USN-4058-1 fixed a vulnerability in bash. This update provides
the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.
Original advisory details:
It was discovered that Bash incorrectly handled the restricted shell. An
attacker could possibly use this issue to escape restrictions and execute
any command.
{"nessus": [{"lastseen": "2022-09-04T15:07:02", "description": "This update for bash fixes the following issues: 	 Security issue fixed :\n\n - CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS allowing the user to execute any command with the permissions of the shell (bsc#1130324).\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update project.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-09T00:00:00", "type": "nessus", "title": "openSUSE Security Update : bash (openSUSE-2019-1178)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:bash", "p-cpe:/a:novell:opensuse:bash-debuginfo", "p-cpe:/a:novell:opensuse:bash-debuginfo-32bit", "p-cpe:/a:novell:opensuse:bash-debugsource", "p-cpe:/a:novell:opensuse:bash-devel", "p-cpe:/a:novell:opensuse:bash-lang", "p-cpe:/a:novell:opensuse:bash-loadables", "p-cpe:/a:novell:opensuse:bash-loadables-debuginfo", "p-cpe:/a:novell:opensuse:libreadline6", "p-cpe:/a:novell:opensuse:libreadline6-32bit", "p-cpe:/a:novell:opensuse:libreadline6-debuginfo", "p-cpe:/a:novell:opensuse:libreadline6-debuginfo-32bit", "p-cpe:/a:novell:opensuse:readline-devel", "p-cpe:/a:novell:opensuse:readline-devel-32bit", "cpe:/o:novell:opensuse:42.3"], "id": "OPENSUSE-2019-1178.NASL", "href": "https://www.tenable.com/plugins/nessus/123922", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-1178.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(123922);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2019-9924\");\n\n script_name(english:\"openSUSE Security Update : bash (openSUSE-2019-1178)\");\n script_summary(english:\"Check for the openSUSE-2019-1178 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for bash fixes the following issues: 	 Security issue\nfixed :\n\n - CVE-2019-9924: Fixed a vulnerability in which shell did\n not prevent user BASH_CMDS allowing the user to execute\n any command with the permissions of the shell\n (bsc#1130324).\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1130324\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bash packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-loadables\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-loadables-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:readline-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:readline-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", reference:\"bash-4.3-83.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"bash-debuginfo-4.3-83.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"bash-debugsource-4.3-83.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"bash-devel-4.3-83.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"bash-lang-4.3-83.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"bash-loadables-4.3-83.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"bash-loadables-debuginfo-4.3-83.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libreadline6-6.3-83.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libreadline6-debuginfo-6.3-83.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"readline-devel-6.3-83.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"bash-debuginfo-32bit-4.3-83.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libreadline6-32bit-6.3-83.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libreadline6-debuginfo-32bit-6.3-83.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"readline-devel-32bit-6.3-83.15.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash / bash-debuginfo-32bit / bash-debuginfo / bash-debugsource / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-04T15:07:38", "description": "This update for bash fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS allowing the user to execute any command with the permissions of the shell (bsc#1130324).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-03T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : bash (SUSE-SU-2019:0838-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2021-01-13T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:bash", "p-cpe:/a:novell:suse_linux:bash-debuginfo", "p-cpe:/a:novell:suse_linux:bash-debugsource", "p-cpe:/a:novell:suse_linux:libreadline6", "p-cpe:/a:novell:suse_linux:libreadline6-debuginfo", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2019-0838-1.NASL", "href": "https://www.tenable.com/plugins/nessus/123671", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:0838-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123671);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2019-9924\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : bash (SUSE-SU-2019:0838-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for bash fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2019-9924: Fixed a vulnerability in which shell did not prevent\nuser BASH_CMDS allowing the user to execute any command with the\npermissions of the shell (bsc#1130324).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1130324\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-9924/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20190838-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fa3dba1a\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP4:zypper in -t patch\nSUSE-SLE-WE-12-SP4-2019-838=1\n\nSUSE Linux Enterprise Workstation Extension 12-SP3:zypper in -t patch\nSUSE-SLE-WE-12-SP3-2019-838=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP4:zypper in -t\npatch SUSE-SLE-SDK-12-SP4-2019-838=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t\npatch SUSE-SLE-SDK-12-SP3-2019-838=1\n\nSUSE Linux Enterprise Server 12-SP4:zypper in -t patch\nSUSE-SLE-SERVER-12-SP4-2019-838=1\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2019-838=1\n\nSUSE Linux Enterprise Desktop 12-SP4:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP4-2019-838=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2019-838=1\n\nSUSE CaaS Platform ALL :\n\nTo install this update, use the SUSE CaaS Platform Velum dashboard. It\nwill inform you if it detects new updates and let you then trigger\nupdating of the complete cluster in a controlled way.\n\nSUSE CaaS Platform 3.0 :\n\nTo install this update, use the SUSE CaaS Platform Velum dashboard. It\nwill inform you if it detects new updates and let you then trigger\nupdating of the complete cluster in a controlled way.\n\nOpenStack Cloud Magnum Orchestration 7:zypper in -t patch\nSUSE-OpenStack-Cloud-Magnum-Orchestration-7-2019-838=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bash-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bash-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreadline6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreadline6-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(3|4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3/4\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(3|4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP3/4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"bash-4.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"bash-debuginfo-4.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"bash-debugsource-4.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libreadline6-32bit-6.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libreadline6-6.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libreadline6-debuginfo-32bit-6.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libreadline6-debuginfo-6.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"bash-4.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"bash-debuginfo-4.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"bash-debugsource-4.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libreadline6-32bit-6.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libreadline6-6.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libreadline6-debuginfo-32bit-6.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libreadline6-debuginfo-6.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"bash-4.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"bash-debuginfo-4.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"bash-debugsource-4.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libreadline6-32bit-6.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libreadline6-6.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libreadline6-debuginfo-32bit-6.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libreadline6-debuginfo-6.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"bash-4.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"bash-debuginfo-4.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"bash-debugsource-4.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreadline6-32bit-6.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreadline6-6.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreadline6-debuginfo-32bit-6.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreadline6-debuginfo-6.3-83.23.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-04T15:08:18", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:3474 advisory.\n\n - bash: BASH_CMD is writable in restricted bash shells (CVE-2019-9924)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-08-18T00:00:00", "type": "nessus", "title": "RHEL 7 : bash (RHSA-2020:3474)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2021-10-12T00:00:00", "cpe": ["cpe:/o:redhat:rhel_aus:7.6", "cpe:/o:redhat:rhel_e4s:7.6", "cpe:/o:redhat:rhel_eus:7.6", "cpe:/o:redhat:rhel_tus:7.6", "p-cpe:/a:redhat:enterprise_linux:bash", "p-cpe:/a:redhat:enterprise_linux:bash-doc"], "id": "REDHAT-RHSA-2020-3474.NASL", "href": "https://www.tenable.com/plugins/nessus/139670", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:3474. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139670);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/12\");\n\n script_cve_id(\"CVE-2019-9924\");\n script_bugtraq_id(109277);\n script_xref(name:\"RHSA\", value:\"2020:3474\");\n\n script_name(english:\"RHEL 7 : bash (RHSA-2020:3474)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2020:3474 advisory.\n\n - bash: BASH_CMD is writable in restricted bash shells (CVE-2019-9924)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/138.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-9924\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:3474\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1691774\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash and / or bash-doc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9924\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(138);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bash-doc\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '7.6')) audit(AUDIT_OS_NOT, 'Red Hat 7.6', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'rhel_aus_7_6_server': [\n 'rhel-7-server-aus-debug-rpms',\n 'rhel-7-server-aus-debug-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-aus-optional-debug-rpms',\n 'rhel-7-server-aus-optional-debug-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-aus-optional-rpms',\n 'rhel-7-server-aus-optional-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-aus-optional-source-rpms',\n 'rhel-7-server-aus-optional-source-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-aus-rpms',\n 'rhel-7-server-aus-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-aus-source-rpms',\n 'rhel-7-server-aus-source-rpms__7_DOT_6__x86_64'\n ],\n 'rhel_e4s_7_6_server': [\n 'rhel-7-server-aus-debug-rpms',\n 'rhel-7-server-aus-optional-debug-rpms',\n 'rhel-7-server-aus-optional-rpms',\n 'rhel-7-server-aus-optional-source-rpms',\n 'rhel-7-server-aus-rpms',\n 'rhel-7-server-aus-source-rpms',\n 'rhel-7-server-e4s-debug-rpms',\n 'rhel-7-server-e4s-debug-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-e4s-optional-debug-rpms',\n 'rhel-7-server-e4s-optional-debug-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-e4s-optional-debug-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-e4s-optional-rpms',\n 'rhel-7-server-e4s-optional-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-e4s-optional-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-e4s-optional-source-rpms',\n 'rhel-7-server-e4s-optional-source-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-e4s-optional-source-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-e4s-rpms',\n 'rhel-7-server-e4s-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-e4s-source-rpms',\n 'rhel-7-server-e4s-source-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-tus-debug-rpms',\n 'rhel-7-server-tus-optional-debug-rpms',\n 'rhel-7-server-tus-optional-rpms',\n 'rhel-7-server-tus-optional-source-rpms',\n 'rhel-7-server-tus-source-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-debug-rpms__7_DOT_6__x86_64',\n 'rhel-ha-for-rhel-7-server-e4s-debug-rpms__7_DOT_7__x86_64',\n 'rhel-ha-for-rhel-7-server-e4s-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-rpms__7_DOT_6__x86_64',\n 'rhel-ha-for-rhel-7-server-e4s-rpms__7_DOT_7__x86_64',\n 'rhel-ha-for-rhel-7-server-e4s-source-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-source-rpms__7_DOT_6__x86_64',\n 'rhel-ha-for-rhel-7-server-e4s-source-rpms__7_DOT_7__x86_64'\n ],\n 'rhel_eus_7_6_computenode': [\n 'rhel-7-hpc-node-eus-debug-rpms',\n 'rhel-7-hpc-node-eus-debug-rpms__7_DOT_6__x86_64',\n 'rhel-7-hpc-node-eus-optional-debug-rpms',\n 'rhel-7-hpc-node-eus-optional-debug-rpms__7_DOT_6__x86_64',\n 'rhel-7-hpc-node-eus-optional-rpms',\n 'rhel-7-hpc-node-eus-optional-rpms__7_DOT_6__x86_64',\n 'rhel-7-hpc-node-eus-optional-source-rpms',\n 'rhel-7-hpc-node-eus-optional-source-rpms__7_DOT_6__x86_64',\n 'rhel-7-hpc-node-eus-rpms',\n 'rhel-7-hpc-node-eus-rpms__7_DOT_6__x86_64',\n 'rhel-7-hpc-node-eus-source-rpms',\n 'rhel-7-hpc-node-eus-source-rpms__7_DOT_6__x86_64'\n ],\n 'rhel_eus_7_6_server': [\n 'rhel-7-for-system-z-a-debug-rpms',\n 'rhel-7-for-system-z-a-optional-debug-rpms',\n 'rhel-7-for-system-z-a-optional-rpms',\n 'rhel-7-for-system-z-a-optional-source-rpms',\n 'rhel-7-for-system-z-a-rpms',\n 'rhel-7-for-system-z-a-source-rpms',\n 'rhel-7-for-system-z-eus-debug-rpms',\n 'rhel-7-for-system-z-eus-debug-rpms__7_DOT_6__s390x',\n 'rhel-7-for-system-z-eus-optional-debug-rpms',\n 'rhel-7-for-system-z-eus-optional-debug-rpms__7_DOT_6__s390x',\n 'rhel-7-for-system-z-eus-optional-rpms',\n 'rhel-7-for-system-z-eus-optional-rpms__7_DOT_6__s390x',\n 'rhel-7-for-system-z-eus-optional-source-rpms',\n 'rhel-7-for-system-z-eus-optional-source-rpms__7_DOT_6__s390x',\n 'rhel-7-for-system-z-eus-rpms',\n 'rhel-7-for-system-z-eus-rpms__7_DOT_6__s390x',\n 'rhel-7-for-system-z-eus-source-rpms',\n 'rhel-7-for-system-z-eus-source-rpms__7_DOT_6__s390x',\n 'rhel-7-server-aus-debug-rpms',\n 'rhel-7-server-aus-optional-debug-rpms',\n 'rhel-7-server-aus-optional-rpms',\n 'rhel-7-server-aus-optional-source-rpms',\n 'rhel-7-server-aus-rpms',\n 'rhel-7-server-aus-source-rpms',\n 'rhel-7-server-e4s-debug-rpms',\n 'rhel-7-server-e4s-optional-debug-rpms',\n 'rhel-7-server-e4s-optional-rpms',\n 'rhel-7-server-e4s-optional-source-rpms',\n 'rhel-7-server-e4s-rpms',\n 'rhel-7-server-e4s-source-rpms',\n 'rhel-7-server-eus-debug-rpms',\n 'rhel-7-server-eus-debug-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-eus-optional-debug-rpms',\n 'rhel-7-server-eus-optional-debug-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-eus-optional-rpms',\n 'rhel-7-server-eus-optional-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-eus-optional-source-rpms',\n 'rhel-7-server-eus-optional-source-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-eus-rpms',\n 'rhel-7-server-eus-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-eus-source-rpms',\n 'rhel-7-server-eus-source-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-tus-debug-rpms',\n 'rhel-7-server-tus-optional-debug-rpms',\n 'rhel-7-server-tus-optional-rpms',\n 'rhel-7-server-tus-optional-source-rpms',\n 'rhel-7-server-tus-rpms',\n 'rhel-7-server-tus-source-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-source-rpms',\n 'rhel-ha-for-rhel-7-server-eus-debug-rpms',\n 'rhel-ha-for-rhel-7-server-eus-debug-rpms__7_DOT_6__x86_64',\n 'rhel-ha-for-rhel-7-server-eus-rpms',\n 'rhel-ha-for-rhel-7-server-eus-rpms__7_DOT_6__x86_64',\n 'rhel-ha-for-rhel-7-server-eus-source-rpms',\n 'rhel-ha-for-rhel-7-server-eus-source-rpms__7_DOT_6__x86_64',\n 'rhel-ha-for-rhel-7-server-tus-debug-rpms',\n 'rhel-ha-for-rhel-7-server-tus-rpms',\n 'rhel-ha-for-rhel-7-server-tus-source-rpms',\n 'rhel-rs-for-rhel-7-server-eus-debug-rpms',\n 'rhel-rs-for-rhel-7-server-eus-debug-rpms__7_DOT_6__x86_64',\n 'rhel-rs-for-rhel-7-server-eus-rpms',\n 'rhel-rs-for-rhel-7-server-eus-rpms__7_DOT_6__x86_64',\n 'rhel-rs-for-rhel-7-server-eus-source-rpms',\n 'rhel-rs-for-rhel-7-server-eus-source-rpms__7_DOT_6__x86_64'\n ],\n 'rhel_extras_sap_e4s_7_6': [\n 'rhel-sap-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-debug-rpms__7_DOT_6__x86_64',\n 'rhel-sap-for-rhel-7-server-e4s-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-rpms__7_DOT_6__x86_64',\n 'rhel-sap-for-rhel-7-server-e4s-source-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-source-rpms__7_DOT_6__x86_64'\n ],\n 'rhel_extras_sap_eus_7_6': [\n 'rhel-sap-for-rhel-7-for-system-z-eus-debug-rpms',\n 'rhel-sap-for-rhel-7-for-system-z-eus-debug-rpms__7_DOT_6__s390x',\n 'rhel-sap-for-rhel-7-for-system-z-eus-rpms',\n 'rhel-sap-for-rhel-7-for-system-z-eus-rpms__7_DOT_6__s390x',\n 'rhel-sap-for-rhel-7-for-system-z-eus-source-rpms',\n 'rhel-sap-for-rhel-7-for-system-z-eus-source-rpms__7_DOT_6__s390x',\n 'rhel-sap-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-source-rpms',\n 'rhel-sap-for-rhel-7-server-eus-debug-rpms',\n 'rhel-sap-for-rhel-7-server-eus-debug-rpms__7_DOT_6__x86_64',\n 'rhel-sap-for-rhel-7-server-eus-rpms',\n 'rhel-sap-for-rhel-7-server-eus-rpms__7_DOT_6__x86_64',\n 'rhel-sap-for-rhel-7-server-eus-source-rpms',\n 'rhel-sap-for-rhel-7-server-eus-source-rpms__7_DOT_6__x86_64'\n ],\n 'rhel_extras_sap_hana_e4s_7_6': [\n 'rhel-sap-hana-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-debug-rpms__7_DOT_6__x86_64',\n 'rhel-sap-hana-for-rhel-7-server-e4s-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-rpms__7_DOT_6__x86_64',\n 'rhel-sap-hana-for-rhel-7-server-e4s-source-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-source-rpms__7_DOT_6__x86_64'\n ],\n 'rhel_extras_sap_hana_eus_7_6': [\n 'rhel-sap-hana-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-source-rpms',\n 'rhel-sap-hana-for-rhel-7-server-eus-debug-rpms',\n 'rhel-sap-hana-for-rhel-7-server-eus-debug-rpms__7_DOT_6__x86_64',\n 'rhel-sap-hana-for-rhel-7-server-eus-rpms',\n 'rhel-sap-hana-for-rhel-7-server-eus-rpms__7_DOT_6__x86_64',\n 'rhel-sap-hana-for-rhel-7-server-eus-source-rpms',\n 'rhel-sap-hana-for-rhel-7-server-eus-source-rpms__7_DOT_6__x86_64'\n ],\n 'rhel_tus_7_6_server': [\n 'rhel-7-server-tus-debug-rpms',\n 'rhel-7-server-tus-debug-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-tus-optional-debug-rpms',\n 'rhel-7-server-tus-optional-debug-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-tus-optional-rpms',\n 'rhel-7-server-tus-optional-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-tus-optional-source-rpms',\n 'rhel-7-server-tus-optional-source-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-tus-rpms',\n 'rhel-7-server-tus-rpms__7_DOT_6__x86_64',\n 'rhel-7-server-tus-source-rpms',\n 'rhel-7-server-tus-source-rpms__7_DOT_6__x86_64',\n 'rhel-ha-for-rhel-7-server-tus-debug-rpms',\n 'rhel-ha-for-rhel-7-server-tus-debug-rpms__7_DOT_6__x86_64',\n 'rhel-ha-for-rhel-7-server-tus-rpms',\n 'rhel-ha-for-rhel-7-server-tus-rpms__7_DOT_6__x86_64',\n 'rhel-ha-for-rhel-7-server-tus-source-rpms',\n 'rhel-ha-for-rhel-7-server-tus-source-rpms__7_DOT_6__x86_64'\n ]\n};\n\nvar repo_sets = rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nvar pkgs = [\n {'reference':'bash-4.2.46-32.el7_6', 'sp':'6', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_aus_7_6_server', 'rhel_e4s_7_6_server', 'rhel_eus_7_6_computenode', 'rhel_eus_7_6_server', 'rhel_extras_sap_e4s_7_6', 'rhel_extras_sap_eus_7_6', 'rhel_extras_sap_hana_e4s_7_6', 'rhel_extras_sap_hana_eus_7_6', 'rhel_tus_7_6_server']},\n {'reference':'bash-4.2.46-32.el7_6', 'sp':'6', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_aus_7_6_server', 'rhel_e4s_7_6_server', 'rhel_eus_7_6_computenode', 'rhel_eus_7_6_server', 'rhel_extras_sap_e4s_7_6', 'rhel_extras_sap_eus_7_6', 'rhel_extras_sap_hana_e4s_7_6', 'rhel_extras_sap_hana_eus_7_6', 'rhel_tus_7_6_server']},\n {'reference':'bash-doc-4.2.46-32.el7_6', 'sp':'6', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_aus_7_6_server', 'rhel_e4s_7_6_server', 'rhel_eus_7_6_computenode', 'rhel_eus_7_6_server', 'rhel_extras_sap_e4s_7_6', 'rhel_extras_sap_eus_7_6', 'rhel_extras_sap_hana_e4s_7_6', 'rhel_extras_sap_hana_eus_7_6', 'rhel_tus_7_6_server']},\n {'reference':'bash-doc-4.2.46-32.el7_6', 'sp':'6', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_aus_7_6_server', 'rhel_e4s_7_6_server', 'rhel_eus_7_6_computenode', 'rhel_eus_7_6_server', 'rhel_extras_sap_e4s_7_6', 'rhel_extras_sap_eus_7_6', 'rhel_extras_sap_hana_e4s_7_6', 'rhel_extras_sap_hana_eus_7_6', 'rhel_tus_7_6_server']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var subscription_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in the Red Hat Enterprise Linux\\n' +\n 'Advanced Update Support, Extended Update Support, Telco Extended Update Support or Update Services for SAP Solutions repositories.\\n' +\n 'Access to these repositories requires a paid RHEL subscription.\\n';\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = subscription_caveat + rpm_report_get() + redhat_report_repo_caveat();\n else extra = subscription_caveat + rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bash / bash-doc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-04T15:07:53", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:3592 advisory.