless runc makes /sys/fs/cgroup writable in the following conditions: 1. when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared e.g., docker|podman|nerdctl run --cgroupns=host, with Rootless...

CVSS 2.5 • AI score 6.5 • EPSS 0.00327
Exploits 1 • References 4

OSV • added 2023/03/28 1:07 p.m. • 41 views

RLSA-2023:1405 Important: openssl security update

OpenSSL is a toolkit that implements the Secure Sockets Layer SSL and Transport Layer Security TLS protocols, as well as a full-strength general-purpose cryptography library. Security Fixes: openssl: X.400 address type confusion in X.509 GeneralName CVE-2023-0286 openssl: timing attack in RSA...

CVSS 7.5 • AI score 7.3 • EPSS 0.59501
Exploits 0 • References 5

OSV • added 2023/03/16 9:15 p.m. • 41 views

PYSEC-2023-50

Streamlit, software for turning data scripts into web applications, had a cross-site scripting XSS vulnerability in versions 0.63.0 through 0.80.0. Users of hosted Streamlit apps were vulnerable to a reflected XSS vulnerability. An attacker could craft a malicious URL with Javascript payloads to ...

CVSS 6.1 • AI score 5.3 • EPSS 0.00407
Exploits 0 • References 2

OSV • added 2023/03/02 11:21 p.m. • 41 views

GHSA-59FQ-727J-HM3F keycloak-connect contains Open redirect vulnerability in the Node.js adapter

There is an Open Redirect vulnerability in the Node.js adapter when forwarding requests to Keycloak using checkSSO with query param prompt=none...

CVSS 6.1 • AI score 6.3 • EPSS 0.00399
Exploits 0 • References 5

OSV • added 2023/02/28 12:00 a.m. • 41 views

ALSA-2023:0946 Moderate: openssl security and bug fix update

OpenSSL is a toolkit that implements the Secure Sockets Layer SSL and Transport Layer Security TLS protocols, as well as a full-strength general-purpose cryptography library. Security Fixes: openssl: read buffer overflow in X.509 certificate verification CVE-2022-4203 openssl: timing attack in RS...

CVSS 7.5 • AI score 7.6 • EPSS 0.59501
Exploits 0 • References 18

OSV • added 2023/02/23 8:15 p.m. • 41 views

CVE-2023-0044

If the Quarkus Form Authentication session cookie Path attribute is set to / then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature...

CVSS 6.1 • AI score 6.4 • EPSS 0.0055
Exploits 0 • References 2

OSV • added 2023/02/16 3:15 p.m. • 41 views

CVE-2023-22578

Due to improper attribute filtering in the Sequelize JS library, an attacker can perform SQL injections...

CVSS 9.8 • AI score 9.6 • EPSS 0.00831
Exploits 0 • References 2

OSV • added 2023/02/15 2:58 p.m. • 41 views

CVE-2023-25578 Starlite DoS vulnerability when parsing multipart request body

Starlite is an Asynchronous Server Gateway Interface ASGI framework. Prior to version 1.5.2, the request body parsing in starlite allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited number of file parts and ...

CVSS 7.5 • AI score 7.4 • EPSS 0.01004
Exploits 1 • References 5

OSV • added 2023/02/08 12:30 a.m. • 41 views

GHSA-2QXP-XMX6-CQ4F Cross-Site Request Forgery (CSRF) in wallabag/wallabag

Cross-Site Request Forgery CSRF in GitHub repository wallabag/wallabag prior to 2.5.4...

CVSS 6.5 • AI score 6.5 • EPSS 0.00301
Exploits 1 • References 4

OSV • added 2023/02/07 10:57 p.m. • 41 views

GHSA-33M6-Q9V5-62R7 go.uuid has Predictable UUID Identifiers

CVE Description for go.uuid A flaw was found in github.com/satori/go.uuid in versions from commit 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to d91630c8510268e75203009fe7daf2b8e1d60c45. Due to insecure randomness in the g.rand.Read function the generated UUIDs are predictable for an attacker. Updat...

