313 matches found
CVE-2019-0211
CVE-2019-0211 affects Apache HTTP Server 2.4.17–2.4.38 when using MPM event, worker, or prefork. The issue arises from code executing in less-privileged child processes/threads (including in-process scripting interpreters) that could be exploited to run arbitrary code with the privileges of the p...
CVE-2024-6387
CVE-2024-6387 is a remote code-execution vulnerability in OpenSSH’s server (sshd) caused by a race condition in a signal handler that may run after a client fails to authenticate within LoginGraceTime. The issue is exploitable by an unauthenticated, remote attacker on glibc-based Linux systems, p...
CVE-2023-44487
CVE-2023-44487 – HTTP/2 Rapid Reset DoS Root cause: HTTP/2 stream resets can cause servers to continue processing, leading to unbounded resource consumption and potential DoS when clients rapidly cancel streams. What’s affected: Various HTTP/2 implementations and deployments, including servers, p...
CVE-2023-48795
CVE-2023-48795 is referenced across several connected advisories, detailing affected packages and required upgrades. Astra Linux/CBL-Mariner entries note: podman (<5.6.1-2) needs upgrade, erlang (<25.2-1), libssh2 (<1.11.1-1), libssh (<0.10.6-1), terraform (<1.3.2-25), kubevirt (&l...
CVE-2025-26465
The CVE-2025-26465 issue affects OpenSSH when VerifyHostKeyDNS is enabled. A remote attacker could perform a MITM impersonation by abusing error-code handling during host-key verification, with success contingent on exhausting the client’s memory resources. Affected context is OpenSSH implementat...
CVE-2022-4039
CVE-2022-4039 affects Red Hat Single Sign-On for OpenShift container images where an unsecured management interface is enabled. Connected sources describe the flaw as allowing an attacker to use the management interface to deploy malicious code and to access/modify potentially sensitive informati...
CVE-2023-1108
CVE-2023-1108 affects Undertow within Red Hat JBoss EAP 7.3.x (SSLConduit) where an infinite loop on close can cause DoS. Connected RHSA-2025-9583 confirms the issue and indicates a fix in the eap-7.3.z line (Patched Undertow). Remediation is to upgrade to the patched EAP 7.3.x release (eap-7.3.z...
CVE-2023-1260
CVE-2023-1260 describes an authentication bypass in kube-apiserver within Red Hat OpenShift Container Platform, enabling an authenticated user with update/patch rights on pods/ephemeralcontainers to bypass SCC admission restrictions and gain control of a privileged pod. Affected OpenShift version...
CVE-2023-2585
CVE-2023-2585 concerns Keycloak’s Device Authorization Grant, where flawed validation of device_code and client_id could allow a malicious OAuth client to spoof a consent request and trick an admin into granting access to other OAuth clients or cause unauthorized access. Connected sources corrobo...
CVE-2022-1708
CVE-2022-1708 affects CRI-O and causes memory or disk exhaustion on the node when handling large output from ExecSync. The vulnerability arises from CRI-O reading the entire command output after execution, which can exhaust node resources and impact availability. Connected advisories indicate aff...
CVE-2021-3827
CVE-2021-3827 concerns Keycloak where the default ECP binding flow can bypass other authentication flows, enabling an attacker to bypass MFA by sending a SOAP AuthnRequest with an Authorization header containing user credentials. Exploitation affects confidentiality and integrity as described in ...
CVE-2021-4104
CVE-2021-4104 affects JMSAppender in Log4j 1.2 when it is explicitly configured to use JMSAppender. A deserialization of untrusted data can occur if an attacker can write Log4j configuration and supply TopicBindingName and TopicConnectionFactoryBindingName, causing JMSAppender to perform JNDI req...
CVE-2018-1000861
CVE-2018-1000861 affects Jenkins via the Stapler web framework (MetaClass && deserialization), enabling remote code execution. Affected: Jenkins 2.153 and earlier, LTS 2.138.3 and earlier. Root cause: deserialization/IMPACTful method invocation through crafted URLs in stapler/core MetaClass.java ...
CVE-2019-7609
Kibana Timelion Remote Code Execution (CVE-2019-7609): A flaw in Timelion allowed an attacker with access to the Timelion application to send a request that may execute JavaScript code, potentially yielding arbitrary commands with Kibana process privileges on the host. Affected versions are Kiban...
CVE-2021-3560
CVE-2021-3560 – Polkit local privilege escalation : A flaw in polkit allows a local unprivileged process to bypass credential checks for D-Bus requests, enabling privilege escalation to root. Technical details across connected sources show the issue arises when a requesting process disconnects fr...
CVE-2019-9636
CVE-2019-9636 overview Python 2.7.x (up to 2.7.16) and Python 3.x (up to 3.7.2) are affected by improper handling of Unicode encoding during NFKC normalization, exposing information such as cookies and credentials cached for a hostname. The vulnerable components are urllib.parse.urlsplit and urll...
CVE-2019-1003030
CVE-2019-1003030 describes a sandbox bypass in the Jenkins Pipeline: Groovy Plugin, affecting version 2.63 and earlier. The vulnerability arises in the plugin’s sandbox handling, specifically related to the CpsGroovyShell path, enabling an attacker who can control pipeline scripts to execute arbi...
