openSUSE Security Vulnerabilities


CVE-2019-14232

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking...

7.5 CVSS

7.6 AI Score

0.029 EPSS

2019-08-02 03:15 PM
221

CVE-2020-12656

gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_gss_krb5 implementation in the Linux kernel through 5.6.10 lacks certain domain_release calls, leading to a memory leak. Note: This was disputed with the assertion that the issue does not grant any access not already available....

5.5 CVSS

5.8 AI Score

0.0004 EPSS

2020-05-05 06:15 AM
201

CVE-2010-2532

lxsession-logout in lxsession in LXDE, as used on SUSE openSUSE 11.3 and other platforms, does not lock the screen when the Suspend or Hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via a resume action. NOTE: there is no...

6.2 AI Score

0.001 EPSS

2010-09-03 08:00 PM
35

CVE-2019-19065

A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures, aka CID-34b3be18a04e. NOTE: This has been disputed as not a vulnerability...

4.7 CVSS

4.3 AI Score

0.0004 EPSS

2019-11-18 06:15 AM
278

CVE-2020-8907

A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using their membership to the "docker" group, an attacker with this role is able to run docker and...

7.8 CVSS

7.5 AI Score

0.001 EPSS

2020-06-22 02:15 PM
131
3

CVE-2014-2913

Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that...

7.4 AI Score

0.194 EPSS

2014-05-07 10:55 AM
55

CVE-2020-8933

A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using the membership to the "lxd" group, an attacker can attach host devices and filesystems. Within...

7.8 CVSS

7.5 AI Score

0.001 EPSS

2020-06-22 02:15 PM
135
3

CVE-2019-12904

In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) NOTE: the vendor's position is.....

5.9 CVSS

5.8 AI Score

0.002 EPSS

2019-06-20 12:15 AM
280
2

CVE-2018-20534

There is an illegal address access at ext/testcase.c in libsolv.a in libsolv through 0.7.2 that will cause a denial of service. NOTE: third parties dispute this issue stating that the issue affects the test suite and not the underlying library. It cannot be exploited in any real-world...

6.5 CVSS

6.3 AI Score

0.005 EPSS

2018-12-28 04:29 PM
148

CVE-2019-8341

An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and....

9.8 CVSS

9.3 AI Score

0.042 EPSS

2019-02-15 07:29 AM
132

CVE-2019-19067

Four memory leaks in the acp_hw_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux kernel before 5.3.8 allow attackers to cause a denial of service (memory consumption) by triggering mfd_add_hotplug_devices() or pm_genpd_add_device() failures, aka CID-57be09c6e874. NOTE: third....

4.4 CVSS

6.1 AI Score

0.0004 EPSS

2019-11-18 06:15 AM
289

CVE-2019-19046

A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance...

6.5 CVSS

7.1 AI Score

0.003 EPSS

2019-11-18 06:15 AM
262

CVE-2019-9675

An issue was discovered in PHP 7.x before 7.1.27 and 7.3.x before 7.3.3. phar_tar_writeheaders_int in ext/phar/tar.c has a buffer overflow via a long link value. NOTE: The vendor indicates that the link value is used only when an archive contains a symlink, which currently cannot happen: "This...

8.1 CVSS

8.6 AI Score

0.013 EPSS

2019-03-11 11:29 AM
347

CVE-2015-3281

The buffer_slow_realign function in HAProxy 1.5.x before 1.5.14 and 1.6-dev does not properly realign a buffer that is used for pending outgoing data, which allows remote attackers to obtain sensitive information (uninitialized memory contents of previous requests) via a crafted...

6 AI Score

0.003 EPSS

2015-07-06 03:59 PM
57

CVE-2020-14323

A null pointer dereference flaw was found in samba's Winbind service in versions before 4.11.15, before 4.12.9 and before 4.13.1. A local user could use this flaw to crash the winbind service causing denial of...

5.5 CVSS

5.9 AI Score

0.001 EPSS

2020-10-29 08:15 PM
467
2

CVE-2020-8903

A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using their membership to the "adm" group, users with this role are able to read the DHCP XID from the....

7.8 CVSS

7.3 AI Score

0.001 EPSS

2020-06-22 02:15 PM
133
2

CVE-2020-14400

An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c. NOTE: Third parties do not consider this to be a vulnerability as there is no known path of exploitation or cross of a trust...

7.5 CVSS

7.2 AI Score

0.019 EPSS

2020-06-17 04:15 PM
162

CVE-2014-4608

Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO...

5.7 AI Score

0.011 EPSS

2014-07-03 04:22 AM
90
In Wild

CVE-2020-14399

An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c. NOTE: there is reportedly "no trust boundary...

7.5 CVSS

7.3 AI Score

0.019 EPSS

2020-06-17 04:15 PM
165

CVE-2017-16232

LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the...

7.5 CVSS

6.7 AI Score

0.017 EPSS

2019-03-21 03:59 PM
84

CVE-2013-2423

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not...

8 AI Score

0.968 EPSS

2013-04-17 06:55 PM
972
In Wild
2

CVE-2019-17069

PuTTY before 0.73 might allow remote SSH-1 servers to cause a denial of service by accessing freed memory locations via an SSH1_MSG_DISCONNECT...

7.5 CVSS

7.2 AI Score

0.007 EPSS

2019-10-01 05:15 PM
218

CVE-2013-0422

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using.....

8.2 AI Score

0.975 EPSS

2013-01-10 09:55 PM
959
In Wild
2

CVE-2019-18683

An issue was discovered in drivers/media/platform/vivid in the Linux kernel through 5.3.8. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during...