CVSS 9.8 • AI score 9.4 • EPSS 0.02307
Exploits 0 • References 10

OSV • added 2023/02/01 6:48 p.m. • 41 views

GHSA-3GV2-29QC-V67M Symfony vulnerable to Session Fixation of CSRF tokens

Description: When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performin...

CVSS 6.3 • AI score 7 • EPSS 0.0079
Exploits 0 • References 9

OSV • added 2023/02/01 12:00 a.m. • 41 views

ASB-A-250627584

Bulletin has no description...

CVSS 8.8 • AI score 7.2 • EPSS 0.00326
Exploits 0 • References 4

OSV • added 2023/01/26 9:30 p.m. • 41 views

GHSA-4X65-4FJX-R7M6 Plaintext storage of Access Token in Jenkins GitHub Pull Request Coverage Status Plugin

Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file...

CVSS 5.5 • AI score 5.8 • EPSS 0.00229
Exploits 0 • References 2

OSV • added 2023/01/23 2:30 p.m. • 41 views

RLSA-2023:0328 Moderate: go-toolset and golang security and bug fix update

Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The golang packages provide the Go programming language compiler. Security Fixes: golang: archive/tar: unbounded memory consumption when reading headers CVE-2022-2879 golang: net/http/httputi...

CVSS 7.5 • AI score 7.2 • EPSS 0.01544
Exploits 1 • References 5

OSV • added 2023/01/18 6:23 p.m. • 41 views

GHSA-P84V-45XJ-WWQJ ReDoS based DoS vulnerability in Action Dispatch

There is a possible regular expression based DoS vulnerability in Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2023-22792. Versions Affected: = 3.0.0 Not affected: 3.0.0 Fixed Versions: 5.2.8.15 Rails LTS, 6.1.7.1, 7.0.4.1 Impact Specially crafted cookies, in...

CVSS 7.5 • AI score 7.5 • EPSS 0.01695
Exploits 0 • References 8

OSV • added 2023/01/18 12:30 a.m. • 41 views

GHSA-5PM2-9MR2-3FRQ Component takeover in Oracle Data Provider for .NET

Vulnerability in the Oracle Data Provider for .NET component of Oracle Database Server. Supported versions that are affected are 19c and 21c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TCPS to compromise Oracle Data Provider for .NET. Successful...

CVSS 7.5 • AI score 7.5 • EPSS 0.00594
Exploits 0 • References 4

OSV • added 2023/01/12 8:25 a.m. • 41 views

RLSA-2023:0099 Moderate: virt:rhel and virt-devel:rhel security and bug fix update

Kernel-based Virtual Machine KVM offers a full virtualization solution for Linux on numerous hardware platforms. The virt:Rocky Linux module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting wi...

CVSS 6.5 • AI score 6.4 • EPSS 0.00281
Exploits 0 • References 3

OSV • added 2023/01/11 12:00 a.m. • 41 views

DSA-5315-1 libxstream-java - security update

Bulletin has no description...

CVSS 8.2 • AI score 7.7 • EPSS 0.08689
Exploits 1

OSV • added 2023/01/10 10:27 p.m. • 41 views

GHSA-8GCG-VWMW-RXJ4 Flarum notifications can leak restricted content

Using the notifications feature, one can read restricted/private content and bypass access checks that would be in place for such content. The notification-sending component does not check that the subject of the notification can be seen by the receiver, and proceeds to send notifications through...

CVSS 6.8 • AI score 5.9 • EPSS 0.00397
Exploits 0 • References 5

OSV • added 2023/01/02 6:07 a.m. • 41 views

RLSA-2023:0005 Important: bcel security update

The Byte Code Engineering Library Apache Commons BCEL is intended to give users a convenient way to analyze, create, and manipulate binary Java class files those ending with .class. Security Fixes: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing CVE-2022-42920 For more...

CVSS 8.1 • AI score 9.7 • EPSS 0.02836
Exploits 0 • References 2

OSV • added 2022/12/27 3:15 p.m. • 41 views

PYSEC-2022-43010

Improper Access Control in GitHub repository ikus060/rdiffweb prior to 2.5.5...

