Lucene search
K
OpensuseLeap

1898 matches found

CVE
CVE
added 2014/06/05 9:0 p.m.15804 views

CVE-2014-3470

CVE-2014-3470 is an OpenSSL vulnerability where the ssl3_send_client_key_exchange in s3_clnt.c can trigger a NULL certificate value when using anonymous ECDH cipher suites, leading to a denial-of-service via NULL pointer dereference and client crash. Affected OpenSSL versions are before 0.9.8za, ...

4.3CVSS7.4AI score0.85784EPSS
CVE
CVE
added 2019/04/08 9:31 p.m.14646 views

CVE-2019-0211

CVE-2019-0211 affects Apache HTTP Server 2.4.17–2.4.38 when using MPM event, worker, or prefork. The issue arises from code executing in less-privileged child processes/threads (including in-process scripting interpreters) that could be exploited to run arbitrary code with the privileges of the p...

7.8CVSS7.2AI score0.65005EPSS
In wildWeb
CVE
CVE
added 2020/08/07 3:27 p.m.11974 views

CVE-2020-11984

CVE-2020-11984 affects Apache HTTP Server mod_proxy_uwsgi. Based on the provided documents, it is a vulnerability in httpd’s uwsgi handling that can lead to information disclosure and potentially remote code execution. The vulnerability was reported for Apache HTTP Server versions around 2.4.32 t...

9.8CVSS9.3AI score0.90039EPSS
In wild
CVE
CVE
added 2020/04/29 12:0 a.m.7514 views

CVE-2020-11022

CVE-2020-11022 affects jQuery versions >=1.2 and =3.5.0 or apply vendor guidance where applicable.

6.9CVSS6.7AI score0.99019EPSS
In wild
CVE
CVE
added 2020/04/01 11:8 p.m.5891 views

CVE-2020-1927

CVE-2020-1927 affects Apache HTTP Server 2.4.0–2.4.41, where mod_rewrite redirects intended to be self-referential could be fooled by encoded newlines and redirect to an unexpected URL within the request. Multiple connected advisories confirm the issue and indicate that fixes were released in Apa...

6.1CVSS6.7AI score0.56691EPSS
CVE
CVE
added 2019/08/13 8:50 p.m.5795 views

CVE-2019-9513

CVE-2019-9513 (and related HTTP/2 CVEs) affect nginx and nghttp2. The issues enable denial of service via HTTP/2 resource loops and priority/window manipulation, causing high CPU/memory usage. nginx 1.16.x and nghttp2 are specifically named in advisories; remediation is upgrading to fixed package...

7.8CVSS7.7AI score0.82017EPSS
CVE
CVE
added 2020/04/01 7:22 p.m.5481 views

CVE-2020-1934

CVE-2020-1934 affects Apache HTTP Server 2.4.0–2.4.41 via mod_proxy_ftp, which may use uninitialized memory when proxying to a malicious FTP backend. Public advisories confirm the fixes in Apache HTTP Server 2.4.43+ (e.g., ALAS-2020-1370/ALAS2-2020-1427), so upgrading to 2.4.43 or newer is the re...

5.3CVSS6AI score0.51951EPSS
In wild
CVE
CVE
added 2019/08/13 8:50 p.m.5309 views

CVE-2019-9517

CVE-2019-9517 describes an attack against some HTTP/2 implementations where unconstrained internal data buffering can cause a denial of service. The vulnerability arises when an attacker floods a connection with a large number of requests for a large response object while manipulating HTTP/2 flow...

7.8CVSS7.7AI score0.27004EPSS
CVE
CVE
added 2018/11/07 2:0 p.m.5266 views

CVE-2018-16843

CVE-2018-16843 affects nginx before 1.15.6 and 1.14.1, where HTTP/2 implementation vulnerabilities in ngx_http_v2_module (if http2 is enabled) can cause excessive memory usage. Connected advisories also reference related CVEs (16844/16845) and show multiple distributions (Debian, Fedora/Red Hat, ...

7.8CVSS7.3AI score0.47057EPSS
CVE
CVE
added 2018/07/06 4:0 p.m.4939 views

CVE-2018-10892

CVE-2018-10892 : In Docker/Moby, the default OCI Linux spec (oci/defaults_linux.go) from 1.11 to current does not block /proc/acpi pathnames. This allows a container to affect host hardware state (e.g., enabling/disabling Bluetooth, changing keyboard brightness) by targeting /proc/acpi, represent...