\n\n - bash: BASH_CMD is writable in restricted bash shells (CVE-2019-9924)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-09-01T00:00:00", "type": "nessus", "title": "RHEL 7 : bash (RHSA-2020:3592)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2021-10-28T00:00:00", "cpe": ["cpe:/o:redhat:rhel_aus:7.7", "cpe:/o:redhat:rhel_e4s:7.7", "cpe:/o:redhat:rhel_eus:7.7", "cpe:/o:redhat:rhel_tus:7.7", "p-cpe:/a:redhat:enterprise_linux:bash", "p-cpe:/a:redhat:enterprise_linux:bash-doc"], "id": "REDHAT-RHSA-2020-3592.NASL", "href": "https://www.tenable.com/plugins/nessus/140120", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:3592. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140120);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/28\");\n\n script_cve_id(\"CVE-2019-9924\");\n script_bugtraq_id(109277);\n script_xref(name:\"RHSA\", value:\"2020:3592\");\n\n script_name(english:\"RHEL 7 : bash (RHSA-2020:3592)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2020:3592 advisory.\n\n - bash: BASH_CMD is writable in restricted bash shells (CVE-2019-9924)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/138.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-9924\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:3592\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1691774\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash and / or bash-doc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9924\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(138);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:7.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:7.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:7.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:7.7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bash-doc\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '7.7')) audit(AUDIT_OS_NOT, 'Red Hat 7.7', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'rhel_aus_7_7_server': [\n 'rhel-7-server-aus-debug-rpms',\n 'rhel-7-server-aus-debug-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-aus-optional-debug-rpms',\n 'rhel-7-server-aus-optional-debug-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-aus-optional-rpms',\n 'rhel-7-server-aus-optional-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-aus-optional-source-rpms',\n 'rhel-7-server-aus-optional-source-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-aus-rpms',\n 'rhel-7-server-aus-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-aus-source-rpms',\n 'rhel-7-server-aus-source-rpms__7_DOT_7__x86_64'\n ],\n 'rhel_e4s_7_7_server': [\n 'rhel-7-server-aus-debug-rpms',\n 'rhel-7-server-aus-optional-debug-rpms',\n 'rhel-7-server-aus-optional-rpms',\n 'rhel-7-server-aus-optional-source-rpms',\n 'rhel-7-server-aus-rpms',\n 'rhel-7-server-aus-source-rpms',\n 'rhel-7-server-e4s-debug-rpms',\n 'rhel-7-server-e4s-debug-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-e4s-optional-debug-rpms',\n 'rhel-7-server-e4s-optional-debug-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-e4s-optional-rpms',\n 'rhel-7-server-e4s-optional-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-e4s-optional-source-rpms',\n 'rhel-7-server-e4s-optional-source-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-e4s-rpms',\n 'rhel-7-server-e4s-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-e4s-source-rpms',\n 'rhel-7-server-e4s-source-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-tus-debug-rpms',\n 'rhel-7-server-tus-optional-debug-rpms',\n 'rhel-7-server-tus-optional-rpms',\n 'rhel-7-server-tus-optional-source-rpms',\n 'rhel-7-server-tus-rpms',\n 'rhel-7-server-tus-source-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-debug-rpms__7_DOT_7__x86_64',\n 'rhel-ha-for-rhel-7-server-e4s-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-rpms__7_DOT_7__x86_64',\n 'rhel-ha-for-rhel-7-server-e4s-source-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-source-rpms__7_DOT_7__x86_64'\n ],\n 'rhel_eus_7_7_computenode': [\n 'rhel-7-hpc-node-eus-debug-rpms',\n 'rhel-7-hpc-node-eus-debug-rpms__7_DOT_7__x86_64',\n 'rhel-7-hpc-node-eus-optional-debug-rpms',\n 'rhel-7-hpc-node-eus-optional-debug-rpms__7_DOT_7__x86_64',\n 'rhel-7-hpc-node-eus-optional-rpms',\n 'rhel-7-hpc-node-eus-optional-rpms__7_DOT_7__x86_64',\n 'rhel-7-hpc-node-eus-optional-source-rpms',\n 'rhel-7-hpc-node-eus-optional-source-rpms__7_DOT_7__x86_64',\n 'rhel-7-hpc-node-eus-rpms',\n 'rhel-7-hpc-node-eus-rpms__7_DOT_7__x86_64',\n 'rhel-7-hpc-node-eus-source-rpms',\n 'rhel-7-hpc-node-eus-source-rpms__7_DOT_7__x86_64'\n ],\n 'rhel_eus_7_7_server': [\n 'rhel-7-for-system-z-eus-debug-rpms',\n 'rhel-7-for-system-z-eus-debug-rpms__7_DOT_7__s390x',\n 'rhel-7-for-system-z-eus-optional-debug-rpms',\n 'rhel-7-for-system-z-eus-optional-debug-rpms__7_DOT_7__s390x',\n 'rhel-7-for-system-z-eus-optional-rpms',\n 'rhel-7-for-system-z-eus-optional-rpms__7_DOT_7__s390x',\n 'rhel-7-for-system-z-eus-optional-source-rpms',\n 'rhel-7-for-system-z-eus-optional-source-rpms__7_DOT_7__s390x',\n 'rhel-7-for-system-z-eus-rpms',\n 'rhel-7-for-system-z-eus-rpms__7_DOT_7__s390x',\n 'rhel-7-for-system-z-eus-source-rpms',\n 'rhel-7-for-system-z-eus-source-rpms__7_DOT_7__s390x',\n 'rhel-7-server-aus-debug-rpms',\n 'rhel-7-server-aus-optional-debug-rpms',\n 'rhel-7-server-aus-optional-rpms',\n 'rhel-7-server-aus-optional-source-rpms',\n 'rhel-7-server-aus-rpms',\n 'rhel-7-server-aus-source-rpms',\n 'rhel-7-server-e4s-debug-rpms',\n 'rhel-7-server-e4s-optional-debug-rpms',\n 'rhel-7-server-e4s-optional-rpms',\n 'rhel-7-server-e4s-optional-source-rpms',\n 'rhel-7-server-e4s-rpms',\n 'rhel-7-server-e4s-source-rpms',\n 'rhel-7-server-eus-debug-rpms',\n 'rhel-7-server-eus-debug-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-eus-optional-debug-rpms',\n 'rhel-7-server-eus-optional-debug-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-eus-optional-rpms',\n 'rhel-7-server-eus-optional-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-eus-optional-source-rpms',\n 'rhel-7-server-eus-optional-source-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-eus-rpms',\n 'rhel-7-server-eus-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-eus-source-rpms',\n 'rhel-7-server-eus-source-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-tus-debug-rpms',\n 'rhel-7-server-tus-optional-debug-rpms',\n 'rhel-7-server-tus-optional-rpms',\n 'rhel-7-server-tus-optional-source-rpms',\n 'rhel-7-server-tus-rpms',\n 'rhel-7-server-tus-source-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-source-rpms',\n 'rhel-ha-for-rhel-7-server-eus-debug-rpms',\n 'rhel-ha-for-rhel-7-server-eus-debug-rpms__7_DOT_7__x86_64',\n 'rhel-ha-for-rhel-7-server-eus-rpms',\n 'rhel-ha-for-rhel-7-server-eus-rpms__7_DOT_7__x86_64',\n 'rhel-ha-for-rhel-7-server-eus-source-rpms',\n 'rhel-ha-for-rhel-7-server-eus-source-rpms__7_DOT_7__x86_64',\n 'rhel-ha-for-rhel-7-server-tus-debug-rpms',\n 'rhel-ha-for-rhel-7-server-tus-rpms',\n 'rhel-ha-for-rhel-7-server-tus-source-rpms',\n 'rhel-rs-for-rhel-7-server-eus-debug-rpms',\n 'rhel-rs-for-rhel-7-server-eus-debug-rpms__7_DOT_7__x86_64',\n 'rhel-rs-for-rhel-7-server-eus-rpms',\n 'rhel-rs-for-rhel-7-server-eus-rpms__7_DOT_7__x86_64',\n 'rhel-rs-for-rhel-7-server-eus-source-rpms',\n 'rhel-rs-for-rhel-7-server-eus-source-rpms__7_DOT_7__x86_64'\n ],\n 'rhel_extras_sap_e4s_7_7': [\n 'rhel-sap-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-debug-rpms__7_DOT_7__x86_64',\n 'rhel-sap-for-rhel-7-server-e4s-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-rpms__7_DOT_7__x86_64',\n 'rhel-sap-for-rhel-7-server-e4s-source-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-source-rpms__7_DOT_7__x86_64'\n ],\n 'rhel_extras_sap_eus_7_7': [\n 'rhel-sap-for-rhel-7-for-system-z-eus-debug-rpms',\n 'rhel-sap-for-rhel-7-for-system-z-eus-debug-rpms__7_DOT_7__s390x',\n 'rhel-sap-for-rhel-7-for-system-z-eus-rpms',\n 'rhel-sap-for-rhel-7-for-system-z-eus-rpms__7_DOT_7__s390x',\n 'rhel-sap-for-rhel-7-for-system-z-eus-source-rpms',\n 'rhel-sap-for-rhel-7-for-system-z-eus-source-rpms__7_DOT_7__s390x',\n 'rhel-sap-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-source-rpms',\n 'rhel-sap-for-rhel-7-server-eus-debug-rpms',\n 'rhel-sap-for-rhel-7-server-eus-debug-rpms__7_DOT_7__x86_64',\n 'rhel-sap-for-rhel-7-server-eus-rpms',\n 'rhel-sap-for-rhel-7-server-eus-rpms__7_DOT_7__x86_64',\n 'rhel-sap-for-rhel-7-server-eus-source-rpms',\n 'rhel-sap-for-rhel-7-server-eus-source-rpms__7_DOT_7__x86_64'\n ],\n 'rhel_extras_sap_hana_e4s_7_7': [\n 'rhel-sap-hana-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-debug-rpms__7_DOT_7__x86_64',\n 'rhel-sap-hana-for-rhel-7-server-e4s-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-rpms__7_DOT_7__x86_64',\n 'rhel-sap-hana-for-rhel-7-server-e4s-source-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-source-rpms__7_DOT_7__x86_64'\n ],\n 'rhel_extras_sap_hana_eus_7_7': [\n 'rhel-sap-hana-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-source-rpms',\n 'rhel-sap-hana-for-rhel-7-server-eus-debug-rpms',\n 'rhel-sap-hana-for-rhel-7-server-eus-debug-rpms__7_DOT_7__x86_64',\n 'rhel-sap-hana-for-rhel-7-server-eus-rpms',\n 'rhel-sap-hana-for-rhel-7-server-eus-rpms__7_DOT_7__x86_64',\n 'rhel-sap-hana-for-rhel-7-server-eus-source-rpms',\n 'rhel-sap-hana-for-rhel-7-server-eus-source-rpms__7_DOT_7__x86_64'\n ],\n 'rhel_tus_7_7_server': [\n 'rhel-7-server-tus-debug-rpms',\n 'rhel-7-server-tus-debug-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-tus-optional-debug-rpms',\n 'rhel-7-server-tus-optional-debug-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-tus-optional-rpms',\n 'rhel-7-server-tus-optional-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-tus-optional-source-rpms',\n 'rhel-7-server-tus-optional-source-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-tus-rpms',\n 'rhel-7-server-tus-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-tus-source-rpms',\n 'rhel-7-server-tus-source-rpms__7_DOT_7__x86_64',\n 'rhel-ha-for-rhel-7-server-tus-debug-rpms',\n 'rhel-ha-for-rhel-7-server-tus-debug-rpms__7_DOT_7__x86_64',\n 'rhel-ha-for-rhel-7-server-tus-rpms',\n 'rhel-ha-for-rhel-7-server-tus-rpms__7_DOT_7__x86_64',\n 'rhel-ha-for-rhel-7-server-tus-source-rpms',\n 'rhel-ha-for-rhel-7-server-tus-source-rpms__7_DOT_7__x86_64'\n ]\n};\n\nvar repo_sets = rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nvar pkgs = [\n {'reference':'bash-4.2.46-34.el7_7', 'sp':'7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_aus_7_7_server', 'rhel_e4s_7_7_server', 'rhel_eus_7_7_computenode', 'rhel_eus_7_7_server', 'rhel_extras_sap_e4s_7_7', 'rhel_extras_sap_eus_7_7', 'rhel_extras_sap_hana_e4s_7_7', 'rhel_extras_sap_hana_eus_7_7', 'rhel_tus_7_7_server']},\n {'reference':'bash-4.2.46-34.el7_7', 'sp':'7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_aus_7_7_server', 'rhel_e4s_7_7_server', 'rhel_eus_7_7_computenode', 'rhel_eus_7_7_server', 'rhel_extras_sap_e4s_7_7', 'rhel_extras_sap_eus_7_7', 'rhel_extras_sap_hana_e4s_7_7', 'rhel_extras_sap_hana_eus_7_7', 'rhel_tus_7_7_server']},\n {'reference':'bash-doc-4.2.46-34.el7_7', 'sp':'7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_aus_7_7_server', 'rhel_e4s_7_7_server', 'rhel_eus_7_7_computenode', 'rhel_eus_7_7_server', 'rhel_extras_sap_e4s_7_7', 'rhel_extras_sap_eus_7_7', 'rhel_extras_sap_hana_e4s_7_7', 'rhel_extras_sap_hana_eus_7_7', 'rhel_tus_7_7_server']},\n {'reference':'bash-doc-4.2.46-34.el7_7', 'sp':'7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_aus_7_7_server', 'rhel_e4s_7_7_server', 'rhel_eus_7_7_computenode', 'rhel_eus_7_7_server', 'rhel_extras_sap_e4s_7_7', 'rhel_extras_sap_eus_7_7', 'rhel_extras_sap_hana_e4s_7_7', 'rhel_extras_sap_hana_eus_7_7', 'rhel_tus_7_7_server']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var subscription_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in the Red Hat Enterprise Linux\\n' +\n 'Advanced Update Support, Extended Update Support, Telco Extended Update Support or Update Services for SAP Solutions repositories.\\n' +\n 'Access to these repositories requires a paid RHEL subscription.\\n';\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = subscription_caveat + rpm_report_get() + redhat_report_repo_caveat();\n else extra = subscription_caveat + rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bash / bash-doc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-04T15:06:41", "description": "rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell. (CVE-2019-9924)", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-02T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : bash (ALAS-2020-1379)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2020-07-06T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:bash", "p-cpe:/a:amazon:linux:bash-debuginfo", "p-cpe:/a:amazon:linux:bash-doc", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2020-1379.NASL", "href": "https://www.tenable.com/plugins/nessus/138052", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2020-1379.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138052);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/06\");\n\n script_cve_id(\"CVE-2019-9924\");\n script_xref(name:\"ALAS\", value:\"2020-1379\");\n\n script_name(english:\"Amazon Linux AMI : bash (ALAS-2020-1379)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"rbash in Bash before 4.4-beta2 did not prevent the shell user from\nmodifying BASH_CMDS, thus allowing the user to execute any command\nwith the permissions of the shell. (CVE-2019-9924)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2020-1379.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Run 'yum update bash' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bash-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bash-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"bash-4.2.46-34.43.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"bash-debuginfo-4.2.46-34.43.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"bash-doc-4.2.46-34.43.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash / bash-debuginfo / bash-doc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-04T15:02:52", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1113 advisory.\n\n - bash: BASH_CMD is writable in restricted bash shells (CVE-2019-9924)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-04-10T00:00:00", "type": "nessus", "title": "CentOS 7 : bash (CESA-2020:1113)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2020-06-05T00:00:00", "cpe": ["p-cpe:/a:centos:centos:bash", "p-cpe:/a:centos:centos:bash-doc", "cpe:/o:centos:centos:7"], "id": "CENTOS_RHSA-2020-1113.NASL", "href": "https://www.tenable.com/plugins/nessus/135339", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2020:1113 and \n# CentOS Errata and Security Advisory 2020:1113 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(135339);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/05\");\n\n script_cve_id(\"CVE-2019-9924\");\n script_xref(name:\"RHSA\", value:\"2020:1113\");\n\n script_name(english:\"CentOS 7 : bash (CESA-2020:1113)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2020:1113 advisory.\n\n - bash: BASH_CMD is writable in restricted bash shells\n (CVE-2019-9924)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\"\n );\n # https://lists.centos.org/pipermail/centos-cr-announce/2020-April/012412.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?da81d42f\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bash packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9924\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:bash-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"bash-4.2.46-34.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"bash-doc-4.2.46-34.el7\")) flag++;\n\n\nif (flag)\n{\n cr_plugin_caveat = '\\n' +\n 'NOTE: The security advisory associated with this vulnerability has a\\n' +\n 'fixed package version that may only be available in the continuous\\n' +\n 'release (CR) repository for CentOS, until it is present in the next\\n' +\n 'point release of CentOS.\\n\\n' +\n\n 'If an equal or higher package level does not exist in the baseline\\n' +\n 'repository for your major version of CentOS, then updates from the CR\\n' +\n 'repository will need to be applied in order to address the\\n' +\n 'vulnerability.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + cr_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash / bash-doc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-14T15:17:19", "description": "The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has bash packages installed that are affected by a vulnerability:\n\n - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell. (CVE-2019-9924)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-12-09T00:00:00", "type": "nessus", "title": "NewStart CGSL CORE 5.05 / MAIN 5.05 : bash Vulnerability (NS-SA-2020-0101)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2020-12-10T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2020-0101_BASH.NASL", "href": "https://www.tenable.com/plugins/nessus/143950", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2020-0101. The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143950);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/10\");\n\n script_cve_id(\"CVE-2019-9924\");\n script_bugtraq_id(109277);\n\n script_name(english:\"NewStart CGSL CORE 5.05 / MAIN 5.05 : bash Vulnerability (NS-SA-2020-0101)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has bash packages installed that are affected by a\nvulnerability:\n\n - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the\n user to execute any command with the permissions of the shell. (CVE-2019-9924)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2020-0101\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL bash packages. Note that updated packages may not be available yet. Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9924\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL CORE 5.05\" &&\n release !~ \"CGSL MAIN 5.05\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nflag = 0;\n\npkgs = {\n 'CGSL CORE 5.05': [\n 'bash-4.2.46-34.el7.cgslv5_5.0.1.g97b8dcb.lite',\n 'bash-debuginfo-4.2.46-34.el7.cgslv5_5.0.1.g97b8dcb.lite',\n 'bash-doc-4.2.46-34.el7.cgslv5_5.0.1.g97b8dcb.lite',\n 'bash-lang-4.2.46-34.el7.cgslv5_5.0.1.g97b8dcb.lite'\n ],\n 'CGSL MAIN 5.05': [\n 'bash-4.2.46-34.el7.cgslv5_5',\n 'bash-debuginfo-4.2.46-34.el7.cgslv5_5',\n 'bash-doc-4.2.46-34.el7.cgslv5_5'\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bash');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:22:53", "description": "According to the version of the bash package installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.(CVE-2019-9924)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-29T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP2 : bash (EulerOS-SA-2019-1563)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:bash", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-1563.NASL", "href": "https://www.tenable.com/plugins/nessus/125490", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(125490);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2019-9924\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : bash (EulerOS-SA-2019-1563)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the bash package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - rbash in Bash before 4.4-beta2 did not prevent the\n shell user from modifying BASH_CMDS, thus allowing the\n user to execute any command with the permissions of the\n shell.(CVE-2019-9924)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1563\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?690cd50f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"bash-4.2.46-28.h3\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:22:37", "description": "An update of the bash package has been released.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-14T00:00:00", "type": "nessus", "title": "Photon OS 1.0: Bash PHSA-2019-1.0-0229", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2020-01-16T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:bash", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2019-1_0-0229_BASH.NASL", "href": "https://www.tenable.com/plugins/nessus/124869", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2019-1.0-0229. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124869);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2020/01/16\");\n\n script_cve_id(\"CVE-2019-9924\");\n\n script_name(english:\"Photon OS 1.0: Bash PHSA-2019-1.0-0229\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the bash package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-229.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9924\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"bash-4.3.48-3.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"bash-debuginfo-4.3.48-3.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"bash-lang-4.3.48-3.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:22:33", "description": "According to the version of the bash package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability :\n\n - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.(CVE-2019-9924)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-30T00:00:00", "type": "nessus", "title": "EulerOS Virtualization for ARM 64 3.0.2.0 : bash (EulerOS-SA-2019-1621)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:bash", "cpe:/o:huawei:euleros:uvp:3.0.2.0"], "id": "EULEROS_SA-2019-1621.NASL", "href": "https://www.tenable.com/plugins/nessus/125573", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(125573);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2019-9924\"\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.2.0 : bash (EulerOS-SA-2019-1621)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the bash package installed, the EulerOS\nVirtualization for ARM 64 installation on the remote host is affected\nby the following vulnerability :\n\n - rbash in Bash before 4.4-beta2 did not prevent the\n shell user from modifying BASH_CMDS, thus allowing the\n user to execute any command with the permissions of the\n shell.