CVE-2019-1003029
CVE-2019-1003029 describes a sandbox bypass in Jenkins Script Security Plugin (versions ≤ 1.53) that lets attackers with Overall/Read permission execute arbitrary code on the Jenkins master JVM. Affected components are in the plugin’s Groovy sandbox: GroovySandbox.java and SecureGroovyScript.java...
CVE-2023-0056
CVE-2023-0056 affects HAProxy and is described in connected advisories as an uncontrolled resource consumption DoS that can crash the service, including a scenario where an authenticated remote attacker could trigger a crafted server in an OpenShift cluster. The issue is associated with HAProxy’s...
CVE-2019-9514
CVE-2019-9514 corresponds to an HTTP/2 vulnerability where an attacker floods a peer by sending HEADERS frames, causing unbounded memory growth and potential DoS. Public details in connected advisories show affected stacks include Go HTTP/2 implementations and Go-based tools, with remediation via...
CVE-2019-2684
CVE-2019-2684 concerns Oracle Java SE and Java SE Embedded, specifically the RMI component. The connected Chainguard entry shows affected packages for OpenJDK builds (openjdk-21/openj9, openjdk-8/openj9, openjdk-11/openj9, openjdk-17/openj9). The initial description identifies affected Oracle Jav...
CVE-2026-31431
CVE-2026-31431 is a local privilege escalation in the Linux kernel’s algif_aead/AF_ALG path. The root cause is an in-place operation bug in the AEAD handling, which can be exercised via AF_ALG sockets with the authencesn algorithm and splice() to corrupt the kernel page cache of readable files wi...
CVE-2019-14287
CVE-2019-14287 affects sudo before 1.8.28. An attacker with a Runas ALL sudoer account can bypass policy blacklists and session PAM modules and cause incorrect logging by invoking sudo with a crafted user ID (example: sudo -u $((0xffffffff))). This corresponds to a local privilege-escalation flaw...
CVE-2018-10237
CVE-2018-10237 affects Google Guava 11.0–24.x before 24.1.1. Unbounded memory allocation occurs during Java serialization of AtomicDoubleArray and GWT serialization of CompoundOrdering, enabling potential denial-of-service via memory exhaustion. Root cause is eager allocation without checks on cl...
CVE-2019-13734
CVE-2019-13734 describes an out-of-bounds write in the SQLite component used by Google Chrome/Chromium, enabling potential heap corruption via a crafted HTML page. Connected advisories confirm this affects Chrome/Chromium’s SQLite usage and note mitigations include updating to Chrome 79.0.3945.79...
CVE-2018-1002105
CVE-2018-1002105 affects Kubernetes: before versions v1.10.11, v1.11.5, and v1.12.3, the kube-apiserver mishandles error responses to proxied upgrade requests. This flaw lets specially crafted requests establish a connection through the API server to backends and then send arbitrary requests over...
CVE-2020-10696
CVE-2020-10696 involves a path traversal flaw in Buildah prior to 1.14.5. The vulnerability could allow an attacker to trick a user building a container image from an HTTP(S) server into writing files to the host file system where the user has permissions. The provided connected docs corroborate ...
CVE-2023-3223
CVE-2023-3223 relates to Undertow: Servlets annotated with @MultipartConfig may cause an OutOfMemoryError from large multipart content, enabling remote DoS. A bypass may occur if fileSizeThreshold limits are configured but the file name in the request is set to null. The Nessus plugin notes an un...
CVE-2019-14835
The CVE-2019-14835 entry describes a buffer overflow in Linux kernel vhost functionality (virtqueue buffers translated to IOVs) during VM live migration. A privileged guest user could pass descriptors with invalid length while migration is underway, potentially causing a host privilege escalation...
CVE-2019-2602
CVE-2019-2602 affects Oracle Java SE and Java SE Embedded Libraries component. Affected: Java SE 7u211, 8u202, 11.0.2, 12; Java SE Embedded 8u201. Root cause per the entry: vulnerability in Libraries that allows an unauthenticated, network-based attacker to cause a hang or frequent crashes (compl...
CVE-2018-12207
CVE-2018-12207 describes an issue where improper invalidation of page-table updates by a privileged guest can cause a Denial of Service on the host on Intel processors. The vulnerability stems from how the guest VM handles translations in the MMU/TLB when paging structures change, potentially exp...
CVE-2019-6974
CVE-2019-6974 affects the Linux kernel KVM subsystem: a race in kvm_ioctl_create_device() mishandles reference counting, enabling a local user with access to /dev/kvm to cause a use-after-free, potentially crashing the guest or escalating privileges. The issue is fixed in kernel 4.20.8 and relate...
CVE-2019-1003000
CVE-2019-1003000 is a sandbox bypass/remote code execution flaw in Jenkins via the Script Security Plugin (and depending on Groovy/Declarative plugins). Affected components include Script Security Plugin versions up to 1.49 and earlier, with vulnerable code in GroovySandbox.java that lets attacke...