6.3CVSS5.3AI score0.01135EPSS
CVE
CVE
added 2018/11/07 2:0 p.m.4518 views

CVE-2018-16845

The CVE-2018-16845 issue affects nginx builds that include the ngx_http_mp4_module and the mp4 directive. Vulnerable are nginx versions earlier than 1.15.6 and 1.14.1 (when built with the module). The vulnerability arises from processing a specially crafted MP4 file, which could cause an infinite...

8.2CVSS6.4AI score0.09801EPSS
CVE
CVE
added 2019/06/11 8:49 p.m.4482 views

CVE-2019-0220

CVE-2019-0220 affects Apache HTTP Server 2.4.0–2.4.38. The issue arises when the path component of a request URL contains multiple consecutive slashes; directives like LocationMatch and RewriteRule must account for duplicates in regular expressions because the server may collapse or mishandle the...

5.3CVSS6.4AI score0.1786EPSS
CVE
CVE
added 2020/01/09 8:5 p.m.4435 views

CVE-2019-20372

NGINX (on Amazon Linux 2) is affected by CVE-2019-20372 when configured with certain error_page settings, enabling HTTP request smuggling. The Amazon Linux 2 ALAS advisory ALAS2NGINX1-2023-004 confirms vulnerable 1.17.x/older configurations and provides patched packages: nginx 1.18.0 and related ...

5.3CVSS5.2AI score0.14961EPSS
CVE
CVE
added 2020/08/17 7:13 p.m.4315 views

CVE-2020-1472

CVE-2020-1472 (Zerologon) is referenced in connected records as affecting Samba packages. Two advisories note affected versions and fixes: CVE-2020-1472 in Samba for versions < 4.18.3-1 (CBLMARINER:36991) and

10CVSS7.8AI score0.99512EPSS
In wild
CVE
CVE
added 2020/02/24 9:19 p.m.4239 views

CVE-2020-1938

CVE-2020-1938 (Tomcat AJP vulnerability) : The issue affects Apache Tomcat where the AJP Connector, enabled by default in several legacy releases, could be reached through untrusted networks. An attacker could exploit the configured AJP path to read arbitrary files in the web application and pote...

9.8CVSS9.9AI score0.9927EPSS
In wildWeb
CVE
CVE
added 2019/08/13 8:50 p.m.3846 views

CVE-2019-9511

CVE-2019-9511 is an HTTP/2 denial-of-service issue observed in multiple products where an attacker manipulates HTTP/2 window size and stream prioritization to force queuing of data in 1-byte chunks, potentially exhausting CPU/memory. Connected advisories confirm affected components include nginx ...

7.8CVSS6.8AI score0.58373EPSS
CVE
CVE
added 2019/04/08 8:11 p.m.3442 views

CVE-2019-0217

This CVE affects Apache HTTP Server 2.4.x up to 2.4.38, where a race condition in mod_auth_digest could allow an authenticated user to act as another user and bypass access control. The issue is tied to running in threaded MPMs; the underlying cause is a race condition in authentication handling....

7.5CVSS7.5AI score0.17666EPSS
CVE
CVE
added 2019/09/26 2:7 p.m.3421 views

CVE-2019-10092

The CVE-2019-10092 entry concerns Apache HTTP Server 2.4.0–2.4.39 with a limited cross-site scripting in the mod_proxy error page. The vulnerability lets an attacker craft a link on the error page that could mislead users by pointing to a page of the attacker’s choosing, but exploitation requires...

6.1CVSS7.3AI score0.81466EPSS
CVE
CVE
added 2020/08/07 3:24 p.m.3194 views

CVE-2020-9490

CVE-2020-9490 affects Apache HTTP Server versions 2.4.20–2.4.43. A specially crafted value for the Cache-Digest header in an HTTP/2 request could cause a crash when the server subsequently attempts to HTTP/2 PUSH a resource. Mitigation for unpatched servers is to disable HTTP/2 PUSH via H2Push of...

7.5CVSS8.3AI score0.89744EPSS
In wild
CVE
CVE
added 2020/08/07 3:32 p.m.3073 views

CVE-2020-11993

CVE-2020-11993 affects Apache HTTP Server 2.4.20–2.4.43: when trace/debug is enabled for the HTTP/2 module and certain traffic patterns, logging can be performed on the wrong connection, leading to concurrent use of memory pools. Mitigation in public advisories: set LogLevel for mod_http2 above i...