CVSS 9.8 • AI score 6.9 • EPSS 0.00827
Exploits 1 • References 5

OSV • added 2022/12/22 8:15 p.m. • 41 views

CVE-2022-1097

NSSToken objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird 91.8, Firefox 99, and Firefox ESR 91.8...

CVSS 6.5 • AI score 3.4
Exploits 0 • References 4

OSV • added 2022/12/16 11:41 p.m. • 41 views

CVE-2022-23531 Arbitrary file write when scanning a specially-crafted local PyPI package

GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine...

CVSS 5.8 • AI score 7.8 • EPSS 0.0059
Exploits 0 • References 5

OSV • added 2022/12/09 5:49 p.m. • 41 views

CVE-2022-23478 Out of Bound Write in xrdp

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol RDP. xrdp v0.9.21 contains an Out of Bound Write in the xrdp_mm_trans_process_drdynvc_channel_open function. There are no known workarounds for this issue. Users are advised to upgrade...

CVSS 9.1 • AI score 7.7 • EPSS 0.00799
Exploits 0 • References 4

OSV • added 2022/12/07 12:00 a.m. • 41 views

DLA-3227-1 ruby-rails-html-sanitizer - security update

Bulletin has no description...

CVSS 6.1 • AI score 6.3 • EPSS 0.2914
Exploits 1

OSV • added 2022/12/01 12:00 a.m. • 41 views

DSA-5292-1 snapd - security update

Bulletin has no description...

CVSS 7.8 • AI score 7 • EPSS 0.00384
Exploits 2

OSV • added 2022/11/23 12:00 a.m. • 41 views

CVE-2022-41934 Improper Neutralization of Directives in Dynamically Evaluated Code in org.xwiki.platform:xwiki-platform-menu-ui

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on commonly accessible documents including the menu macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki...

CVSS 9.9 • AI score 9.2 • EPSS 0.01261
Exploits 1 • References 7

OSV • added 2022/11/17 12:00 a.m. • 41 views

DLA-3199-1 firefox-esr - security update

Bulletin has no description...

CVSS 9.8 • AI score 7.6 • EPSS 0.01061
Exploits 0

OSV • added 2022/11/08 12:00 a.m. • 41 views

ALSA-2022:7444 Moderate: kernel-rt security and bug fix update

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fixes: off-path attacker may inject data or terminate victim's TCP session CVE-2020-36516 Race condition in VT_RESIZEX ioctl when vc_cons[i].d is...

CVSS 8.6 • AI score 8.9 • EPSS 0.12746
Exploits 21 • References 52

OSV • added 2022/11/01 11:55 p.m. • 41 views

GO-2022-1095 Unsanitized NUL in environment variables on Windows in syscall and os/exec

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavi...

CVSS 7.5 • AI score 7.5 • EPSS 0.00778
Exploits 0 • References 3

OSV • added 2022/10/29 7:15 p.m. • 41 views

CVE-2022-41974

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege...

CVSS 7.8 • AI score 7.8
Exploits 0 • References 13

OSV • added 2022/10/25 12:00 a.m. • 41 views

ALSA-2022:7134 Important: kernel-rt security and bug fix update

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fixes: kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation CVE-2022-2588 kernel: information leak in...

CVSS 7.8 • AI score 7.4 • EPSS 0.06214
Exploits 7 • References 15

OSV • added 2022/10/24 12:00 a.m. • 41 views

DLA-3157-1 bluez - security update

Bulletin has no description...

CVSS 9.1 • AI score 7.7 • EPSS 0.01808
Exploits 4

OSV • added 2022/10/20 2:15 p.m. • 41 views

CVE-2022-40084

OpenCRX before v5.2.2 was discovered to be vulnerable to password enumeration due to the difference in error messages received during a password reset which could enable an attacker to determine if a username, email or ID is valid...

CVSS 5.3 • AI score 5.4 • EPSS 0.02422
Exploits 1 • References 2

OSV • added 2022/10/19 7:00 p.m. • 41 views

GHSA-7VR5-72W7-Q6JC Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin

Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be...