7 CVSS

7.7 AI Score

0.0004 EPSS

2019-11-04 04:15 PM
180
2

CVE-2020-1472

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a.....

5.5 CVSS

7.9 AI Score

0.511 EPSS

2020-08-17 07:15 PM
2686
In Wild
104

CVE-2018-14553

gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing attackers to crash an application via a specific function call sequence. Only affects PHP when linked with an external libgd (not...

7.5 CVSS

7.3 AI Score

0.013 EPSS

2020-02-11 01:15 PM
307

CVE-2020-25637

A double free memory issue was found to occur in the libvirt API, in versions before 6.8.0, responsible for requesting information about network interfaces of a running QEMU domain. This flaw affects the polkit access control driver. Specifically, clients connecting to the read-write socket with...

6.7 CVSS

6.6 AI Score

0.0004 EPSS

2020-10-06 02:15 PM
310
3

CVE-2017-18017

The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in.....

9.8 CVSS

9.5 AI Score

0.954 EPSS

2018-01-03 06:29 AM
430

CVE-2020-5496

FontForge 20190801 has a heap-based buffer overflow in the Type2NotDefSplines() function in...

8.8 CVSS

8.7 AI Score

0.005 EPSS

2020-01-03 10:15 PM
222

CVE-2017-18595

An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function allocate_trace_buffer in the file...

7.8 CVSS

7.8 AI Score

0.0004 EPSS

2019-09-04 09:15 PM
408

CVE-2020-5395

FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in...

8.8 CVSS

8.4 AI Score

0.005 EPSS

2020-01-03 08:15 PM
261

CVE-2019-5737

In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated...

7.5 CVSS

7.6 AI Score

0.015 EPSS

2019-03-28 05:29 PM
171

CVE-2014-9529

Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during....

6.2 AI Score

0.0004 EPSS

2015-01-09 09:59 PM
99

CVE-2019-15606

Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value...

9.8 CVSS

9.4 AI Score

0.014 EPSS

2020-02-07 03:15 PM
226
2

CVE-2019-15604

Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509...

7.5 CVSS

8.2 AI Score

0.004 EPSS

2020-02-07 03:15 PM
203
3

CVE-2019-15605

HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is...

9.8 CVSS

9.5 AI Score

0.005 EPSS

2020-02-07 03:15 PM
399
5

CVE-2019-13720

Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML...

8.8 CVSS

8.1 AI Score

0.974 EPSS

2019-11-25 03:15 PM
1127
In Wild
4

CVE-2012-5656

The rasterization process in Inkscape before 0.48.4 allows local users to read arbitrary files via an external entity in a SVG file, aka an XML external entity (XXE) injection...

5.5 CVSS

5.3 AI Score

0.001 EPSS

2013-01-18 11:48 AM
32

CVE-2008-1567

phpMyAdmin before 2.11.5.1 stores the MySQL (1) username and (2) password, and the (3) Blowfish secret key, in cleartext in a Session file under /tmp, which allows local users to obtain sensitive...

5.5 CVSS

5.3 AI Score

0.0004 EPSS

2008-03-31 10:44 PM
36

CVE-2009-3238

The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to.....

5.5 CVSS

5.7 AI Score

0.001 EPSS

2009-09-18 10:30 AM
55
7

CVE-2020-15999

Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML...

6.5 CVSS

7.1 AI Score

0.026 EPSS

2020-11-03 03:15 AM
1811
In Wild
22

CVE-2016-2107

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability...

5.9 CVSS

6.9 AI Score

0.967 EPSS

2016-05-05 01:59 AM
510
4

CVE-2008-3188

libxcrypt in SUSE openSUSE 11.0 uses the DES algorithm when the configuration specifies the MD5 algorithm, which makes it easier for attackers to conduct brute-force attacks against hashed...

7.5 CVSS

7.4 AI Score

0.004 EPSS

2008-07-22 04:41 PM
23
4

CVE-2014-1478

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the MPostWriteBarrier class in....

9.8 AI Score

0.009 EPSS

2014-02-06 05:44 AM
38

CVE-2009-1961

The inode double locking code in fs/ocfs2/file.c in the Linux kernel 2.6.30 before 2.6.30-rc3, 2.6.27 before 2.6.27.24, 2.6.29 before 2.6.29.4, and possibly other versions down to 2.6.19 allows local users to cause a denial of service (prevention of file creation and removal) via a series of...

4.7 CVSS

4.4 AI Score

0.0004 EPSS

2009-06-08 01:00 AM
40

CVE-2014-0038

The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer...

5.6 AI Score

0.001 EPSS

2014-02-06 10:55 PM
103

CVE-2009-3231

The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty...

5.8 AI Score

0.014 EPSS

2009-09-17 10:30 AM
122

CVE-2009-1699

The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a...

7.5 CVSS

6.9 AI Score

0.031 EPSS

2009-06-10 06:00 PM
43

CVE-2009-0115

The Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0.4.8, as used in SUSE openSUSE, SUSE Linux Enterprise Server (SLES), Fedora, and possibly other operating systems, uses world-writable permissions for the socket file (aka /var/run/multipathd.sock), which...

7.8 CVSS

7.4 AI Score

0.0004 EPSS

2009-03-30 04:30 PM
28

CVE-2010-1866

The dechunk filter in PHP 5.3 through 5.3.2, when decoding an HTTP chunked encoding stream, allows context-dependent attackers to cause a denial of service (crash) and possibly trigger memory corruption via a negative chunk size, which bypasses a signed comparison, related to an integer overflow...

9.8 CVSS

9.4 AI Score

0.027 EPSS

2010-05-07 11:00 PM
34
Total number of security vulnerabilities: 3260