7.5CVSS8.6AI score0.58716EPSS
In wild
CVE
CVE
added 2019/08/13 8:50 p.m.3067 views

CVE-2019-9516

CVE-2019-9516 is an HTTP/2 header leak vulnerability affecting nginx and several Linux distributions. The issue occurs when an attacker sends streams with 0-length header names and values (optionally Huffman encoded), causing nginx to allocate memory for headers that may be kept until the session...

7.5CVSS7.3AI score0.56262EPSS
CVE
CVE
added 2019/04/19 12:0 a.m.2930 views

CVE-2019-11358

CVE-2019-11358 is a prototype pollution vulnerability in jQuery (before 3.4.0) where mishandling of extend(true, {}, ...) can extend Object.prototype if an unsanitized source object has an enumerable proto property. The Core issue is triggered when a polluted prototype is introduced via nested ob...

6.1CVSS6.4AI score0.87218EPSS
In wild
CVE
CVE
added 2019/03/08 11:0 p.m.2591 views

CVE-2019-9641

CVE-2019-9641 affects PHP's EXIF extension (older PHP 7.1.x/7.2.x/7.3.x branches). Affected versions are PHP 7.1.0–7.1.26/7.2.0–7.2.15/7.3.0–7.3.2 (per sources: 7.1.27, 7.2.16, 7.3.3 as fixed). The root cause is an uninitialized read in exif_process_IFD_in_TIFF (with related notes on exif_process...

9.8CVSS9.2AI score0.09395EPSS
CVE
CVE
added 2020/07/13 12:0 a.m.2545 views

CVE-2019-20907

CVE-2019-20907 affects Python’s tarfile handling (Lib/tarfile.py) up to Python 3.8.3. A crafted TAR archive can trigger an infinite loop when opened via tarfile.open because _proc_pax lacks header validation. Connected advisories confirm the issue is treated as a tarfile DoS, with patches release...

7.5CVSS7.6AI score0.06304EPSS
CVE
CVE
added 2018/11/07 5:0 a.m.2382 views

CVE-2018-19052

The CVE-2018-19052 issue affects lighttpd’s mod_alias_physical_handler (mod_alias.c): when a configured alias lacks a trailing '/' but the target path has one, there is potential directory traversal to the parent of the alias target. Public advisories confirm this vulnerability across multiple di...

7.5CVSS7.3AI score0.1408EPSS
CVE
CVE
added 2020/01/30 12:0 a.m.2338 views

CVE-2020-8492

CVE-2020-8492 describes a Regular Expression Denial of Service (ReDoS) in Python’s urllib.request.AbstractBasicAuthHandler that can be triggered by a malicious HTTP server. The vulnerability affects Python 2.7 (up to 2.7.17) and multiple 3.x releases (up to 3.8.1 per the CVE summary). Connected a...

7.1CVSS7AI score0.06617EPSS
CVE
CVE
added 2019/06/11 9:35 p.m.2154 views

CVE-2019-0197

The CVE-2019-0197 entry concerns Apache HTTP Server 2.4.34–2.4.38. When HTTP/2 is enabled for an http: host or H2Upgrade is enabled for h2 on an https: host, an Upgrade request from http/1.1 to http/2 that is not the first request on a connection could cause misconfiguration and crash. Servers th...

4.9CVSS5.5AI score0.08441EPSS
CVE
CVE
added 2020/10/02 2:14 p.m.1677 views

CVE-2020-7069

CVE-2020-7069 affects PHP AES-CCM encryption: when using openssl_encrypt() with a 12-byte IV, only the first 7 bytes are used in versions 7.2.x < 7.2.34, 7.3.x < 7.3.23, and 7.4.x

6.5CVSS6.2AI score0.02055EPSS
CVE
CVE
added 2019/02/22 11:0 p.m.1627 views

CVE-2019-9020

CVE-2019-9020 affects PHP versions before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. It stems from invalid input to xmlrpc_decode(), enabling a heap out-of-bounds read via xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c. The impact is a memory access issue th...

9.8CVSS8.4AI score0.10059EPSS
CVE
CVE
added 2018/10/09 3:0 p.m.1583 views

CVE-2018-18074

CVE-2018-18074 affects the Python requests library prior to 2.20.0. When handling a same-hostname HTTPS-to-HTTP redirect, the library sends the HTTP Authorization header to the HTTP URI, enabling credential exposure via network sniffing. Mitigation: upgrade to a version that includes the fix (Req...