CVE-2018-18311
CVE-2018-18311 is a Perl vulnerability describing a buffer overflow caused by crafted regular expressions and an integer/offset issue in Perl’s environment setup (Perl before 5.26.3 and 5.28.x before 5.28.1). Connected advisories show multiple distributions releasing patches and updates to Perl p...
CVE-2019-9515
CVE-2019-9515 concerns an HTTP/2 settings flood that can cause memory/CPU exhaustion. Arista’s security advisory (Security Advisory 0043) states the vulnerability is in Go’s gRPC HTTP/2 usage and can affect TerminAttr, OpenConfig, CVP, and certain Wi‑Fi OpenConfig-enabled components when enabled....
CVE-2019-2698
CVE-2019-2698 affects Oracle Java SE (subcomponent 2D) with affected Java SE versions 7u211 and 8u202; exploitation could allow takeover of Java SE via network access without authentication. CVSSv3.1 base score 8.1. Affected openjdk/openjdk-based packages (e.g., java-1.8.0-openjdk) and Oracle Jav...
CVE-2023-2253
CVE-2023-2253 concerns the /v2/_catalog endpoint in distribution/distribution, where the query parameter n controls the maximum number of records returned. The flaw allows a malicious user to supply an unreasonably large n, potentially triggering allocation of a massive string array and causing m...
CVE-2017-7525
CVE-2017-7525 is a deserialization flaw in jackson-databind enabling code execution via ObjectMapper.readValue on versions before 2.6.7.1, 2.7.9.1, or 2.8.9. Astra Linux notes extend the issue to versions before 2.8.10 and 2.9.1, and newer advisories reference mitigations/updates. Remediation vis...
CVE-2019-7221
CVE-2019-7221 is a Use-after-Free in the KVM implementation of the Linux kernel up to version 4.20.5. The vulnerability concerns KVM VMX preemption timer handling and is locally exploitable with low privileges and no user interaction, potentially affecting confidentiality, integrity, and availabi...
CVE-2024-1132
Keycloak path traversal vulnerability (CVE-2024-1132) arises from improper validation of redirect URLs, enabling an attacker to bypass validation and access other URLs within the domain when a client uses wildcard Valid Redirect URIs. The issue requires user interaction and affects clients with w...
CVE-2019-19921
Technical details about CVE-2019-19921 are not publicly available in the provided Connected documents. The entries reference related advisories, but no concrete affected versions, root cause, or fixes are included here. Monitor for updates.
CVE-2020-27777
The CVE-2020-27777 issue concerns the Linux kernel on PowerPC: RTAS memory accesses in the userspace-to-kernel path allow a local, root-like user on a locked-down guest (Secure Boot) running on PowerVM or KVM/pseries to escalate privileges to the running kernel. Root cause is an improper handling...
CVE-2023-27561
CVE-2023-27561 affects runc; a race condition in volume mounts between two containers with shared mounts can enable an escalation of privileges via libcontainer/rootfs_linux.go. The issue is a regression of CVE-2019-19921 and requires two containers with custom volume-mount configurations and cus...
CVE-2024-0406
CVE-2024-0406 concerns the mholt/archiver package. The connected Nessus/SUSE entries confirm a path-traversal flaw in tar unpacking that can cause writing to restricted files or directories when extracting archives. The remediation path shown in the connected docs includes upgrading the affected ...
CVE-2018-18397
The vulnerability CVE-2018-18397 affects the Linux kernel prior to 4.19.7, where the userfaultfd implementation mishandles access control for certain UFFDIO ioctls (fs/userfaultfd.c and mm/userfaultfd.c). A local attacker with read permissions on a tmpfs file containing holes could write data int...
CVE-2018-14721
CVE-2018-14721 affects FasterXML jackson-databind 2.x up to 2.9.6 (before 2.9.7). The flaw allows remote attackers to perform SSRF by failing to block axis2-jaxws class during polymorphic deserialization, enabling server-side requests under network access. The vulnerability is tied to the misuse ...
CVE-2020-27827
CVE-2020-27827 concerns Open vSwitch where specially crafted LLDP packets can trigger memory allocation issues during handling of optional TLVs, leading to a denial of service and impacting availability. The connected documents provide various advisories (e.g., AlmaLinux, Gentoo GLSA) that refere...
CVE-2021-3669
CVE-2021-3669 is a Linux kernel vulnerability where measuring shared memory usage does not scale with large shared memory segment counts, enabling resource exhaustion and DoS. Connected sources confirm the issue affects multiple kernel versions and distributions, with remediations following vendo...
CVE-2020-10749
The CVE-2020-10749 entry affects containernetworking/plugins versions before 0.8.6, due to improper validation of IPv6 router advertisements that enables man-in-the-middle (MitM) attacks in Kubernetes clusters. A malicious container could redirect traffic by sending rogue IPv6 router advertisemen...
CVE-2018-19361
CVE-2018-19361 is listed in the IBM Cloudera Observability bulletin as affecting Cloudera Observability on Premises 3.5.3, with remediation in 3.6.2. Description from the bulletin notes that FasterXML jackson-databind 2.x before 2.9.8 allows polymorphic deserialization via the openjpa class, yiel...