CVSS 8.8 • AI score 9.9 • EPSS 0.01211
Exploits 0 • References 3

OSV • added 2022/10/19 12:00 a.m. • 41 views

CVE-2022-39260 Git vulnerable to Remote Code Execution via Heap overflow in `git shell`

Git is an open source, scalable, distributed revision control system. git shell is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the...

CVSS 8.5 • AI score 9 • EPSS 0.02938
Exploits 0 • References 10

OSV • added 2022/10/17 11:15 p.m. • 41 views

CVE-2022-3569

Due to an issue with incorrect sudo permissions, Zimbra Collaboration Suite ZCS suffers from a local privilege escalation issue in versions 9.0.0 and prior, where the 'zimbra' user can effectively coerce postfix into running arbitrary commands as 'root'...

CVSS 7.8 • AI score 7.2
Exploits 0 • References 3

OSV • added 2022/10/06 9:25 p.m. • 41 views

GHSA-398J-F7M7-795J PHPMailer vulnerable to email header injection

Impact Arbitrary additional email headers can be injected via crafted From or Sender headers. Patches Fixed in 2.2.1 Workarounds Filter user-supplied values prior to using them in From or Sender properties. References https://nvd.nist.gov/vuln/detail/CVE-2012-0796 For more information If you have...

CVSS 4 • AI score 5.8 • EPSS 0.01677
Exploits 0 • References 7

OSV • added 2022/10/05 12:00 a.m. • 41 views

DLA-3137-1 nodejs - security update

Bulletin has no description...

CVSS 9.8 • AI score 7.7 • EPSS 0.37286
Exploits 1

OSV • added 2022/10/04 2:35 p.m. • 41 views

RLSA-2022:6781 Important: bind9.16 security update

The Berkeley Internet Name Domain BIND is an implementation of the Domain Name System DNS protocols. BIND includes a DNS server named; a resolver library routines for applications to use when interfacing with DNS; and tools for verifying that the DNS server is operating correctly. Security Fixes:...

CVSS 7.5 • AI score 7.7 • EPSS 0.02299
Exploits 0 • References 4

OSV • added 2022/10/03 12:00 a.m. • 41 views

ALSA-2022:6763 Important: bind security update

The Berkeley Internet Name Domain BIND is an implementation of the Domain Name System DNS protocols. BIND includes a DNS server named; a resolver library routines for applications to use when interfacing with DNS; and tools for verifying that the DNS server is operating correctly. Security Fixes:...

CVSS 7.5 • AI score 7.6 • EPSS 0.02299
Exploits 0 • References 8

OSV • added 2022/10/01 12:00 a.m. • 41 views

DLA-3128-1 node-thenify - security update

Bulletin has no description...

CVSS 9.8 • AI score 9.3 • EPSS 0.01637
Exploits 1

OSV • added 2022/09/28 12:00 a.m. • 41 views

DSA-5240-1 webkit2gtk - security update

Bulletin has no description...

CVSS 8.8 • AI score 7.3 • EPSS 0.03213
Exploits 0

OSV • added 2022/09/26 2:15 p.m. • 41 views

CVE-2022-3204

A vulnerability named 'Non-Responsive Delegation Attack' NRDelegation Attack has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for...

CVSS 7.5 • AI score 1.2 • EPSS 0.01259
Exploits 0 • References 6

OSV • added 2022/09/25 12:00 a.m. • 41 views

DLA-3119-1 expat - security update

Bulletin has no description...

CVSS 8.1 • AI score 7.7 • EPSS 0.01659
Exploits 0

OSV • added 2022/09/17 12:00 a.m. • 41 views

GHSA-3F7H-MF4Q-VRM4 Denial of Service due to parser crash

Those using FasterXML/woodstox to serialize XML data may be vulnerable to Denial of Service attacks DOS. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. This...

CVSS 6.5 • AI score 7 • EPSS 0.19653
Exploits 1 • References 7

OSV • added 2022/09/15 3:25 a.m. • 41 views

GHSA-R8M2-4X37-6592 .NET Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A denial of service vulnerability exists in ASP.NET...

CVSS 7.5 • AI score 7.5 • EPSS 0.03074
Exploits 0 • References 15

Total number of security vulnerabilities: 5000