7.5CVSS6.7AI score0.07443EPSS
CVE
CVE
added 2016/07/19 1:0 a.m.1521 views

CVE-2016-5387

CVE-2016-5387 affects Apache httpd prior to 2.4.25, where RFC 3875 compliance allows untrusted HTTP_PROXY data to influence outbound proxy selection via a crafted Proxy header (the httpoxy issue). Public docs indicate the issue arises from the HTTP_PROXY environment variable being exposed to appl...

8.1CVSS8AI score0.55724EPSS
CVE
CVE
added 2020/05/20 6:26 p.m.1510 views

CVE-2020-9484

CVE-2020-9484 is a deserialization flaw in Apache Tomcat that, under a specific FileStore PersistenceManager configuration and a crafted request, can trigger remote code execution. Affected are Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61, and 7.0.0 to 7.0.107 when the...

7CVSS7.5AI score0.56636EPSS
CVE
CVE
added 2020/04/30 4:58 p.m.1500 views

CVE-2020-11651

SaltStack Salt (CVE-2020-11651) vulnerable in Salt before 2019.2.4 and 3000 before 3000.2: the salt-master ClearFuncs class does not properly validate method calls, enabling a remote, unauthenticated user to access certain methods, retrieve user tokens from the salt-master, and potentially run ar...

9.8CVSS9.6AI score0.96405EPSS
In wild
CVE
CVE
added 2020/02/24 9:11 p.m.1472 views

CVE-2020-1935

CVE-2020-1935 affects Apache Tomcat across multiple branches: 9.0.0.M1–9.0.30, 8.5.0–8.5.50, and 7.0.0–7.0.99. It stems from HTTP header parsing that can mishandle end-of-line and Transfer-Encoding, enabling HTTP Request Smuggling when Tomcat sits behind certain reverse proxies. Impact is informa...

5.8CVSS7.4AI score0.09386EPSS
CVE
CVE
added 2020/11/03 2:21 a.m.1377 views

CVE-2020-16009

CVE-2020-16009 is a Google Chrome/Chromium V8 type-confusion vulnerability that could allow remote code execution via a crafted HTML page. Root cause: type confusion in V8 before 86.0.4240.183. Affected product family includes Google Chrome and other Chromium-based browsers; Debian security advis...

8.8CVSS8.6AI score0.48574EPSS
In wild
CVE
CVE
added 2020/07/22 4:16 p.m.1358 views

CVE-2020-6514

CVE-2020-6514 affects Google Chrome WebRTC data channel where an attacker in a privileged network position could trigger a memory corruption (heap) via a crafted SCTP stream. The initial description notes an inappropriate WebRTC implementation as the underlying cause, with the vulnerability explo...

6.5CVSS7.3AI score0.0779EPSS
CVE
CVE
added 2019/11/25 2:22 p.m.1356 views

CVE-2019-13720

CVE-2019-13720 is a use-after-free in Chrome’s WebAudio (Chromium) prior to 78.0.3904.87 that could allow remote code execution via a crafted HTML page, with heap corruption as the underlying risk. Public documents identify the affected component as the WebAudio functionality in Chrome/Chromium a...

8.8CVSS8.1AI score0.72977EPSS
In wild
CVE
CVE
added 2016/02/15 7:0 p.m.1351 views

CVE-2016-0746

CVE-2016-0746 is a use-after-free in nginx’s resolver when processing DNS CNAME responses. The issue affects nginx versions before 1.8.1 and 1.9.x before 1.9.10; exploitation could crash worker processes or yield other unspecified impacts. Remediation per connected docs: upgrade to non‑vulnerable...

9.8CVSS9.5AI score0.08625EPSS
CVE
CVE
added 2020/04/30 5:0 p.m.1343 views

CVE-2020-11652

CVE-2020-11652 affects SaltStack Salt prior to 2019.2.4 and 3000 prior to 3000.2, where the salt-master ClearFuncs class allows authenticated users to access methods that do not properly sanitize paths, enabling arbitrary directory access. This is a directory-traversal vulnerability in the salt-m...

6.5CVSS7.8AI score0.86063EPSS
In wild
CVE
CVE
added 2019/02/22 11:0 p.m.1336 views

CVE-2019-9021

CVE-2019-9021 affects PHP releases prior to 5.6.40, 7.x prior to 7.1.26, 7.2.x prior to 7.2.14, and 7.3.x prior to 7.3.1. It describes a heap-based buffer over-read in PHAR reading functions of the PHAR extension (phar_detect_phar_fname_ext in ext/phar/phar.c) that can cause reading memory past t...