(CVE-2019-9924)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1621\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9ce39ee1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"bash-4.2.46-30.h5\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:22:52", "description": "According to the version of the bash package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability :\n\n - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.(CVE-2019-9924)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-30T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.1.0 : bash (EulerOS-SA-2019-1609)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:bash", "cpe:/o:huawei:euleros:uvp:3.0.1.0"], "id": "EULEROS_SA-2019-1609.NASL", "href": "https://www.tenable.com/plugins/nessus/125561", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(125561);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2019-9924\"\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.1.0 : bash (EulerOS-SA-2019-1609)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the bash package installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerability :\n\n - rbash in Bash before 4.4-beta2 did not prevent the\n shell user from modifying BASH_CMDS, thus allowing the\n user to execute any command with the permissions of the\n shell.(CVE-2019-9924)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1609\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?363650db\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"bash-4.2.46-30.h5\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:22:58", "description": "According to the version of the bash package installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.(CVE-2019-9924)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-29T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP3 : bash (EulerOS-SA-2019-1564)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:bash", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-1564.NASL", "href": "https://www.tenable.com/plugins/nessus/125491", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(125491);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2019-9924\"\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : bash (EulerOS-SA-2019-1564)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the bash package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - rbash in Bash before 4.4-beta2 did not prevent the\n shell user from modifying BASH_CMDS, thus allowing the\n user to execute any command with the permissions of the\n shell.(CVE-2019-9924)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1564\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?493e1b7c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"bash-4.2.46-28.h3\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-04T15:07:52", "description": "This update for bash fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS allowing the user to execute any command with the permissions of the shell (bsc#1130324).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-09T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : bash (SUSE-SU-2019:0898-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2021-01-13T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:bash", "p-cpe:/a:novell:suse_linux:bash-debuginfo", "p-cpe:/a:novell:suse_linux:bash-debugsource", "p-cpe:/a:novell:suse_linux:libreadline6", "p-cpe:/a:novell:suse_linux:libreadline6-debuginfo", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2019-0898-1.NASL", "href": "https://www.tenable.com/plugins/nessus/123924", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:0898-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123924);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2019-9924\");\n\n script_name(english:\"SUSE SLES12 Security Update : bash (SUSE-SU-2019:0898-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for bash fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2019-9924: Fixed a vulnerability in which shell did not prevent\nuser BASH_CMDS allowing the user to execute any command with the\npermissions of the shell (bsc#1130324).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1130324\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-9924/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20190898-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f1a0a48e\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2019-898=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2019-898=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2019-898=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bash-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bash-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreadline6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreadline6-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0/1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"bash-4.2-83.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"bash-debuginfo-4.2-83.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"bash-debugsource-4.2-83.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libreadline6-32bit-6.2-83.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libreadline6-6.2-83.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libreadline6-debuginfo-32bit-6.2-83.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libreadline6-debuginfo-6.2-83.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"bash-4.2-83.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"bash-debuginfo-4.2-83.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"bash-debugsource-4.2-83.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libreadline6-32bit-6.2-83.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libreadline6-6.2-83.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libreadline6-debuginfo-32bit-6.2-83.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libreadline6-debuginfo-6.2-83.3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-14T15:12:51", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:3803 advisory.\n\n - bash: BASH_CMD is writable in restricted bash shells (CVE-2019-9924)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-09-23T00:00:00", "type": "nessus", "title": "RHEL 7 : bash (RHSA-2020:3803)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2021-10-12T00:00:00", "cpe": ["cpe:/o:redhat:rhel_aus:7.4", "cpe:/o:redhat:rhel_e4s:7.4", "cpe:/o:redhat:rhel_tus:7.4", "p-cpe:/a:redhat:enterprise_linux:bash", "p-cpe:/a:redhat:enterprise_linux:bash-doc"], "id": "REDHAT-RHSA-2020-3803.NASL", "href": "https://www.tenable.com/plugins/nessus/140746", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:3803. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140746);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/12\");\n\n script_cve_id(\"CVE-2019-9924\");\n script_bugtraq_id(109277);\n script_xref(name:\"RHSA\", value:\"2020:3803\");\n\n script_name(english:\"RHEL 7 : bash (RHSA-2020:3803)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2020:3803 advisory.\n\n - bash: BASH_CMD is writable in restricted bash shells (CVE-2019-9924)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/138.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-9924\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:3803\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1691774\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash and / or bash-doc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9924\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(138);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bash-doc\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '7.4')) audit(AUDIT_OS_NOT, 'Red Hat 7.4', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'rhel_aus_7_4_server': [\n 'rhel-7-server-aus-debug-rpms',\n 'rhel-7-server-aus-debug-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-aus-optional-debug-rpms',\n 'rhel-7-server-aus-optional-debug-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-aus-optional-rpms',\n 'rhel-7-server-aus-optional-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-aus-optional-source-rpms',\n 'rhel-7-server-aus-optional-source-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-aus-rpms',\n 'rhel-7-server-aus-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-aus-source-rpms',\n 'rhel-7-server-aus-source-rpms__7_DOT_4__x86_64'\n ],\n 'rhel_e4s_7_4_server': [\n 'rhel-7-server-aus-debug-rpms',\n 'rhel-7-server-aus-optional-debug-rpms',\n 'rhel-7-server-aus-optional-rpms',\n 'rhel-7-server-aus-optional-source-rpms',\n 'rhel-7-server-aus-rpms',\n 'rhel-7-server-aus-source-rpms',\n 'rhel-7-server-e4s-debug-rpms',\n 'rhel-7-server-e4s-debug-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-e4s-optional-debug-rpms',\n 'rhel-7-server-e4s-optional-debug-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-e4s-optional-rpms',\n 'rhel-7-server-e4s-optional-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-e4s-optional-source-rpms',\n 'rhel-7-server-e4s-optional-source-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-e4s-rpms',\n 'rhel-7-server-e4s-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-e4s-source-rpms',\n 'rhel-7-server-e4s-source-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-tus-debug-rpms',\n 'rhel-7-server-tus-optional-debug-rpms',\n 'rhel-7-server-tus-optional-rpms',\n 'rhel-7-server-tus-optional-source-rpms',\n 'rhel-7-server-tus-rpms',\n 'rhel-7-server-tus-source-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-debug-rpms__7_DOT_4__x86_64',\n 'rhel-ha-for-rhel-7-server-e4s-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-rpms__7_DOT_4__x86_64',\n 'rhel-ha-for-rhel-7-server-e4s-source-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-source-rpms__7_DOT_4__x86_64'\n ],\n 'rhel_extras_sap_e4s_7_4': [\n 'rhel-sap-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-debug-rpms__7_DOT_4__x86_64',\n 'rhel-sap-for-rhel-7-server-e4s-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-rpms__7_DOT_4__x86_64',\n 'rhel-sap-for-rhel-7-server-e4s-source-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-source-rpms__7_DOT_4__x86_64'\n ],\n 'rhel_extras_sap_hana_e4s_7_4': [\n 'rhel-sap-hana-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-debug-rpms__7_DOT_4__x86_64',\n 'rhel-sap-hana-for-rhel-7-server-e4s-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-rpms__7_DOT_4__x86_64',\n 'rhel-sap-hana-for-rhel-7-server-e4s-source-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-source-rpms__7_DOT_4__x86_64'\n ],\n 'rhel_tus_7_4_server': [\n 'rhel-7-server-tus-debug-rpms',\n 'rhel-7-server-tus-debug-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-tus-optional-debug-rpms',\n 'rhel-7-server-tus-optional-debug-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-tus-optional-rpms',\n 'rhel-7-server-tus-optional-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-tus-optional-source-rpms',\n 'rhel-7-server-tus-optional-source-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-tus-rpms',\n 'rhel-7-server-tus-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-tus-source-rpms',\n 'rhel-7-server-tus-source-rpms__7_DOT_4__x86_64'\n ]\n};\n\nvar repo_sets = rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nvar pkgs = [\n {'reference':'bash-4.2.46-30.el7_4', 'sp':'4', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_aus_7_4_server', 'rhel_e4s_7_4_server', 'rhel_extras_sap_e4s_7_4', 'rhel_extras_sap_hana_e4s_7_4', 'rhel_tus_7_4_server']},\n {'reference':'bash-doc-4.2.46-30.el7_4', 'sp':'4', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_aus_7_4_server', 'rhel_e4s_7_4_server', 'rhel_extras_sap_e4s_7_4', 'rhel_extras_sap_hana_e4s_7_4', 'rhel_tus_7_4_server']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var subscription_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in the Red Hat Enterprise Linux\\n' +\n 'Advanced Update Support, Telco Extended Update Support or Update Services for SAP Solutions repositories.\\n' +\n 'Access to these repositories requires a paid RHEL subscription.\\n';\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = subscription_caveat + rpm_report_get() + redhat_report_repo_caveat();\n else extra = subscription_caveat + rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bash / bash-doc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-14T15:17:19", "description": "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has bash packages installed that are affected by a vulnerability:\n\n - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell. (CVE-2019-9924)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-12-09T00:00:00", "type": "nessus", "title": "NewStart CGSL CORE 5.04 / MAIN 5.04 : bash Vulnerability (NS-SA-2020-0067)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2020-12-10T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2020-0067_BASH.NASL", "href": "https://www.tenable.com/plugins/nessus/143925", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2020-0067. The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143925);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/10\");\n\n script_cve_id(\"CVE-2019-9924\");\n script_bugtraq_id(109277);\n\n script_name(english:\"NewStart CGSL CORE 5.04 / MAIN 5.04 : bash Vulnerability (NS-SA-2020-0067)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has bash packages installed that are affected by a\nvulnerability:\n\n - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the\n user to execute any command with the permissions of the shell. (CVE-2019-9924)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2020-0067\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL bash packages. Note that updated packages may not be available yet. Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9924\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL CORE 5.04\" &&\n release !~ \"CGSL MAIN 5.04\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nflag = 0;\n\npkgs = {\n 'CGSL CORE 5.04': [\n 'bash-4.2.46-34.el7.cgslv5.0.1.g00226e8.lite',\n 'bash-debuginfo-4.2.46-34.el7.cgslv5.0.1.g00226e8.lite',\n 'bash-doc-4.2.46-34.el7.cgslv5.0.1.g00226e8.lite',\n 'bash-lang-4.2.46-34.el7.cgslv5.0.1.g00226e8.lite'\n ],\n 'CGSL MAIN 5.04': [\n 'bash-4.2.46-34.el7.cgslv5',\n 'bash-debuginfo-4.2.46-34.el7.cgslv5',\n 'bash-doc-4.2.46-34.el7.cgslv5'\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bash');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-03T15:04:34", "description": "* bash: BASH_CMD is writable in restricted bash shells", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-04-21T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : bash on SL7.x x86_64 (20200407)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2020-04-24T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:bash", "p-cpe:/a:fermilab:scientific_linux:bash-debuginfo", "p-cpe:/a:fermilab:scientific_linux:bash-doc", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20200407_BASH_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/135800", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(135800);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/04/24\");\n\n script_cve_id(\"CVE-2019-9924\");\n\n script_name(english:\"Scientific Linux Security Update : bash on SL7.x x86_64 (20200407)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\"* bash: BASH_CMD is writable in restricted bash shells\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind2004&L=SCIENTIFIC-LINUX-ERRATA&P=17378\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f3a5b39b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected bash, bash-debuginfo and / or bash-doc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:bash-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:bash-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"bash-4.2.46-34.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"bash-debuginfo-4.2.46-34.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"bash-doc-4.2.46-34.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash / bash-debuginfo / bash-doc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:22:43", "description": "According to the version of the bash package installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.(CVE-2019-9924)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-29T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP5 : bash (EulerOS-SA-2019-1565)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:bash", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-1565.NASL", "href": "https://www.tenable.com/plugins/nessus/125492", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(125492);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2019-9924\"\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : bash (EulerOS-SA-2019-1565)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the bash package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - rbash in Bash before 4.4-beta2 did not prevent the\n shell user from modifying BASH_CMDS, thus allowing the\n user to execute any command with the permissions of the\n shell.(CVE-2019-9924)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1565\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?76b5a2a2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"bash-4.2.46-30.h5.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-14T15:14:43", "description": "The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2020-1503 advisory.\n\n - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell. (CVE-2019-9924)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-10-28T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : bash (ALAS-2020-1503)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2020-10-28T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:bash", "p-cpe:/a:amazon:linux:bash-debuginfo", "p-cpe:/a:amazon:linux:bash-doc", "cpe:/o:amazon:linux:2"], "id": "AL2_ALAS-2020-1503.NASL", "href": "https://www.tenable.com/plugins/nessus/141999", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n# \n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2020-1503.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141999);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/28\");\n\n script_cve_id(\"CVE-2019-9924\");\n script_bugtraq_id(109277);\n script_xref(name:\"ALAS\", value:\"2020-1503\");\n\n script_name(english:\"Amazon Linux 2 : bash (ALAS-2020-1503)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the ALAS2-2020-1503 advisory.\n\n - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the\n user to execute any command with the permissions of the shell. (CVE-2019-9924)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2020-1503.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-9924\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update bash' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9924\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bash-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bash-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\npkgs = [\n {'reference':'bash-4.2.46-34.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'bash-4.2.46-34.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'bash-4.2.46-34.amzn2', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'bash-debuginfo-4.2.46-34.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'bash-debuginfo-4.2.46-34.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'bash-debuginfo-4.2.46-34.amzn2', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'bash-doc-4.2.46-34.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'bash-doc-4.2.46-34.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'bash-doc-4.2.46-34.amzn2', 'cpu':'x86_64', 'release':'AL2'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash / bash-debuginfo / bash-doc\");\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-04T15:19:43", "description": "This update for bash fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS allowing the user to execute any command with the permissions of the shell (bsc#1130324).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-08T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : bash (SUSE-SU-2019:0838-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2021-01-13T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:bash", "p-cpe:/a:novell:suse_linux:bash-debuginfo", "p-cpe:/a:novell:suse_linux:bash-debugsource", "p-cpe:/a:novell:suse_linux:libreadline6", "p-cpe:/a:novell:suse_linux:libreadline6-debuginfo", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2019-0838-2.NASL", "href": "https://www.tenable.com/plugins/nessus/126524", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:0838-2.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126524);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2019-9924\");\n\n script_name(english:\"SUSE SLES12 Security Update : bash (SUSE-SU-2019:0838-2)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for bash fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2019-9924: Fixed a vulnerability in which shell did not prevent\nuser BASH_CMDS allowing the user to execute any command with the\npermissions of the shell (bsc#1130324).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1130324\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-9924/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20190838-2/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1348d432\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 7:zypper in -t patch\nSUSE-OpenStack-Cloud-7-2019-838=1\n\nSUSE Linux Enterprise Workstation Extension 12-SP5:zypper in -t patch\nSUSE-SLE-WE-12-SP5-2019-838=1\n\nSUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch\nSUSE-SLE-SAP-12-SP2-2019-838=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2019-838=1\n\nSUSE Linux Enterprise Server 12-SP2-BCL:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-BCL-2019-838=1\n\nSUSE Enterprise Storage 4:zypper in -t patch SUSE-Storage-4-2019-838=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bash-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bash-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreadline6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreadline6-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"bash-4.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"bash-debuginfo-4.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"bash-debugsource-4.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libreadline6-32bit-6.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libreadline6-6.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libreadline6-debuginfo-32bit-6.3-83.23.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libreadline6-debuginfo-6.3-83.23.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-04T15:01:43", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1113 advisory.\n\n - bash: BASH_CMD is writable in restricted bash shells (CVE-2019-9924)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-04-01T00:00:00", "type": "nessus", "title": "RHEL 7 : bash (RHSA-2020:1113)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2021-10-13T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:bash", "p-cpe:/a:redhat:enterprise_linux:bash-doc"], "id": "REDHAT-RHSA-2020-1113.NASL", "href": "https://www.tenable.com/plugins/nessus/135062", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:1113. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135062);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/13\");\n\n script_cve_id(\"CVE-2019-9924\");\n script_bugtraq_id(109277);\n script_xref(name:\"RHSA\", value:\"2020:1113\");\n\n script_name(english:\"RHEL 7 : bash (RHSA-2020:1113)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2020:1113 advisory.\n\n - bash: BASH_CMD is writable in restricted bash shells (CVE-2019-9924)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/138.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-9924\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:1113\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1691774\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash and / or bash-doc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9924\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(138);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bash-doc\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'enterprise_linux_7_client': [\n 'rhel-7-desktop-debug-rpms',\n 'rhel-7-desktop-fastrack-debug-rpms',\n 'rhel-7-desktop-fastrack-rpms',\n 'rhel-7-desktop-fastrack-source-rpms',\n 'rhel-7-desktop-optional-debug-rpms',\n 'rhel-7-desktop-optional-fastrack-debug-rpms',\n 'rhel-7-desktop-optional-fastrack-rpms',\n 'rhel-7-desktop-optional-fastrack-source-rpms',\n 'rhel-7-desktop-optional-rpms',\n 'rhel-7-desktop-optional-source-rpms',\n 'rhel-7-desktop-rpms',\n 'rhel-7-desktop-source-rpms'\n ],\n 'enterprise_linux_7_computenode': [\n 'rhel-7-for-hpc-node-fastrack-debug-rpms',\n 'rhel-7-for-hpc-node-fastrack-rpms',\n 'rhel-7-for-hpc-node-fastrack-source-rpms',\n 'rhel-7-for-hpc-node-optional-fastrack-debug-rpms',\n 'rhel-7-for-hpc-node-optional-fastrack-rpms',\n 'rhel-7-for-hpc-node-optional-fastrack-source-rpms',\n 'rhel-7-hpc-node-debug-rpms',\n 'rhel-7-hpc-node-optional-debug-rpms',\n 'rhel-7-hpc-node-optional-rpms',\n 'rhel-7-hpc-node-optional-source-rpms',\n 'rhel-7-hpc-node-rpms',\n 'rhel-7-hpc-node-source-rpms'\n ],\n 'enterprise_linux_7_server': [\n 'rhel-7-for-system-z-a-debug-rpms',\n 'rhel-7-for-system-z-a-optional-debug-rpms',\n 'rhel-7-for-system-z-a-optional-rpms',\n 'rhel-7-for-system-z-a-optional-source-rpms',\n 'rhel-7-for-system-z-a-rpms',\n 'rhel-7-for-system-z-a-source-rpms',\n 'rhel-7-for-system-z-debug-rpms',\n 'rhel-7-for-system-z-fastrack-debug-rpms',\n 'rhel-7-for-system-z-fastrack-rpms',\n 'rhel-7-for-system-z-fastrack-source-rpms',\n 'rhel-7-for-system-z-optional-debug-rpms',\n 'rhel-7-for-system-z-optional-fastrack-debug-rpms',\n 'rhel-7-for-system-z-optional-fastrack-rpms',\n 'rhel-7-for-system-z-optional-fastrack-source-rpms',\n 'rhel-7-for-system-z-optional-rpms',\n 'rhel-7-for-system-z-optional-source-rpms',\n 'rhel-7-for-system-z-rpms',\n 'rhel-7-for-system-z-source-rpms',\n 'rhel-7-server-debug-rpms',\n 'rhel-7-server-fastrack-debug-rpms',\n 'rhel-7-server-fastrack-rpms',\n 'rhel-7-server-fastrack-source-rpms',\n 'rhel-7-server-optional-debug-rpms',\n 'rhel-7-server-optional-fastrack-debug-rpms',\n 'rhel-7-server-optional-fastrack-rpms',\n 'rhel-7-server-optional-fastrack-source-rpms',\n 'rhel-7-server-optional-rpms',\n 'rhel-7-server-optional-source-rpms',\n 'rhel-7-server-rpms',\n 'rhel-7-server-source-rpms',\n 'rhel-ha-for-rhel-7-for-system-z-debug-rpms',\n 'rhel-ha-for-rhel-7-for-system-z-rpms',\n 'rhel-ha-for-rhel-7-for-system-z-source-rpms',\n 'rhel-ha-for-rhel-7-server-debug-rpms',\n 'rhel-ha-for-rhel-7-server-rpms',\n 'rhel-ha-for-rhel-7-server-source-rpms',\n 'rhel-rs-for-rhel-7-for-system-z-debug-rpms',\n 'rhel-rs-for-rhel-7-for-system-z-rpms',\n 'rhel-rs-for-rhel-7-for-system-z-source-rpms',\n 'rhel-rs-for-rhel-7-server-debug-rpms',\n 'rhel-rs-for-rhel-7-server-rpms',\n 'rhel-rs-for-rhel-7-server-source-rpms'\n ],\n 'enterprise_linux_7_workstation': [\n 'rhel-7-workstation-debug-rpms',\n 'rhel-7-workstation-fastrack-debug-rpms',\n 'rhel-7-workstation-fastrack-rpms',\n 'rhel-7-workstation-fastrack-source-rpms',\n 'rhel-7-workstation-optional-debug-rpms',\n 'rhel-7-workstation-optional-fastrack-debug-rpms',\n 'rhel-7-workstation-optional-fastrack-rpms',\n 'rhel-7-workstation-optional-fastrack-source-rpms',\n 'rhel-7-workstation-optional-rpms',\n 'rhel-7-workstation-optional-source-rpms',\n 'rhel-7-workstation-rpms',\n 'rhel-7-workstation-source-rpms'\n ],\n 'rhel_extras_7': [\n 'rhel-7-desktop-supplementary-rpms',\n 'rhel-7-desktop-supplementary-source-rpms',\n 'rhel-7-for-hpc-node-supplementary-rpms',\n 'rhel-7-for-hpc-node-supplementary-source-rpms',\n 'rhel-7-for-system-z-eus-supplementary-rpms',\n 'rhel-7-for-system-z-eus-supplementary-source-rpms',\n 'rhel-7-for-system-z-supplementary-debug-rpms',\n 'rhel-7-for-system-z-supplementary-rpms',\n 'rhel-7-for-system-z-supplementary-source-rpms',\n 'rhel-7-hpc-node-eus-supplementary-rpms',\n 'rhel-7-server-eus-supplementary-rpms',\n 'rhel-7-server-supplementary-rpms',\n 'rhel-7-server-supplementary-source-rpms',\n 'rhel-7-workstation-supplementary-rpms',\n 'rhel-7-workstation-supplementary-source-rpms'\n ],\n 'rhel_extras_oracle_java_7': [\n 'rhel-7-desktop-restricted-maintenance-oracle-java-rpms',\n 'rhel-7-for-hpc-node-restricted-maintenance-oracle-java-rpms',\n 'rhel-7-hpc-node-eus-restricted-maintenance-oracle-java-rpms',\n 'rhel-7-server-eus-restricted-maintenance-oracle-java-rpms',\n 'rhel-7-server-eus-restricted-maintenance-oracle-java-source-rpms',\n 'rhel-7-server-restricted-maintenance-oracle-java-rpms',\n 'rhel-7-workstation-restricted-maintenance-oracle-java-rpms'\n ],\n 'rhel_extras_rt_7': [\n 'rhel-7-server-nfv-debug-rpms',\n 'rhel-7-server-nfv-rpms',\n 'rhel-7-server-nfv-source-rpms',\n 'rhel-7-server-rt-debug-rpms',\n 'rhel-7-server-rt-rpms',\n 'rhel-7-server-rt-source-rpms'\n ],\n 'rhel_extras_sap_7': [\n 'rhel-sap-for-rhel-7-for-system-z-debug-rpms',\n 'rhel-sap-for-rhel-7-for-system-z-eus-debug-rpms',\n 'rhel-sap-for-rhel-7-for-system-z-eus-rpms',\n 'rhel-sap-for-rhel-7-for-system-z-eus-source-rpms',\n 'rhel-sap-for-rhel-7-for-system-z-rpms',\n 'rhel-sap-for-rhel-7-for-system-z-source-rpms',\n 'rhel-sap-for-rhel-7-server-debug-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-source-rpms',\n 'rhel-sap-for-rhel-7-server-eus-debug-rpms',\n 'rhel-sap-for-rhel-7-server-eus-rpms',\n 'rhel-sap-for-rhel-7-server-eus-source-rpms',\n 'rhel-sap-for-rhel-7-server-rpms',\n 'rhel-sap-for-rhel-7-server-source-rpms'\n ],\n 'rhel_extras_sap_hana_7': [\n 'rhel-sap-hana-for-rhel-7-server-debug-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-source-rpms',\n 'rhel-sap-hana-for-rhel-7-server-eus-debug-rpms',\n 'rhel-sap-hana-for-rhel-7-server-eus-rpms',\n 'rhel-sap-hana-for-rhel-7-server-eus-source-rpms',\n 'rhel-sap-hana-for-rhel-7-server-rpms',\n 'rhel-sap-hana-for-rhel-7-server-source-rpms'\n ]\n};\n\nvar repo_sets = rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nvar pkgs = [\n {'reference':'bash-4.2.46-34.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'bash-4.2.46-34.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'bash-doc-4.2.46-34.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'bash-doc-4.2.46-34.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bash / bash-doc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-04T15:19:43", "description": "It was discovered that Bash incorrectly handled the restricted shell.\nAn attacker could possibly use this issue to escape restrictions and execute any command.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-16T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS : Bash vulnerability (USN-4058-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2020-09-17T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:bash", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "UBUNTU_USN-4058-1.NASL", "href": "https://www.tenable.com/plugins/nessus/126748", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4058-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126748);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/17\");\n\n script_cve_id(\"CVE-2019-9924\");\n script_xref(name:\"USN\", value:\"4058-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS : Bash vulnerability (USN-4058-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"It was discovered that Bash incorrectly handled the restricted shell.\nAn attacker could possibly use this issue to escape restrictions and\nexecute any command.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4058-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"bash\", pkgver:\"4.3-14ubuntu1.4\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-04T15:06:10", "description": "Two issues have been fixed in bash, the GNU Bourne-Again Shell :\n\nCVE-2016-9401\n\nThe popd builtin segfaulted when called with negative out of range offsets.\n\nCVE-2019-9924\n\nSylvain Beucler discovered that it was possible to call commands that contained a slash when in restricted mode (rbash) by adding them to the BASH_CMDS array.\n\nFor Debian 8 'Jessie', these problems have been fixed in version 4.3-11+deb8u2.\n\nWe recommend that you upgrade your bash packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-03-26T00:00:00", "type": "nessus", "title": "Debian DLA-1726-1 : bash security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9401", "CVE-2019-9924"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:bash", "p-cpe:/a:debian:debian_linux:bash-builtins", "p-cpe:/a:debian:debian_linux:bash-doc", "p-cpe:/a:debian:debian_linux:bash-static", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-1726.NASL", "href": "https://www.tenable.com/plugins/nessus/123093", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1726-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(123093);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9401\", \"CVE-2019-9924\");\n\n script_name(english:\"Debian DLA-1726-1 : bash security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two issues have been fixed in bash, the GNU Bourne-Again Shell :\n\nCVE-2016-9401\n\nThe popd builtin segfaulted when called with negative out of range\noffsets.\n\nCVE-2019-9924\n\nSylvain Beucler discovered that it was possible to call commands that\ncontained a slash when in restricted mode (rbash) by adding them to\nthe BASH_CMDS array.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n4.3-11+deb8u2.\n\nWe recommend that you upgrade your bash packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2019/03/msg00028.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/bash\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bash-builtins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bash-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bash-static\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"bash\", reference:\"4.3-11+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"bash-builtins\", reference:\"4.3-11+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"bash-doc\", reference:\"4.3-11+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"bash-static\", reference:\"4.3-11+deb8u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-07T04:18:14", "description": "The version of AOS installed on the remote host is prior to 5.15.3. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.15.3 advisory.\n\n - It's been found that multiple functions in ipmitool before 1.8.19 neglect proper checking of the data received from a remote LAN party, which may lead to buffer overflows and potentially to remote code execution on the ipmitool side. This is especially dangerous if ipmitool is run as a privileged user. This problem is fixed in version 1.8.19. (CVE-2020-5208)\n\n - avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) and may cause information leakage by obtaining potentially sensitive information from the responding device via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809. (CVE-2017-6519)\n\n - http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3. (CVE-2018-20852)\n\n - An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally. (CVE-2019-16056)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2754, CVE-2020-2755)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2756, CVE-2020-2757)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2773)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2781)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded:\n 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-2800)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). (CVE-2020-2803, CVE-2020-2805)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency).\n Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.\n Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2830)\n\n - An issue was discovered in Rsyslog v8.1908.0. contrib/pmaixforwardedfrom/pmaixforwardedfrom.c has a heap overflow in the parser for AIX log messages. The parser tries to locate a log message delimiter (in this case, a space or a colon) but fails to account for strings that do not satisfy this constraint. If the string does not match, then the variable lenMsg will reach the value zero and will skip the sanity check that detects invalid log messages. The message will then be considered valid, and the parser will eat up the nonexistent colon delimiter. In doing so, it will decrement lenMsg, a signed integer, whose value was zero and now becomes minus one. The following step in the parser is to shift left the contents of the message. To do this, it will call memmove with the right pointers to the target and destination strings, but the lenMsg will now be interpreted as a huge value, causing a heap overflow. (CVE-2019-17041)\n\n - An issue was discovered in Rsyslog v8.1908.0. contrib/pmcisconames/pmcisconames.c has a heap overflow in the parser for Cisco log messages. The parser tries to locate a log message delimiter (in this case, a space or a colon), but fails to account for strings that do not satisfy this constraint. If the string does not match, then the variable lenMsg will reach the value zero and will skip the sanity check that detects invalid log messages. The message will then be considered valid, and the parser will eat up the nonexistent colon delimiter. In doing so, it will decrement lenMsg, a signed integer, whose value was zero and now becomes minus one. The following step in the parser is to shift left the contents of the message.\n To do this, it will call memmove with the right pointers to the target and destination strings, but the lenMsg will now be interpreted as a huge value, causing a heap overflow. (CVE-2019-17042)\n\n - An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c. (CVE-2017-18595)\n\n - In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub- buffer). (CVE-2019-19768)\n\n - A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7.\n This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. While processing the CIPSO restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network user to crash the system kernel, resulting in a denial of service. (CVE-2020-10711)\n\n - An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus- daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients. (CVE-2020-12049)\n\n - A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for authentication and trigger authentication of unrelated processes owned by other users. This may result in a local DoS and information disclosure. (CVE-2018-1116)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: Applies to client and server deployment of Java.\n This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-2767)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2020-2778)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data.\n Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2020-2816)\n\n - In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all. (CVE-2017-15710)\n\n - A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage. (CVE-2018-1301)\n\n - In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded. (CVE-2018-17199)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth).\n Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2737)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges).\n Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.1 (Integrity and Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H). (CVE-2019-2739)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: XML). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2740)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2805)\n\n - In macOS High Sierra before 10.13.5, an issue existed in CUPS. This issue was addressed with improved access restrictions. (CVE-2018-4180, CVE-2018-4181)\n\n - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-4300. Reason: This candidate is a duplicate of CVE-2018-4300. Notes: All CVE users should reference CVE-2018-4300 instead of this candidate.\n All references and descriptions in this candidate have been removed to prevent accidental usage.\n (CVE-2018-4700)\n\n - In the Linux kernel before 4.1.4, a buffer overflow occurs when checking userspace params in drivers/media/dvb-frontends/cx24116.c. The maximum size for a DiSEqC command is 6, according to the userspace API. However, the code allows larger values such as 23. (CVE-2015-9289)\n\n - The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current task's default request-key keyring via the request_key() system call, allowing a local user to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.\n (CVE-2017-17807)\n\n - The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that potentially allows arbitrary read in the kernel address space. (CVE-2018-19985)\n\n - An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.\n (CVE-2018-20169)\n\n - In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. This is similar to CVE-2013-4343. (CVE-2018-7191)\n\n - A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.\n (CVE-2019-10207)\n\n - In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses. (CVE-2019-10638)\n\n - The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to have a dependency on an address associated with a network namespace. (CVE-2019-10639)\n\n - The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. (CVE-2019-11190)\n\n - The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a '\\0' character. (CVE-2019-11884)\n\n - ** DISPUTED ** An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the Linux kernel through 5.1.5. There is an unchecked kstrdup of fwstr, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: The vendor disputes this issues as not being a vulnerability because kstrdup() returning NULL is handled sufficiently and there is no chance for a NULL pointer dereference. (CVE-2019-12382)\n\n - In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds violation. (CVE-2019-13233)\n\n - In the Linux kernel through 5.2.1 on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c. (CVE-2019-13648)\n\n - In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default. (CVE-2019-14283)\n\n - A vulnerability was found in Linux Kernel, where a Heap Overflow was found in mwifiex_set_wmm_params() function of Marvell Wifi Driver. (CVE-2019-14815)\n\n - An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. In the qedi_dbg_* family of functions, there is an out-of-bounds read. (CVE-2019-15090)\n\n - An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver. (CVE-2019-15221)\n\n - An issue was discovered in the Linux kernel before 5.0.1. There is a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service. (CVE-2019-15916)\n\n - An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow. (CVE-2019-16746)\n\n - The Linux kernel before 5.4.1 on powerpc allows Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs, aka CID-39e72bf96f58. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c. (CVE-2019-18660)\n\n - A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.\n As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls. This issue affects kernel versions before 4.8. (CVE-2019-3901)\n\n - The Broadcom brcmfmac WiFi driver prior to commit a4176ec356c73a46c07c181c6d04039fafa34a9f is vulnerable to a frame validation bypass. If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and unprocessed. If the driver receives the firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed if the bus used is USB (for instance by a wifi dongle). This can allow firmware event frames from a remote source to be processed. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.\n More typically, this vulnerability will result in denial-of-service conditions. (CVE-2019-9503)\n\n - GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment. (CVE-2018-15587)\n\n - It was discovered evolution-ews before 3.31.3 does not check the validity of SSL certificates. An attacker could abuse this flaw to get confidential information by tricking the user into connecting to a fake server without the user noticing the difference. (CVE-2019-3890)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-14556)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2020-14577)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-14578, CVE-2020-14579)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). (CVE-2020-14583)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note:\n This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N). (CVE-2020-14593)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2020-14621)\n\n - The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file. (CVE-2018-10360)\n\n - ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service. (CVE-2017-1000476)\n\n - The ReadXWDImage function in coders\\xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can cause memory exhaustion via a crafted length (number of color-map entries) field in the header of an XWD file. (CVE-2017-11166)\n\n - In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function ReadTIFFImage, which allows attackers to cause a denial of service. (CVE-2017-12805)\n\n - In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function format8BIM, which allows attackers to cause a denial of service. (CVE-2017-12806)\n\n - An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function ReadPCDImage in coders/pcd.c, which allow remote attackers to cause a denial of service via a crafted file. (CVE-2017-18251)\n\n - An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList function in MagickWand/mogrify.c allows attackers to cause a denial of service (assertion failure and application exit in ReplaceImageInList) via a crafted file. (CVE-2017-18252)\n\n - An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function WriteGIFImage in coders/gif.c, which allow remote attackers to cause a denial of service via a crafted file. (CVE-2017-18254)\n\n - In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted MIFF image file. (CVE-2017-18271)\n\n - In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted image file that is mishandled in a GetImageIndexInList call. (CVE-2017-18273)\n\n - In ImageMagick 7.0.7-28, there is an infinite loop in the ReadOneMNGImage function of the coders/png.c file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted mng file. (CVE-2018-10177)\n\n - ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage in coders/tiff.c. (CVE-2018-10804)\n\n - ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c. (CVE-2018-10805)\n\n - In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file.\n (CVE-2018-11656)\n\n - In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/bmp.c allow attackers to cause an out of bounds write via a crafted file. (CVE-2018-12599)\n\n - In ImageMagick 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/dib.c allow attackers to cause an out of bounds write via a crafted file. (CVE-2018-12600)\n\n - In ImageMagick 7.0.8-4, there is a memory leak in the XMagickCommand function in MagickCore/animate.c.\n (CVE-2018-13153)\n\n - ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c. (CVE-2018-14434)\n\n - ImageMagick 7.0.8-4 has a memory leak in DecodeImage in coders/pcd.c. (CVE-2018-14435)\n\n - ImageMagick 7.0.8-4 has a memory leak in ReadMIFFImage in coders/miff.c. (CVE-2018-14436)\n\n - ImageMagick 7.0.8-4 has a memory leak in parse8BIM in coders/meta.c. (CVE-2018-14437)\n\n - In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file. (CVE-2018-15607)\n\n - In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the CheckEventLogging function in MagickCore/log.c. (CVE-2018-16328)\n\n - In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJNGImage in coders/png.c allows an attacker to cause a denial of service (WriteBlob assertion failure and application exit) via a crafted file. (CVE-2018-16749)\n\n - In ImageMagick 7.0.7-29 and earlier, a memory leak in the formatIPTCfromBuffer function in coders/meta.c was found. (CVE-2018-16750)\n\n - There is a memory leak in the function WriteMSLImage of coders/msl.c in ImageMagick 7.0.8-13 Q16, and the function ProcessMSLScript of coders/msl.c in GraphicsMagick before 1.3.31. (CVE-2018-18544)\n\n - In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang, with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file. (CVE-2018-20467)\n\n - WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote attackers to cause a denial of service (MagickCore/memory.c double free and application crash) or possibly have unspecified other impact via a crafted file. (CVE-2018-8804)\n\n - ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage and EncodeLabImage functions (coders/tiff.c), which results in a hang (tens of minutes) with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tiff file. (CVE-2018-9133)\n\n - An off-by-one read vulnerability was discovered in ImageMagick before version 7.0.7-28 in the formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to crash the program. (CVE-2019-10131)\n\n - In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file. (CVE-2019-10650)\n\n - The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size. This occurs because ReadCINImage in coders/cin.c lacks a check for insufficient image data in a file.\n (CVE-2019-11470)\n\n - ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first. (CVE-2019-11472)\n\n - In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. (CVE-2019-11597)\n\n - In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c. (CVE-2019-11598)\n\n - A NULL pointer dereference in the function ReadPANGOImage in coders/pango.c and the function ReadVIDImage in coders/vid.c in ImageMagick 7.0.8-34 allows remote attackers to cause a denial of service via a crafted image. (CVE-2019-12974)\n\n - ImageMagick 7.0.8-34 has a memory leak vulnerability in the WriteDPXImage function in coders/dpx.c.\n (CVE-2019-12975)\n\n - ImageMagick 7.0.8-34 has a memory leak in the ReadPCLImage function in coders/pcl.c. (CVE-2019-12976)\n\n - ImageMagick 7.0.8-34 has a use of uninitialized value vulnerability in the ReadPANGOImage function in coders/pango.c. (CVE-2019-12978)\n\n - ImageMagick 7.0.8-34 has a use of uninitialized value vulnerability in the SyncImageSettings function in MagickCore/image.c. This is related to AcquireImage in magick/image.c. (CVE-2019-12979)\n\n - ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c.\n (CVE-2019-13133)\n\n - ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadVIFFImage in coders/viff.c. (CVE-2019-13134)\n\n - ImageMagick before 7.0.8-50 has a use of uninitialized value vulnerability in the function ReadCUTImage in coders/cut.c. (CVE-2019-13135)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage because a width of zero is mishandled. (CVE-2019-13295)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage because a height of zero is mishandled. (CVE-2019-13297)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages because of mishandling columns. (CVE-2019-13300)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory because of an AnnotateImage error.\n (CVE-2019-13301)\n\n - ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a misplaced assignment. (CVE-2019-13304)\n\n - ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a misplaced strncpy and an off-by-one error. (CVE-2019-13305)\n\n - ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of off-by-one errors. (CVE-2019-13306)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages because of mishandling rows. (CVE-2019-13307)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of mishandling the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c. (CVE-2019-13309)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of an error in MagickWand/mogrify.c. (CVE-2019-13310)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of a wand/mogrify.c error.\n (CVE-2019-13311)\n\n - ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c.\n (CVE-2019-13454)\n\n - In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.\n (CVE-2019-14980)\n\n - In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file.\n (CVE-2019-14981)\n\n - The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (application crash resulting from an out-of-bounds Read) in ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than CVE-2019-11472. (CVE-2019-15139)\n\n - coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after- free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that is mishandled in ReadImage in MagickCore/constitute.c. (CVE-2019-15140)\n\n - WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in tif_dirwrite.c of LibTIFF. NOTE: this occurs because of an incomplete fix for CVE-2019-11597.\n (CVE-2019-15141)\n\n - ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage. (CVE-2019-16708)\n\n - ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage. (CVE-2019-16709)\n\n - ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c. (CVE-2019-16710)\n\n - ImageMagick 7.0.8-40 has a memory leak in Huffman2DEncodeImage in coders/ps2.c. (CVE-2019-16711)\n\n - ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in coders/ps3.c, as demonstrated by WritePS3Image. (CVE-2019-16712)\n\n - ImageMagick 7.0.8-43 has a memory leak in coders/dot.c, as demonstrated by PingImage in MagickCore/constitute.c. (CVE-2019-16713)\n\n - ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.\n (CVE-2019-17540)\n\n - ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the error manager is mishandled in coders/jpeg.c. (CVE-2019-17541)\n\n - In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer overflow in the function WriteSGIImage of coders/sgi.c. (CVE-2019-19948)\n\n - In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WritePNGImage of coders/png.c, related to Magick_png_write_raw_profile and LocaleNCompare. (CVE-2019-19949)\n\n - In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c. (CVE-2019-7175)\n\n - In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in WritePDFImage in coders/pdf.c. (CVE-2019-7397)\n\n - In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage in coders/dib.c. (CVE-2019-7398)\n\n - In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file. (CVE-2019-9956)\n\n - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp. (CVE-2020-11868)\n\n - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can query time from the victim's ntpd instance. (CVE-2020-13817)\n\n - Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code by providing a large amount of compressed XML data, a related issue to CVE-2015-1283. (CVE-2015-2716)\n\n - snmp_oid_compare in snmplib/snmp_api.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an unauthenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. (CVE-2018-18066)\n\n - Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a better zip bomb issue. (CVE-2019-13232)\n\n - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e. (CVE-2019-19527)\n\n - A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the way mremap handled DAX Huge Pages.\n This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the system. (CVE-2020-10757)\n\n - An issue was found in Linux kernel before 5.5.4. The mwifiex_cmd_append_vsie_tlv() function in drivers/net/wireless/marvell/mwifiex/scan.c allows local users to gain privileges or cause a denial of service because of an incorrect memcpy and buffer overflow, aka CID-b70261a288ea. (CVE-2020-12653)\n\n - An issue was found in Linux kernel before 5.5.4. mwifiex_ret_wmm_get_status() in drivers/net/wireless/marvell/mwifiex/wmm.c allows a remote AP to trigger a heap-based buffer overflow because of an incorrect memcpy, aka CID-3a9b153c5591. (CVE-2020-12654)\n\n - managed-keys is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm.\n Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5745. (CVE-2018-5745)\n\n - Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465. (CVE-2019-6465)\n\n - With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).\n (CVE-2019-6477)\n\n - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell. (CVE-2019-9924)\n\n - The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory space. (CVE-2020-12888)\n\n - A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1. (CVE-2019-5436)\n\n - It was discovered that the gnome-shell lock screen since version 3.15.91 did not properly restrict all contextual actions. An attacker with physical access to a locked workstation could invoke certain keyboard shortcuts, and potentially other actions. (CVE-2019-3820)\n\n - A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor. (CVE-2020-8616)\n\n - Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results. (CVE-2020-8617)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-09-01T00:00:00", "type": "nessus", "title": "Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.15.3)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-4343", "CVE-2015-1283", "CVE-2015-2716", "CVE-2015-2809", "CVE-2015-9289", "CVE-2017-1000476", "CVE-2017-11166", "CVE-2017-12805", "CVE-2017-12806", "CVE-2017-15710", "CVE-2017-17807", "CVE-2017-18251", "CVE-2017-18252", "CVE-2017-18254", "CVE-2017-18271", "CVE-2017-18273", "CVE-2017-18595", "CVE-2017-6519", "CVE-2018-10177", "CVE-2018-10360", "CVE-2018-10804", "CVE-2018-10805", "CVE-2018-1116", "CVE-2018-11656", "CVE-2018-12599", "CVE-2018-12600", "CVE-2018-1301", "CVE-2018-13153", "CVE-2018-14434", "CVE-2018-14435", "CVE-2018-14436", "CVE-2018-14437", "CVE-2018-15587", "CVE-2018-15607", "CVE-2018-16328", "CVE-2018-16749", "CVE-2018-16750", "CVE-2018-17199", "CVE-2018-18066", "CVE-2018-18544", "CVE-2018-19985", "CVE-2018-20169", "CVE-2018-20467", "CVE-2018-20852", "CVE-2018-4180", "CVE-2018-4181", "CVE-2018-4300", "CVE-2018-4700", "CVE-2018-5745", "CVE-2018-7191", "CVE-2018-8804", "CVE-2018-9133", "CVE-2019-10131", "CVE-2019-10207", "CVE-2019-10638", "CVE-2019-10639", "CVE-2019-10650", "CVE-2019-11190", "CVE-2019-11340", "CVE-2019-11470", "CVE-2019-11472", "CVE-2019-11597", "CVE-2019-11598", "CVE-2019-11884", "CVE-2019-12382", "CVE-2019-12974", "CVE-2019-12975", "CVE-2019-12976", "CVE-2019-12978", "CVE-2019-12979", "CVE-2019-13133", "CVE-2019-13134", "CVE-2019-13135", "CVE-2019-13232", "CVE-2019-13233", "CVE-2019-13295", "CVE-2019-13297", "CVE-2019-13300", "CVE-2019-13301", "CVE-2019-13304", "CVE-2019-13305", "CVE-2019-13306", "CVE-2019-13307", "CVE-2019-13309", "CVE-2019-13310", "CVE-2019-13311", "CVE-2019-13454", "CVE-2019-13648", "CVE-2019-14283", "CVE-2019-14815", "CVE-2019-14980", "CVE-2019-14981", "CVE-2019-15090", "CVE-2019-15139", "CVE-2019-15140", "CVE-2019-15141", "CVE-2019-15221", "CVE-2019-15916", "CVE-2019-16056", "CVE-2019-16708", "CVE-2019-16709", "CVE-2019-16710", "CVE-2019-16711", "CVE-2019-16712", "CVE-2019-16713", "CVE-2019-16746", "CVE-2019-17041", "CVE-2019-17042", "CVE-2019-17540", "CVE-2019-17541", "CVE-2019-18660", "CVE-2019-19527", "CVE-2019-19768", "CVE-2019-19948", "CVE-2019-19949", "CVE-2019-2737", "CVE-2019-2739", "CVE-2019-2740", "CVE-2019-2805", "CVE-2019-3820", "CVE-2019-3890", "CVE-2019-3901", "CVE-2019-5436", "CVE-2019-6465", "CVE-2019-6477", "CVE-2019-7175", "CVE-2019-7397", "CVE-2019-7398", "CVE-2019-9503", "CVE-2019-9924", "CVE-2019-9956", "CVE-2020-10711", "CVE-2020-10757", "CVE-2020-11868", "CVE-2020-12049", "CVE-2020-12653", "CVE-2020-12654", "CVE-2020-12888", "CVE-2020-13817", "CVE-2020-14556", "CVE-2020-14577", "CVE-2020-14578", "CVE-2020-14579", "CVE-2020-14583", "CVE-2020-14593", "CVE-2020-14621", "CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2767", "CVE-2020-2773", "CVE-2020-2778", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2805", "CVE-2020-2816", "CVE-2020-2830", "CVE-2020-5208", "CVE-2020-8616", "CVE-2020-8617"], "modified": "2022-12-06T00:00:00", "cpe": ["cpe:/o:nutanix:aos"], "id": "NUTANIX_NXSA-AOS-5_15_3.NASL", "href": "https://www.tenable.com/plugins/nessus/164596", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164596);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\n \"CVE-2015-2716\",\n \"CVE-2015-9289\",\n \"CVE-2017-6519\",\n \"CVE-2017-11166\",\n \"CVE-2017-12805\",\n \"CVE-2017-12806\",\n \"CVE-2017-15710\",\n \"CVE-2017-17807\",\n \"CVE-2017-18251\",\n \"CVE-2017-18252\",\n \"CVE-2017-18254\",\n \"CVE-2017-18271\",\n \"CVE-2017-18273\",\n \"CVE-2017-18595\",\n \"CVE-2017-1000476\",\n \"CVE-2018-1116\",\n \"CVE-2018-1301\",\n \"CVE-2018-4180\",\n \"CVE-2018-4181\",\n \"CVE-2018-4700\",\n \"CVE-2018-5745\",\n \"CVE-2018-7191\",\n \"CVE-2018-8804\",\n \"CVE-2018-9133\",\n \"CVE-2018-10177\",\n \"CVE-2018-10360\",\n \"CVE-2018-10804\",\n \"CVE-2018-10805\",\n \"CVE-2018-11656\",\n \"CVE-2018-12599\",\n \"CVE-2018-12600\",\n \"CVE-2018-13153\",\n \"CVE-2018-14434\",\n \"CVE-2018-14435\",\n \"CVE-2018-14436\",\n \"CVE-2018-14437\",\n \"CVE-2018-15587\",\n \"CVE-2018-15607\",\n \"CVE-2018-16328\",\n \"CVE-2018-16749\",\n \"CVE-2018-16750\",\n \"CVE-2018-17199\",\n \"CVE-2018-18066\",\n \"CVE-2018-18544\",\n \"CVE-2018-19985\",\n \"CVE-2018-20169\",\n \"CVE-2018-20467\",\n \"CVE-2018-20852\",\n \"CVE-2018-20852\",\n \"CVE-2019-2737\",\n \"CVE-2019-2739\",\n \"CVE-2019-2740\",\n \"CVE-2019-2805\",\n \"CVE-2019-3820\",\n \"CVE-2019-3890\",\n \"CVE-2019-3901\",\n \"CVE-2019-5436\",\n \"CVE-2019-6465\",\n \"CVE-2019-6477\",\n \"CVE-2019-7175\",\n \"CVE-2019-7397\",\n \"CVE-2019-7398\",\n \"CVE-2019-9503\",\n \"CVE-2019-9924\",\n \"CVE-2019-9956\",\n \"CVE-2019-10131\",\n \"CVE-2019-10207\",\n \"CVE-2019-10638\",\n \"CVE-2019-10639\",\n \"CVE-2019-10650\",\n \"CVE-2019-11190\",\n \"CVE-2019-11470\",\n \"CVE-2019-11472\",\n \"CVE-2019-11597\",\n \"CVE-2019-11598\",\n \"CVE-2019-11884\",\n \"CVE-2019-12382\",\n \"CVE-2019-12974\",\n \"CVE-2019-12975\",\n \"CVE-2019-12976\",\n \"CVE-2019-12978\",\n \"CVE-2019-12979\",\n \"CVE-2019-13133\",\n \"CVE-2019-13134\",\n \"CVE-2019-13135\",\n \"CVE-2019-13232\",\n \"CVE-2019-13233\",\n \"CVE-2019-13295\",\n \"CVE-2019-13297\",\n \"CVE-2019-13300\",\n \"CVE-2019-13301\",\n \"CVE-2019-13304\",\n \"CVE-2019-13305\",\n \"CVE-2019-13306\",\n \"CVE-2019-13307\",\n \"CVE-2019-13309\",\n \"CVE-2019-13310\",\n \"CVE-2019-13311\",\n \"CVE-2019-13454\",\n \"CVE-2019-13648\",\n \"CVE-2019-14283\",\n \"CVE-2019-14815\",\n \"CVE-2019-14980\",\n \"CVE-2019-14981\",\n \"CVE-2019-15090\",\n \"CVE-2019-15139\",\n \"CVE-2019-15140\",\n \"CVE-2019-15141\",\n \"CVE-2019-15221\",\n \"CVE-2019-15916\",\n \"CVE-2019-16056\",\n \"CVE-2019-16056\",\n \"CVE-2019-16708\",\n \"CVE-2019-16709\",\n \"CVE-2019-16710\",\n \"CVE-2019-16711\",\n \"CVE-2019-16712\",\n \"CVE-2019-16713\",\n \"CVE-2019-16746\",\n \"CVE-2019-17041\",\n \"CVE-2019-17042\",\n \"CVE-2019-17540\",\n \"CVE-2019-17541\",\n \"CVE-2019-18660\",\n \"CVE-2019-19527\",\n \"CVE-2019-19768\",\n \"CVE-2019-19948\",\n \"CVE-2019-19949\",\n \"CVE-2020-2754\",\n \"CVE-2020-2754\",\n \"CVE-2020-2755\",\n \"CVE-2020-2755\",\n \"CVE-2020-2756\",\n \"CVE-2020-2756\",\n \"CVE-2020-2757\",\n \"CVE-2020-2757\",\n \"CVE-2020-2767\",\n \"CVE-2020-2773\",\n \"CVE-2020-2773\",\n \"CVE-2020-2778\",\n \"CVE-2020-2781\",\n \"CVE-2020-2781\",\n \"CVE-2020-2800\",\n \"CVE-2020-2800\",\n \"CVE-2020-2803\",\n \"CVE-2020-2803\",\n \"CVE-2020-2805\",\n \"CVE-2020-2805\",\n \"CVE-2020-2816\",\n \"CVE-2020-2830\",\n \"CVE-2020-2830\",\n \"CVE-2020-5208\",\n \"CVE-2020-8616\",\n \"CVE-2020-8617\",\n \"CVE-2020-10711\",\n \"CVE-2020-10757\",\n \"CVE-2020-11868\",\n \"CVE-2020-12049\",\n \"CVE-2020-12653\",\n \"CVE-2020-12654\",\n \"CVE-2020-12888\",\n \"CVE-2020-13817\",\n \"CVE-2020-14556\",\n \"CVE-2020-14577\",\n \"CVE-2020-14578\",\n \"CVE-2020-14579\",\n \"CVE-2020-14583\",\n \"CVE-2020-14593\",\n \"CVE-2020-14621\"\n );\n\n script_name(english:\"Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.15.3)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Nutanix AOS host is affected by multiple vulnerabilities .\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of AOS installed on the remote host is prior to 5.15.3. It is, therefore, affected by multiple\nvulnerabilities as referenced in the NXSA-AOS-5.15.3 advisory.