9.8CVSS8.5AI score0.10059EPSS
CVE
CVE
added 2019/02/22 11:0 p.m.1327 views

CVE-2019-9024

CVE-2019-9024 affects PHP’s xmlrpc_decode() path via base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c. A hostile XMLRPC server can cause memory to be read outside allocated areas. Affected: PHP 5.6.x before 5.6.40; PHP 7.x before 7.1.26; 7.2.x before 7.2.14; 7.3.x before 7.3.1. Remediation (...

7.5CVSS8.3AI score0.0712EPSS
CVE
CVE
added 2019/11/01 10:15 p.m.1289 views

CVE-2019-6470

CVE-2019-6470 concerns a use-after-free/crash in DHCPv6 when ISC BIND libraries are mismatched with dhcpd. The described root cause is a bug in a BIND library function used by dhcpd, with the library bug preventing normal operation and a crash potential when vendors differ in package versions. Af...

7.5CVSS6.7AI score0.08813EPSS
CVE
CVE
added 2020/10/02 2:14 p.m.1272 views

CVE-2020-7070

CVE-2020-7070 affects PHP 7.2.x < 7.2.34, 7.3.x < 7.3.23 and 7.4.x

5.3CVSS6.5AI score0.05029EPSS
CVE
CVE
added 2019/12/23 4:39 p.m.1242 views

CVE-2019-17563

Tomcat CVE-2019-17563: A race-condition in FORM authentication allowed a session-fixation window in Tomcat 9.0.0.M1–9.0.29, 8.5.0–8.5.49, and 7.0.0–7.0.98. The issue is acknowledged as a vulnerability with practical exploitation not detailed in the provided docs. Affected products: Apache Tomcat....

7.5CVSS7.7AI score0.10687EPSS
CVE
CVE
added 2020/11/06 7:27 a.m.1193 views

CVE-2020-16846

CVE-2020-16846 affects SaltStack Salt via the Salt API SSH Client. The issue allows an unauthenticated, network-accessible user to execute arbitrary commands by injecting shell commands through crafted requests to the Salt API when the SSH client is enabled. The vulnerability is cited across mult...

9.8CVSS9.3AI score0.99585EPSS
In wildWeb
CVE
CVE
added 2019/02/22 11:0 p.m.1170 views

CVE-2019-9023

CVE-2019-9023 affects PHP mbstring: heap-based buffer over-read when regcomp/regexec/regparse in mbstring are fed invalid multibyte data. Affected versions include PHP 5.6.40 and PHP 7.x prior to 7.1.26 (7.1.x), 7.2.x prior to 7.2.14, and 7.3.x prior to 7.3.1. Root cause is memory read outside al...

9.8CVSS8.5AI score0.09317EPSS
CVE
CVE
added 2019/06/19 10:7 p.m.1144 views

CVE-2019-12900

CVE-2019-12900 affects bzip2 up to 1.0.6. The vulnerability is an out-of-bounds write in BZ2_decompress (decompress.c) when there are many selectors, potentially causing memory corruption. Public notices list multiple vendor advisories (e.g., Rocky Linux/AlmaLinux, Debian/Ubuntu, OpenSUSE, Amazon...

9.8CVSS9.6AI score0.08042EPSS
CVE
CVE
added 2019/03/08 9:0 p.m.1144 views

CVE-2019-9636

CVE-2019-9636 overview Python 2.7.x (up to 2.7.16) and Python 3.x (up to 3.7.2) are affected by improper handling of Unicode encoding during NFKC normalization, exposing information such as cookies and credentials cached for a hostname. The vulnerable components are urllib.parse.urlsplit and urll...

9.8CVSS9.4AI score0.08811EPSS
CVE
CVE
added 2018/01/04 1:0 p.m.1143 views

CVE-2017-5753

CVE-2017-5753 is part of the Spectre family (Variant 1) described in the SPECTRE_MELTDOWN_ADVISORY: it involves speculative execution and a bounds-check bypass that can enable an unprivileged attacker to read privileged memory via cache timing analysis. IBM’s AIX/VIOS advisories and iFixes addres...

5.6CVSS6.1AI score0.93838EPSS
CVE
CVE
added 2017/05/23 3:56 a.m.1142 views

CVE-2016-9843

CVE-2016-9843 concerns zlib 1.2.8 and its crc32_big implementation (big-endian CRC calculation). Connected docs show affected packages: FLTK builds for zlib before 1.3.8-1 in CBLMariner, and Cloud Foundry/ALAS advisories link multiple zlib-related CVEs with remediation guidance. The FLTK note sta...

9.8CVSS9.9AI score0.0595EPSS
Total number of security vulnerabilities1898