\n\n - It's been found that multiple functions in ipmitool before 1.8.19 neglect proper checking of the data\n received from a remote LAN party, which may lead to buffer overflows and potentially to remote code\n execution on the ipmitool side. This is especially dangerous if ipmitool is run as a privileged user. This\n problem is fixed in version 1.8.19. (CVE-2020-5208)\n\n - avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source\n addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic\n amplification) and may cause information leakage by obtaining potentially sensitive information from the\n responding device via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809. (CVE-2017-6519)\n\n - http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not\n correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An\n attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix\n (e.g., pythonicexample.com to steal cookies for example.com). When a program uses\n http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing\n cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before\n 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3. (CVE-2018-20852)\n\n - An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x\n through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An\n application that uses the email module and implements some kind of checks on the From/To headers of a\n message could be tricked into accepting an email address that should be denied. An attack may be the same\n as in CVE-2019-11340; however, this CVE applies to Python more generally. (CVE-2019-16056)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported\n versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to\n client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2754, CVE-2020-2755)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through\n sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying\n data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed\n Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2756, CVE-2020-2757)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported\n versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to\n client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2773)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported\n versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily\n exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java\n SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause\n a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server\n deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and\n sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component\n without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web\n service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2781)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP\n Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded:\n 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well\n as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This\n vulnerability can only be exploited by supplying data to APIs in the specified Component without using\n Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0\n Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-2800)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly\n impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE,\n Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not\n apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed\n by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS\n Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). (CVE-2020-2803, CVE-2020-2805)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency).\n Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.\n Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through\n sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying\n data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed\n Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2830)\n\n - An issue was discovered in Rsyslog v8.1908.0. contrib/pmaixforwardedfrom/pmaixforwardedfrom.c has a heap\n overflow in the parser for AIX log messages. The parser tries to locate a log message delimiter (in this\n case, a space or a colon) but fails to account for strings that do not satisfy this constraint. If the\n string does not match, then the variable lenMsg will reach the value zero and will skip the sanity check\n that detects invalid log messages. The message will then be considered valid, and the parser will eat up\n the nonexistent colon delimiter. In doing so, it will decrement lenMsg, a signed integer, whose value was\n zero and now becomes minus one. The following step in the parser is to shift left the contents of the\n message. To do this, it will call memmove with the right pointers to the target and destination strings,\n but the lenMsg will now be interpreted as a huge value, causing a heap overflow. (CVE-2019-17041)\n\n - An issue was discovered in Rsyslog v8.1908.0. contrib/pmcisconames/pmcisconames.c has a heap overflow in\n the parser for Cisco log messages. The parser tries to locate a log message delimiter (in this case, a\n space or a colon), but fails to account for strings that do not satisfy this constraint. If the string\n does not match, then the variable lenMsg will reach the value zero and will skip the sanity check that\n detects invalid log messages. The message will then be considered valid, and the parser will eat up the\n nonexistent colon delimiter. In doing so, it will decrement lenMsg, a signed integer, whose value was zero\n and now becomes minus one. The following step in the parser is to shift left the contents of the message.\n To do this, it will call memmove with the right pointers to the target and destination strings, but the\n lenMsg will now be interpreted as a huge value, causing a heap overflow. (CVE-2019-17042)\n\n - An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function\n allocate_trace_buffer in the file kernel/trace/trace.c. (CVE-2017-18595)\n\n - In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in\n kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-\n buffer). (CVE-2019-19768)\n\n - A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7.\n This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into\n the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. While processing the CIPSO\n restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate\n that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer\n dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network\n user to crash the system kernel, resulting in a denial of service. (CVE-2020-10711)\n\n - An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-\n daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local\n attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use\n this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus\n clients. (CVE-2020-12049)\n\n - A flaw was found in polkit before version 0.116. The implementation of the\n polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for\n authentication and trigger authentication of unrelated processes owned by other users. This may result in\n a local DoS and information disclosure. (CVE-2018-1116)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are\n affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker\n with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result\n in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized\n read access to a subset of Java SE accessible data. Note: Applies to client and server deployment of Java.\n This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java\n applets. It can also be exploited by supplying data to APIs in the specified Component without using\n sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0\n Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-2767)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are\n affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker\n with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result\n in unauthorized read access to a subset of Java SE accessible data. Note: Applies to client and server\n deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and\n sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component\n without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web\n service. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2020-2778)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are\n affected are Java SE: 11.0.6 and 14. Easily exploitable vulnerability allows unauthenticated attacker with\n network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in\n unauthorized creation, deletion or modification access to critical data or all Java SE accessible data.\n Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component\n without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web\n service. CVSS 3.0 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2020-2816)\n\n - In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured\n with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding\n when verifying the user's credentials. If the header value is not present in the charset conversion table,\n a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example,\n 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of\n one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the\n process would crash which could be used as a Denial of Service attack. In the more likely case, this\n memory is already reserved for future use and the issue has no effect at all. (CVE-2017-15710)\n\n - A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an\n out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is\n considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is\n classified as low risk for common server usage. (CVE-2018-1301)\n\n - In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before\n decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since\n the expiry time is loaded when the session is decoded. (CVE-2018-17199)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth).\n Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily\n exploitable vulnerability allows high privileged attacker with network access via multiple protocols to\n compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to\n cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9\n (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2737)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges).\n Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily\n exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL\n Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well\n as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base\n Score 5.1 (Integrity and Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H). (CVE-2019-2739)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: XML). Supported\n versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability\n impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2740)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported\n versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability\n impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2805)\n\n - In macOS High Sierra before 10.13.5, an issue existed in CUPS. This issue was addressed with improved\n access restrictions. (CVE-2018-4180, CVE-2018-4181)\n\n - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-4300. Reason: This candidate is a\n duplicate of CVE-2018-4300. Notes: All CVE users should reference CVE-2018-4300 instead of this candidate.\n All references and descriptions in this candidate have been removed to prevent accidental usage.\n (CVE-2018-4700)\n\n - In the Linux kernel before 4.1.4, a buffer overflow occurs when checking userspace params in\n drivers/media/dvb-frontends/cx24116.c. The maximum size for a DiSEqC command is 6, according to the\n userspace API. However, the code allows larger values such as 23. (CVE-2015-9289)\n\n - The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to\n the current task's default request-key keyring via the request_key() system call, allowing a local user\n to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write\n permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.\n (CVE-2017-17807)\n\n - The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num\n from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds\n (OOB) read that potentially allows arbitrary read in the kernel address space. (CVE-2018-19985)\n\n - An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during\n the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.\n (CVE-2018-20169)\n\n - In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before\n register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and\n panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. This is similar to\n CVE-2013-4343. (CVE-2018-7191)\n\n - A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before\n 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware\n could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.\n (CVE-2019-10207)\n\n - In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel\n produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple\n destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and\n thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page\n that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses. (CVE-2019-10638)\n\n - The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel\n address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel\n image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and\n ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash\n collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This\n key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via\n enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the\n attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled\n IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic\n is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the\n attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP\n addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to\n have a dependency on an address associated with a network namespace. (CVE-2019-10639)\n\n - The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because\n install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the\n ptrace_may_access() check has a race condition when reading /proc/pid/stat. (CVE-2019-11190)\n\n - The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a\n local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command,\n because a name field may not end with a '\\0' character. (CVE-2019-11884)\n\n - ** DISPUTED ** An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the\n Linux kernel through 5.1.5. There is an unchecked kstrdup of fwstr, which might allow an attacker to cause\n a denial of service (NULL pointer dereference and system crash). NOTE: The vendor disputes this issues as\n not being a vulnerability because kstrdup() returning NULL is handled sufficiently and there is no chance\n for a NULL pointer dereference. (CVE-2019-12382)\n\n - In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an\n LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds\n violation. (CVE-2019-13233)\n\n - In the Linux kernel through 5.2.1 on the powerpc platform, when hardware transactional memory is disabled,\n a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn()\n system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and\n arch/powerpc/kernel/signal_64.c. (CVE-2019-13648)\n\n - In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and\n head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an\n unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by\n default. (CVE-2019-14283)\n\n - A vulnerability was found in Linux Kernel, where a Heap Overflow was found in mwifiex_set_wmm_params()\n function of Marvell Wifi Driver. (CVE-2019-14815)\n\n - An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. In the\n qedi_dbg_* family of functions, there is an out-of-bounds read. (CVE-2019-15090)\n\n - An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a\n malicious USB device in the sound/usb/line6/pcm.c driver. (CVE-2019-15221)\n\n - An issue was discovered in the Linux kernel before 5.0.1. There is a memory leak in\n register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service. (CVE-2019-15916)\n\n - An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check\n the length of variable elements in a beacon head, leading to a buffer overflow. (CVE-2019-16746)\n\n - The Linux kernel before 5.4.1 on powerpc allows Information Exposure because the Spectre-RSB mitigation is\n not in place for all applicable CPUs, aka CID-39e72bf96f58. This is related to\n arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c. (CVE-2019-18660)\n\n - A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.\n As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it\n is possible for the specified target task to perform an execve() syscall with setuid execution before\n perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check\n and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged\n execve() calls. This issue affects kernel versions before 4.8. (CVE-2019-3901)\n\n - The Broadcom brcmfmac WiFi driver prior to commit a4176ec356c73a46c07c181c6d04039fafa34a9f is vulnerable\n to a frame validation bypass. If the brcmfmac driver receives a firmware event frame from a remote source,\n the is_wlc_event_frame function will cause this frame to be discarded and unprocessed. If the driver\n receives the firmware event frame from the host, the appropriate handler is called. This frame validation\n can be bypassed if the bus used is USB (for instance by a wifi dongle). This can allow firmware event\n frames from a remote source to be processed. In the worst case scenario, by sending specially-crafted WiFi\n packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.\n More typically, this vulnerability will result in denial-of-service conditions. (CVE-2019-9503)\n\n - GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a\n specially crafted email that contains a valid signature from the entity to be impersonated as an\n attachment. (CVE-2018-15587)\n\n - It was discovered evolution-ews before 3.31.3 does not check the validity of SSL certificates. An attacker\n could abuse this flaw to get confidential information by tricking the user into connecting to a fake\n server without the user noticing the difference. (CVE-2019-3890)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as\n unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client\n and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-14556)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported\n versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server\n deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and\n sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component\n without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web\n service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2020-14577)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and\n server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-14578, CVE-2020-14579)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a\n person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may\n significantly impact additional products. Successful attacks of this vulnerability can result in takeover\n of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code\n installed by an administrator). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability\n impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). (CVE-2020-14583)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported\n versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily\n exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly\n impact additional products. Successful attacks of this vulnerability can result in unauthorized creation,\n deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note:\n This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start\n applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java\n deployments, typically in servers, that load and run only trusted code (e.g., code installed by an\n administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N). (CVE-2020-14593)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported\n versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily\n exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This\n vulnerability can only be exploited by supplying data to APIs in the specified Component without using\n Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1\n Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2020-14621)\n\n - The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a\n denial of service (out-of-bounds read and application crash) via a crafted ELF file. (CVE-2018-10360)\n\n - ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in\n coders/dds.c, which allows attackers to cause a denial of service. (CVE-2017-1000476)\n\n - The ReadXWDImage function in coders\\xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can\n cause memory exhaustion via a crafted length (number of color-map entries) field in the header of an XWD\n file. (CVE-2017-11166)\n\n - In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function ReadTIFFImage, which\n allows attackers to cause a denial of service. (CVE-2017-12805)\n\n - In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function format8BIM, which\n allows attackers to cause a denial of service. (CVE-2017-12806)\n\n - An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function\n ReadPCDImage in coders/pcd.c, which allow remote attackers to cause a denial of service via a crafted\n file. (CVE-2017-18251)\n\n - An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList function in MagickWand/mogrify.c allows\n attackers to cause a denial of service (assertion failure and application exit in ReplaceImageInList) via\n a crafted file. (CVE-2017-18252)\n\n - An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function\n WriteGIFImage in coders/gif.c, which allow remote attackers to cause a denial of service via a crafted\n file. (CVE-2017-18254)\n\n - In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function\n ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (CPU exhaustion) via a\n crafted MIFF image file. (CVE-2017-18271)\n\n - In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function\n ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a\n crafted image file that is mishandled in a GetImageIndexInList call. (CVE-2017-18273)\n\n - In ImageMagick 7.0.7-28, there is an infinite loop in the ReadOneMNGImage function of the coders/png.c\n file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted mng\n file. (CVE-2018-10177)\n\n - ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage in coders/tiff.c. (CVE-2018-10804)\n\n - ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c. (CVE-2018-10805)\n\n - In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in\n coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file.\n (CVE-2018-11656)\n\n - In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/bmp.c allow attackers to cause an out\n of bounds write via a crafted file. (CVE-2018-12599)\n\n - In ImageMagick 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/dib.c allow attackers to cause an out\n of bounds write via a crafted file. (CVE-2018-12600)\n\n - In ImageMagick 7.0.8-4, there is a memory leak in the XMagickCommand function in MagickCore/animate.c.\n (CVE-2018-13153)\n\n - ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c. (CVE-2018-14434)\n\n - ImageMagick 7.0.8-4 has a memory leak in DecodeImage in coders/pcd.c. (CVE-2018-14435)\n\n - ImageMagick 7.0.8-4 has a memory leak in ReadMIFFImage in coders/miff.c. (CVE-2018-14436)\n\n - ImageMagick 7.0.8-4 has a memory leak in parse8BIM in coders/meta.c. (CVE-2018-14437)\n\n - In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36\n 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory\n resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could\n leverage this vulnerability to cause a denial of service via a crafted file. (CVE-2018-15607)\n\n - In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the CheckEventLogging function in\n MagickCore/log.c. (CVE-2018-16328)\n\n - In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJNGImage in coders/png.c allows an\n attacker to cause a denial of service (WriteBlob assertion failure and application exit) via a crafted\n file. (CVE-2018-16749)\n\n - In ImageMagick 7.0.7-29 and earlier, a memory leak in the formatIPTCfromBuffer function in coders/meta.c\n was found. (CVE-2018-16750)\n\n - There is a memory leak in the function WriteMSLImage of coders/msl.c in ImageMagick 7.0.8-13 Q16, and the\n function ProcessMSLScript of coders/msl.c in GraphicsMagick before 1.3.31. (CVE-2018-18544)\n\n - In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang,\n with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial\n of service via a crafted file. (CVE-2018-20467)\n\n - WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote attackers to cause a denial of\n service (MagickCore/memory.c double free and application crash) or possibly have unspecified other impact\n via a crafted file. (CVE-2018-8804)\n\n - ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage and EncodeLabImage functions\n (coders/tiff.c), which results in a hang (tens of minutes) with a tiny PoC file. Remote attackers could\n leverage this vulnerability to cause a denial of service via a crafted tiff file. (CVE-2018-9133)\n\n - An off-by-one read vulnerability was discovered in ImageMagick before version 7.0.7-28 in the\n formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end\n of the buffer or to crash the program. (CVE-2019-10131)\n\n - In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of\n coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a\n crafted image file. (CVE-2019-10650)\n\n - The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service\n (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size. This\n occurs because ReadCINImage in coders/cin.c lacks a check for insufficient image data in a file.\n (CVE-2019-11470)\n\n - ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows\n attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the\n header indicates neither LSB first nor MSB first. (CVE-2019-11472)\n\n - In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of\n coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure\n via a crafted image file. (CVE-2019-11597)\n\n - In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of\n coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via\n a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c. (CVE-2019-11598)\n\n - A NULL pointer dereference in the function ReadPANGOImage in coders/pango.c and the function ReadVIDImage\n in coders/vid.c in ImageMagick 7.0.8-34 allows remote attackers to cause a denial of service via a crafted\n image. (CVE-2019-12974)\n\n - ImageMagick 7.0.8-34 has a memory leak vulnerability in the WriteDPXImage function in coders/dpx.c.\n (CVE-2019-12975)\n\n - ImageMagick 7.0.8-34 has a memory leak in the ReadPCLImage function in coders/pcl.c. (CVE-2019-12976)\n\n - ImageMagick 7.0.8-34 has a use of uninitialized value vulnerability in the ReadPANGOImage function in\n coders/pango.c. (CVE-2019-12978)\n\n - ImageMagick 7.0.8-34 has a use of uninitialized value vulnerability in the SyncImageSettings function in\n MagickCore/image.c. This is related to AcquireImage in magick/image.c. (CVE-2019-12979)\n\n - ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c.\n (CVE-2019-13133)\n\n - ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadVIFFImage in\n coders/viff.c. (CVE-2019-13134)\n\n - ImageMagick before 7.0.8-50 has a use of uninitialized value vulnerability in the function ReadCUTImage\n in coders/cut.c. (CVE-2019-13135)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in\n AdaptiveThresholdImage because a width of zero is mishandled. (CVE-2019-13295)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in\n AdaptiveThresholdImage because a height of zero is mishandled. (CVE-2019-13297)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages\n because of mishandling columns. (CVE-2019-13300)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory because of an AnnotateImage error.\n (CVE-2019-13301)\n\n - ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a\n misplaced assignment. (CVE-2019-13304)\n\n - ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a\n misplaced strncpy and an off-by-one error. (CVE-2019-13305)\n\n - ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of\n off-by-one errors. (CVE-2019-13306)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages\n because of mishandling rows. (CVE-2019-13307)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of mishandling the NoSuchImage\n error in CLIListOperatorImages in MagickWand/operation.c. (CVE-2019-13309)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of an error in\n MagickWand/mogrify.c. (CVE-2019-13310)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of a wand/mogrify.c error.\n (CVE-2019-13311)\n\n - ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c.\n (CVE-2019-13454)\n\n - In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in\n the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.\n (CVE-2019-14980)\n\n - In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in\n the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file.\n (CVE-2019-14981)\n\n - The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows\n attackers to cause a denial-of-service (application crash resulting from an out-of-bounds Read) in\n ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than\n CVE-2019-11472. (CVE-2019-15139)\n\n - coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after-\n free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that\n is mishandled in ReadImage in MagickCore/constitute.c. (CVE-2019-15140)\n\n - WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service\n (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to\n TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in\n tif_dirwrite.c of LibTIFF. NOTE: this occurs because of an incomplete fix for CVE-2019-11597.\n (CVE-2019-15141)\n\n - ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage. (CVE-2019-16708)\n\n - ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage. (CVE-2019-16709)\n\n - ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in\n MagickCore/memory.c. (CVE-2019-16710)\n\n - ImageMagick 7.0.8-40 has a memory leak in Huffman2DEncodeImage in coders/ps2.c. (CVE-2019-16711)\n\n - ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in coders/ps3.c, as demonstrated by\n WritePS3Image. (CVE-2019-16712)\n\n - ImageMagick 7.0.8-43 has a memory leak in coders/dot.c, as demonstrated by PingImage in\n MagickCore/constitute.c. (CVE-2019-16713)\n\n - ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.\n (CVE-2019-17540)\n\n - ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the\n error manager is mishandled in coders/jpeg.c. (CVE-2019-17541)\n\n - In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer overflow in the function WriteSGIImage of\n coders/sgi.c. (CVE-2019-19948)\n\n - In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WritePNGImage of\n coders/png.c, related to Magick_png_write_raw_profile and LocaleNCompare. (CVE-2019-19949)\n\n - In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c. (CVE-2019-7175)\n\n - In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in\n WritePDFImage in coders/pdf.c. (CVE-2019-7397)\n\n - In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage in coders/dib.c. (CVE-2019-7398)\n\n - In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of\n coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image\n file. (CVE-2019-9956)\n\n - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated\n synchronization via a server mode packet with a spoofed source IP address, because transmissions are\n rescheduled even when a packet lacks a valid origin timestamp. (CVE-2020-11868)\n\n - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service\n (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The\n victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can\n query time from the victim's ntpd instance. (CVE-2020-13817)\n\n - Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and\n Thunderbird before 31.7 allows remote attackers to execute arbitrary code by providing a large amount of\n compressed XML data, a related issue to CVE-2015-1283. (CVE-2015-2716)\n\n - snmp_oid_compare in snmplib/snmp_api.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be\n used by an unauthenticated attacker to remotely cause the instance to crash via a crafted UDP packet,\n resulting in Denial of Service. (CVE-2018-18066)\n\n - Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of\n service (resource consumption), aka a better zip bomb issue. (CVE-2019-13232)\n\n - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e. (CVE-2019-19527)\n\n - A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the way mremap handled DAX Huge Pages.\n This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the\n system. (CVE-2020-10757)\n\n - An issue was found in Linux kernel before 5.5.4. The mwifiex_cmd_append_vsie_tlv() function in\n drivers/net/wireless/marvell/mwifiex/scan.c allows local users to gain privileges or cause a denial of\n service because of an incorrect memcpy and buffer overflow, aka CID-b70261a288ea. (CVE-2020-12653)\n\n - An issue was found in Linux kernel before 5.5.4. mwifiex_ret_wmm_get_status() in\n drivers/net/wireless/marvell/mwifiex/wmm.c allows a remote AP to trigger a heap-based buffer overflow\n because of an incorrect memcpy, aka CID-3a9b153c5591. (CVE-2020-12654)\n\n - managed-keys is a feature which allows a BIND resolver to automatically maintain the keys used by trust\n anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys\n feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if,\n during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm.\n Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions\n 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13\n development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for\n vulnerability to CVE-2018-5745. (CVE-2018-5745)\n\n - Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones\n are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and\n versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13\n development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for\n vulnerability to CVE-2019-6465. (CVE-2019-6465)\n\n - With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to\n a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection\n to a server could consume more resources than the server has been provisioned to handle. When a TCP\n connection with a large number of pipelined queries is closed, the load on the server releasing these\n multiple resources can cause it to become unresponsive, even for queries that can be answered\n authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).\n (CVE-2019-6477)\n\n - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the\n user to execute any command with the permissions of the shell. (CVE-2019-9924)\n\n - The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory\n space. (CVE-2020-12888)\n\n - A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl\n versions 7.19.4 through 7.64.1. (CVE-2019-5436)\n\n - It was discovered that the gnome-shell lock screen since version 3.15.91 did not properly restrict all\n contextual actions. An attacker with physical access to a locked workstation could invoke certain keyboard\n shortcuts, and potentially other actions. (CVE-2019-3820)\n\n - A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches\n performed when processing referrals can, through the use of specially crafted referrals, cause a recursing\n server to issue a very large number of fetches in an attempt to process the referral. This has at least\n two potential effects: The performance of the recursing server can potentially be degraded by the\n additional work required to perform these fetches, and The attacker can exploit this behavior to use the\n recursing server as a reflector in a reflection attack with a high amplification factor. (CVE-2020-8616)\n\n - Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an\n inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the\n server. Since BIND, by default, configures a local session key even on servers whose configuration does\n not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating\n from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately\n exits. Prior to the introduction of the check the server would continue operating in an inconsistent\n state, with potentially harmful results. (CVE-2020-8617)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://download.nutanix.com/advisories/NXSA-AOS-5-15-3.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the Nutanix AOS software to recommended version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9503\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-19948\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:nutanix:aos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"nutanix_collect.nasl\");\n script_require_keys(\"Host/Nutanix/Data/lts\", \"Host/Nutanix/Data/Service\", \"Host/Nutanix/Data/Version\", \"Host/Nutanix/Data/arch\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::nutanix::get_app_info();\n\nvar constraints = [\n { 'fixed_version' : '5.15.3', 'product' : 'AOS', 'fixed_display' : 'Upgrade the AOS install to 5.15.3 or higher.', 'lts' : TRUE },\n { 'fixed_version' : '5.15.3', 'product' : 'NDFS', 'fixed_display' : 'Upgrade the AOS install to 5.15.3 or higher.', 'lts' : TRUE }\n];\n\nvcf::nutanix::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-06T06:29:17", "description": "The version of AOS installed on the remote host is prior to 5.17.1. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.17.1 advisory.\n\n - It's been found that multiple functions in ipmitool before 1.8.19 neglect proper checking of the data received from a remote LAN party, which may lead to buffer overflows and potentially to remote code execution on the ipmitool side. This is especially dangerous if ipmitool is run as a privileged user. This problem is fixed in version 1.8.19. (CVE-2020-5208)\n\n - The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after- free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests. (CVE-2019-11487)\n\n - rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow. (CVE-2019-17666)\n\n - A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where, the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.\n (CVE-2019-19338)\n\n - avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) and may cause information leakage by obtaining potentially sensitive information from the responding device via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809. (CVE-2017-6519)\n\n - The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.\n (CVE-2015-8035)\n\n - Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (CVE-2016-5131)\n\n - Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2017-15412)\n\n - The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file. (CVE-2017-18258)\n\n - A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case.\n Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application. (CVE-2018-14404)\n\n - libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251. (CVE-2018-14567)\n\n - http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3. (CVE-2018-20852)\n\n - An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally. (CVE-2019-16056)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2754, CVE-2020-2755)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2756, CVE-2020-2757)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2773)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2781)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded:\n 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-2800)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). (CVE-2020-2803, CVE-2020-2805)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency).\n Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.\n Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2830)\n\n - An issue was discovered in Rsyslog v8.1908.0. contrib/pmaixforwardedfrom/pmaixforwardedfrom.c has a heap overflow in the parser for AIX log messages. The parser tries to locate a log message delimiter (in this case, a space or a colon) but fails to account for strings that do not satisfy this constraint. If the string does not match, then the variable lenMsg will reach the value zero and will skip the sanity check that detects invalid log messages. The message will then be considered valid, and the parser will eat up the nonexistent colon delimiter. In doing so, it will decrement lenMsg, a signed integer, whose value was zero and now becomes minus one. The following step in the parser is to shift left the contents of the message. To do this, it will call memmove with the right pointers to the target and destination strings, but the lenMsg will now be interpreted as a huge value, causing a heap overflow. (CVE-2019-17041)\n\n - An issue was discovered in Rsyslog v8.1908.0. contrib/pmcisconames/pmcisconames.c has a heap overflow in the parser for Cisco log messages. The parser tries to locate a log message delimiter (in this case, a space or a colon), but fails to account for strings that do not satisfy this constraint. If the string does not match, then the variable lenMsg will reach the value zero and will skip the sanity check that detects invalid log messages. The message will then be considered valid, and the parser will eat up the nonexistent colon delimiter. In doing so, it will decrement lenMsg, a signed integer, whose value was zero and now becomes minus one. The following step in the parser is to shift left the contents of the message.\n To do this, it will call memmove with the right pointers to the target and destination strings, but the lenMsg will now be interpreted as a huge value, causing a heap overflow. (CVE-2019-17042)\n\n - A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for authentication and trigger authentication of unrelated processes owned by other users. This may result in a local DoS and information disclosure. (CVE-2018-1116)\n\n - ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service. (CVE-2017-1000476)\n\n - The ReadXWDImage function in coders\\xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can cause memory exhaustion via a crafted length (number of color-map entries) field in the header of an XWD file. (CVE-2017-11166)\n\n - In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function ReadTIFFImage, which allows attackers to cause a denial of service. (CVE-2017-12805)\n\n - In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function format8BIM, which allows attackers to cause a denial of service. (CVE-2017-12806)\n\n - An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function ReadPCDImage in coders/pcd.c, which allow remote attackers to cause a denial of service via a crafted file. (CVE-2017-18251)\n\n - An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList function in MagickWand/mogrify.c allows attackers to cause a denial of service (assertion failure and application exit in ReplaceImageInList) via a crafted file. (CVE-2017-18252)\n\n - An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function WriteGIFImage in coders/gif.c, which allow remote attackers to cause a denial of service via a crafted file. (CVE-2017-18254)\n\n - In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted MIFF image file. (CVE-2017-18271)\n\n - In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted image file that is mishandled in a GetImageIndexInList call. (CVE-2017-18273)\n\n - In ImageMagick 7.0.7-28, there is an infinite loop in the ReadOneMNGImage function of the coders/png.c file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted mng file. (CVE-2018-10177)\n\n - ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage in coders/tiff.c. (CVE-2018-10804)\n\n - ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c. (CVE-2018-10805)\n\n - In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file.\n (CVE-2018-11656)\n\n - In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/bmp.c allow attackers to cause an out of bounds write via a crafted file. (CVE-2018-12599)\n\n - In ImageMagick 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/dib.c allow attackers to cause an out of bounds write via a crafted file. (CVE-2018-12600)\n\n - In ImageMagick 7.0.8-4, there is a memory leak in the XMagickCommand function in MagickCore/animate.c.\n (CVE-2018-13153)\n\n - ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c. (CVE-2018-14434)\n\n - ImageMagick 7.0.8-4 has a memory leak in DecodeImage in coders/pcd.c. (CVE-2018-14435)\n\n - ImageMagick 7.0.8-4 has a memory leak in ReadMIFFImage in coders/miff.c. (CVE-2018-14436)\n\n - ImageMagick 7.0.8-4 has a memory leak in parse8BIM in coders/meta.c. (CVE-2018-14437)\n\n - In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file. (CVE-2018-15607)\n\n - In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the CheckEventLogging function in MagickCore/log.c. (CVE-2018-16328)\n\n - In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJNGImage in coders/png.c allows an attacker to cause a denial of service (WriteBlob assertion failure and application exit) via a crafted file. (CVE-2018-16749)\n\n - In ImageMagick 7.0.7-29 and earlier, a memory leak in the formatIPTCfromBuffer function in coders/meta.c was found. (CVE-2018-16750)\n\n - There is a memory leak in the function WriteMSLImage of coders/msl.c in ImageMagick 7.0.8-13 Q16, and the function ProcessMSLScript of coders/msl.c in GraphicsMagick before 1.3.31. (CVE-2018-18544)\n\n - In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang, with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file. (CVE-2018-20467)\n\n - WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote attackers to cause a denial of service (MagickCore/memory.c double free and application crash) or possibly have unspecified other impact via a crafted file. (CVE-2018-8804)\n\n - ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage and EncodeLabImage functions (coders/tiff.c), which results in a hang (tens of minutes) with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tiff file. (CVE-2018-9133)\n\n - An off-by-one read vulnerability was discovered in ImageMagick before version 7.0.7-28 in the formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to crash the program. (CVE-2019-10131)\n\n - In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file. (CVE-2019-10650)\n\n - The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size. This occurs because ReadCINImage in coders/cin.c lacks a check for insufficient image data in a file.\n (CVE-2019-11470)\n\n - ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first. (CVE-2019-11472)\n\n - In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. (CVE-2019-11597)\n\n - In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c. (CVE-2019-11598)\n\n - A NULL pointer dereference in the function ReadPANGOImage in coders/pango.c and the function ReadVIDImage in coders/vid.c in ImageMagick 7.0.8-34 allows remote attackers to cause a denial of service via a crafted image. (CVE-2019-12974)\n\n - ImageMagick 7.0.8-34 has a memory leak vulnerability in the WriteDPXImage function in coders/dpx.c.\n (CVE-2019-12975)\n\n - ImageMagick 7.0.8-34 has a memory leak in the ReadPCLImage function in coders/pcl.c. (CVE-2019-12976)\n\n - ImageMagick 7.0.8-34 has a use of uninitialized value vulnerability in the ReadPANGOImage function in coders/pango.c. (CVE-2019-12978)\n\n - ImageMagick 7.0.8-34 has a use of uninitialized value vulnerability in the SyncImageSettings function in MagickCore/image.c. This is related to AcquireImage in magick/image.c. (CVE-2019-12979)\n\n - ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c.\n (CVE-2019-13133)\n\n - ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadVIFFImage in coders/viff.c. (CVE-2019-13134)\n\n - ImageMagick before 7.0.8-50 has a use of uninitialized value vulnerability in the function ReadCUTImage in coders/cut.c. (CVE-2019-13135)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage because a width of zero is mishandled. (CVE-2019-13295)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage because a height of zero is mishandled. (CVE-2019-13297)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages because of mishandling columns. (CVE-2019-13300)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory because of an AnnotateImage error.\n (CVE-2019-13301)\n\n - ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a misplaced assignment. (CVE-2019-13304)\n\n - ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a misplaced strncpy and an off-by-one error. (CVE-2019-13305)\n\n - ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of off-by-one errors. (CVE-2019-13306)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages because of mishandling rows. (CVE-2019-13307)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of mishandling the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c. (CVE-2019-13309)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of an error in MagickWand/mogrify.c. (CVE-2019-13310)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of a wand/mogrify.c error.\n (CVE-2019-13311)\n\n - ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c.\n (CVE-2019-13454)\n\n - In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.\n (CVE-2019-14980)\n\n - In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file.\n (CVE-2019-14981)\n\n - The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (application crash resulting from an out-of-bounds Read) in ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than CVE-2019-11472. (CVE-2019-15139)\n\n - coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after- free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that is mishandled in ReadImage in MagickCore/constitute.c. (CVE-2019-15140)\n\n - WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in tif_dirwrite.c of LibTIFF. NOTE: this occurs because of an incomplete fix for CVE-2019-11597.\n (CVE-2019-15141)\n\n - ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage. (CVE-2019-16708)\n\n - ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage. (CVE-2019-16709)\n\n - ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c. (CVE-2019-16710)\n\n - ImageMagick 7.0.8-40 has a memory leak in Huffman2DEncodeImage in coders/ps2.c. (CVE-2019-16711)\n\n - ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in coders/ps3.c, as demonstrated by WritePS3Image. (CVE-2019-16712)\n\n - ImageMagick 7.0.8-43 has a memory leak in coders/dot.c, as demonstrated by PingImage in MagickCore/constitute.c. (CVE-2019-16713)\n\n - ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.\n (CVE-2019-17540)\n\n - ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the error manager is mishandled in coders/jpeg.c. (CVE-2019-17541)\n\n - In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer overflow in the function WriteSGIImage of coders/sgi.c. (CVE-2019-19948)\n\n - In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WritePNGImage of coders/png.c, related to Magick_png_write_raw_profile and LocaleNCompare. (CVE-2019-19949)\n\n - In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c. (CVE-2019-7175)\n\n - In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in WritePDFImage in coders/pdf.c. (CVE-2019-7397)\n\n - In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage in coders/dib.c. (CVE-2019-7398)\n\n - In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file. (CVE-2019-9956)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: Applies to client and server deployment of Java.\n This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-2767)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2020-2778)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data.\n Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2020-2816)\n\n - In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all. (CVE-2017-15710)\n\n - A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage. (CVE-2018-1301)\n\n - In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded. (CVE-2018-17199)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth).\n Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2737)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges).\n Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.1 (Integrity and Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H). (CVE-2019-2739)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: XML). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2740)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2805)\n\n - The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. (CVE-2018-18074)\n\n - urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext. (CVE-2018-20060)\n\n - In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter. (CVE-2019-11236)\n\n - The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument. (CVE-2019-11324)\n\n - In macOS High Sierra before 10.13.5, an issue existed in CUPS. This issue was addressed with improved access restrictions. (CVE-2018-4180, CVE-2018-4181)\n\n - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-4300. Reason: This candidate is a duplicate of CVE-2018-4300. Notes: All CVE users should reference CVE-2018-4300 instead of this candidate.\n All references and descriptions in this candidate have been removed to prevent accidental usage.\n (CVE-2018-4700)\n\n - In the Linux kernel before 4.1.4, a buffer overflow occurs when checking userspace params in drivers/media/dvb-frontends/cx24116.c. The maximum size for a DiSEqC command is 6, according to the userspace API. However, the code allows larger values such as 23. (CVE-2015-9289)\n\n - The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current task's default request-key keyring via the request_key() system call, allowing a local user to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.\n (CVE-2017-17807)\n\n - The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that potentially allows arbitrary read in the kernel address space. (CVE-2018-19985)\n\n - An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.\n (CVE-2018-20169)\n\n - In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. This is similar to CVE-2013-4343. (CVE-2018-7191)\n\n - A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.\n (CVE-2019-10207)\n\n - In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses. (CVE-2019-10638)\n\n - The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to have a dependency on an address associated with a network namespace. (CVE-2019-10639)\n\n - The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. (CVE-2019-11190)\n\n - The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a '\\0' character. (CVE-2019-11884)\n\n - ** DISPUTED ** An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the Linux kernel through 5.1.5. There is an unchecked kstrdup of fwstr, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: The vendor disputes this issues as not being a vulnerability because kstrdup() returning NULL is handled sufficiently and there is no chance for a NULL pointer dereference. (CVE-2019-12382)\n\n - In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds violation. (CVE-2019-13233)\n\n - In the Linux kernel through 5.2.1 on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c. (CVE-2019-13648)\n\n - In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default. (CVE-2019-14283)\n\n - A vulnerability was found in Linux Kernel, where a Heap Overflow was found in mwifiex_set_wmm_params() function of Marvell Wifi Driver. (CVE-2019-14815)\n\n - An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. In the qedi_dbg_* family of functions, there is an out-of-bounds read. (CVE-2019-15090)\n\n - An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver. (CVE-2019-15221)\n\n - An issue was discovered in the Linux kernel before 5.0.1. There is a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service. (CVE-2019-15916)\n\n - An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow. (CVE-2019-16746)\n\n - The Linux kernel before 5.4.1 on powerpc allows Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs, aka CID-39e72bf96f58. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c. (CVE-2019-18660)\n\n - A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.\n As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls. This issue affects kernel versions before 4.8. (CVE-2019-3901)\n\n - The Broadcom brcmfmac WiFi driver prior to commit a4176ec356c73a46c07c181c6d04039fafa34a9f is vulnerable to a frame validation bypass. If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and unprocessed. If the driver receives the firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed if the bus used is USB (for instance by a wifi dongle). This can allow firmware event frames from a remote source to be processed. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.\n More typically, this vulnerability will result in denial-of-service conditions. (CVE-2019-9503)\n\n - GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment. (CVE-2018-15587)\n\n - It was discovered evolution-ews before 3.31.3 does not check the validity of SSL certificates. An attacker could abuse this flaw to get confidential information by tricking the user into connecting to a fake server without the user noticing the difference. (CVE-2019-3890)\n\n - The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file. (CVE-2018-10360)\n\n - Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code by providing a large amount of compressed XML data, a related issue to CVE-2015-1283. (CVE-2015-2716)\n\n - snmp_oid_compare in snmplib/snmp_api.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an unauthenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. (CVE-2018-18066)\n\n - Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a better zip bomb issue. (CVE-2019-13232)\n\n - managed-keys is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm.\n Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5745. (CVE-2018-5745)\n\n - Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465. (CVE-2019-6465)\n\n - With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).\n (CVE-2019-6477)\n\n - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell. (CVE-2019-9924)\n\n - The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-0199)\n\n - The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-10072)\n\n - When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance. (CVE-2019-12418)\n\n - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. (CVE-2019-17563)\n\n - The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. (CVE-2019-17569)\n\n - A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.\n (CVE-2020-11996)\n\n - An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service. (CVE-2020-13934)\n\n - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. (CVE-2020-13935)\n\n - In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. (CVE-2020-1935)\n\n - When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.\n (CVE-2020-1938)\n\n - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. (CVE-2020-9484)\n\n - An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp. (CVE-2020-10531)\n\n - A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1. (CVE-2019-5436)\n\n - It was discovered that the gnome-shell lock screen since version 3.15.91 did not properly restrict all contextual actions. An attacker with physical access to a locked workstation could invoke certain keyboard shortcuts, and potentially other actions. (CVE-2019-3820)\n\n - A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor. (CVE-2020-8616)\n\n - Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results. (CVE-2020-8617)\n\n - TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. (CVE-2019-11135)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-09-01T00:00:00", "type": "nessus", "title": "Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.17.1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-4343", "CVE-2015-1283", "CVE-2015-2716", "CVE-2015-2809", "CVE-2015-8035", "CVE-2015-9289", "CVE-2016-5131", "CVE-2017-1000476", "CVE-2017-11166", "CVE-2017-12805", "CVE-2017-12806", "CVE-2017-15412", "CVE-2017-15710", "CVE-2017-17807", "CVE-2017-18251", "CVE-2017-18252", "CVE-2017-18254", "CVE-2017-18258", "CVE-2017-18271", "CVE-2017-18273", "CVE-2017-6519", "CVE-2018-10177", "CVE-2018-10360", "CVE-2018-10804", "CVE-2018-10805", "CVE-2018-1116", "CVE-2018-11656", "CVE-2018-12599", "CVE-2018-12600", "CVE-2018-1301", "CVE-2018-13153", "CVE-2018-14404", "CVE-2018-14434", "CVE-2018-14435", "CVE-2018-14436", "CVE-2018-14437", "CVE-2018-14567", "CVE-2018-15587", "CVE-2018-15607", "CVE-2018-16328", "CVE-2018-16749", "CVE-2018-16750", "CVE-2018-17199", "CVE-2018-18066", "CVE-2018-18074", "CVE-2018-18544", "CVE-2018-19985", "CVE-2018-20060", "CVE-2018-20169", "CVE-2018-20467", "CVE-2018-20852", "CVE-2018-4180", "CVE-2018-4181", "CVE-2018-4300", "CVE-2018-4700", "CVE-2018-5745", "CVE-2018-7191", "CVE-2018-8804", "CVE-2018-9133", "CVE-2018-9251", "CVE-2019-0199", "CVE-2019-10072", "CVE-2019-10131", "CVE-2019-10207", "CVE-2019-10638", "CVE-2019-10639", "CVE-2019-10650", "CVE-2019-11135", "CVE-2019-11190", "CVE-2019-11236", "CVE-2019-11324", "CVE-2019-11340", "CVE-2019-11470", "CVE-2019-11472", "CVE-2019-11487", "CVE-2019-11597", "CVE-2019-11598", "CVE-2019-11884", "CVE-2019-12382", "CVE-2019-12418", "CVE-2019-12974", "CVE-2019-12975", "CVE-2019-12976", "CVE-2019-12978", "CVE-2019-12979", "CVE-2019-13133", "CVE-2019-13134", "CVE-2019-13135", "CVE-2019-13232", "CVE-2019-13233", "CVE-2019-13295", "CVE-2019-13297", "CVE-2019-13300", "CVE-2019-13301", "CVE-2019-13304", "CVE-2019-13305", "CVE-2019-13306", "CVE-2019-13307", "CVE-2019-13309", "CVE-2019-13310", "CVE-2019-13311", "CVE-2019-13454", "CVE-2019-13648", "CVE-2019-14283", "CVE-2019-14815", "CVE-2019-14980", "CVE-2019-14981", "CVE-2019-15090", "CVE-2019-15139", "CVE-2019-15140", "CVE-2019-15141", "CVE-2019-15221", "CVE-2019-15916", "CVE-2019-16056", "CVE-2019-16708", "CVE-2019-16709", "CVE-2019-16710", "CVE-2019-16711", "CVE-2019-16712", "CVE-2019-16713", "CVE-2019-16746", "CVE-2019-17041", "CVE-2019-17042", "CVE-2019-17540", "CVE-2019-17541", "CVE-2019-17563", "CVE-2019-17569", "CVE-2019-17666", "CVE-2019-18660", "CVE-2019-19338", "CVE-2019-19948", "CVE-2019-19949", "CVE-2019-2737", "CVE-2019-2739", "CVE-2019-2740", "CVE-2019-2805", "CVE-2019-3820", "CVE-2019-3890", "CVE-2019-3901", "CVE-2019-5436", "CVE-2019-6465", "CVE-2019-6477", "CVE-2019-7175", "CVE-2019-7397", "CVE-2019-7398", "CVE-2019-9503", "CVE-2019-9924", "CVE-2019-9956", "CVE-2020-10531", "CVE-2020-11996", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-1935", "CVE-2020-1938", "CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2767", "CVE-2020-2773", "CVE-2020-2778", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2805", "CVE-2020-2816", "CVE-2020-2830", "CVE-2020-5208", "CVE-2020-8616", "CVE-2020-8617", "CVE-2020-9484"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:nutanix:aos"], "id": "NUTANIX_NXSA-AOS-5_17_1.NASL", "href": "https://www.tenable.com/plugins/nessus/164612", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164612);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2015-2716\",\n \"CVE-2015-8035\",\n \"CVE-2015-9289\",\n \"CVE-2016-5131\",\n \"CVE-2017-6519\",\n \"CVE-2017-11166\",\n \"CVE-2017-12805\",\n \"CVE-2017-12806\",\n \"CVE-2017-15412\",\n \"CVE-2017-15710\",\n \"CVE-2017-17807\",\n \"CVE-2017-18251\",\n \"CVE-2017-18252\",\n \"CVE-2017-18254\",\n \"CVE-2017-18258\",\n \"CVE-2017-18271\",\n \"CVE-2017-18273\",\n \"CVE-2017-1000476\",\n \"CVE-2018-1116\",\n \"CVE-2018-1301\",\n \"CVE-2018-4180\",\n \"CVE-2018-4181\",\n \"CVE-2018-4700\",\n \"CVE-2018-5745\",\n \"CVE-2018-7191\",\n \"CVE-2018-8804\",\n \"CVE-2018-9133\",\n \"CVE-2018-10177\",\n \"CVE-2018-10360\",\n \"CVE-2018-10804\",\n \"CVE-2018-10805\",\n \"CVE-2018-11656\",\n \"CVE-2018-12599\",\n \"CVE-2018-12600\",\n \"CVE-2018-13153\",\n \"CVE-2018-14404\",\n \"CVE-2018-14434\",\n \"CVE-2018-14435\",\n \"CVE-2018-14436\",\n \"CVE-2018-14437\",\n \"CVE-2018-14567\",\n \"CVE-2018-15587\",\n \"CVE-2018-15607\",\n \"CVE-2018-16328\",\n \"CVE-2018-16749\",\n \"CVE-2018-16750\",\n \"CVE-2018-17199\",\n \"CVE-2018-18066\",\n \"CVE-2018-18074\",\n \"CVE-2018-18544\",\n \"CVE-2018-19985\",\n \"CVE-2018-20060\",\n \"CVE-2018-20169\",\n \"CVE-2018-20467\",\n \"CVE-2018-20852\",\n \"CVE-2019-0199\",\n \"CVE-2019-2737\",\n \"CVE-2019-2739\",\n \"CVE-2019-2740\",\n \"CVE-2019-2805\",\n \"CVE-2019-3820\",\n \"CVE-2019-3890\",\n \"CVE-2019-3901\",\n \"CVE-2019-5436\",\n \"CVE-2019-6465\",\n \"CVE-2019-6477\",\n \"CVE-2019-7175\",\n \"CVE-2019-7397\",\n \"CVE-2019-7398\",\n \"CVE-2019-9503\",\n \"CVE-2019-9924\",\n \"CVE-2019-9956\",\n \"CVE-2019-10072\",\n \"CVE-2019-10131\",\n \"CVE-2019-10207\",\n \"CVE-2019-10638\",\n \"CVE-2019-10639\",\n \"CVE-2019-10650\",\n \"CVE-2019-11135\",\n \"CVE-2019-11190\",\n \"CVE-2019-11236\",\n \"CVE-2019-11324\",\n \"CVE-2019-11470\",\n \"CVE-2019-11472\",\n \"CVE-2019-11487\",\n \"CVE-2019-11597\",\n \"CVE-2019-11598\",\n \"CVE-2019-11884\",\n \"CVE-2019-12382\",\n \"CVE-2019-12418\",\n \"CVE-2019-12974\",\n \"CVE-2019-12975\",\n \"CVE-2019-12976\",\n \"CVE-2019-12978\",\n \"CVE-2019-12979\",\n \"CVE-2019-13133\",\n \"CVE-2019-13134\",\n \"CVE-2019-13135\",\n \"CVE-2019-13232\",\n \"CVE-2019-13233\",\n \"CVE-2019-13295\",\n \"CVE-2019-13297\",\n \"CVE-2019-13300\",\n \"CVE-2019-13301\",\n \"CVE-2019-13304\",\n \"CVE-2019-13305\",\n \"CVE-2019-13306\",\n \"CVE-2019-13307\",\n \"CVE-2019-13309\",\n \"CVE-2019-13310\",\n \"CVE-2019-13311\",\n \"CVE-2019-13454\",\n \"CVE-2019-13648\",\n \"CVE-2019-14283\",\n \"CVE-2019-14815\",\n \"CVE-2019-14980\",\n \"CVE-2019-14981\",\n \"CVE-2019-15090\",\n \"CVE-2019-15139\",\n \"CVE-2019-15140\",\n \"CVE-2019-15141\",\n \"CVE-2019-15221\",\n \"CVE-2019-15916\",\n \"CVE-2019-16056\",\n \"CVE-2019-16708\",\n \"CVE-2019-16709\",\n \"CVE-2019-16710\",\n \"CVE-2019-16711\",\n \"CVE-2019-16712\",\n \"CVE-2019-16713\",\n \"CVE-2019-16746\",\n \"CVE-2019-17041\",\n \"CVE-2019-17042\",\n \"CVE-2019-17540\",\n \"CVE-2019-17541\",\n \"CVE-2019-17563\",\n \"CVE-2019-17569\",\n \"CVE-2019-17666\",\n \"CVE-2019-18660\",\n \"CVE-2019-19338\",\n \"CVE-2019-19948\",\n \"CVE-2019-19949\",\n \"CVE-2020-1935\",\n \"CVE-2020-1938\",\n \"CVE-2020-2754\",\n \"CVE-2020-2755\",\n \"CVE-2020-2756\",\n \"CVE-2020-2757\",\n \"CVE-2020-2767\",\n \"CVE-2020-2773\",\n \"CVE-2020-2778\",\n \"CVE-2020-2781\",\n \"CVE-2020-2800\",\n \"CVE-2020-2803\",\n \"CVE-2020-2805\",\n \"CVE-2020-2816\",\n \"CVE-2020-2830\",\n \"CVE-2020-5208\",\n \"CVE-2020-8616\",\n \"CVE-2020-8617\",\n \"CVE-2020-9484\",\n \"CVE-2020-10531\",\n \"CVE-2020-11996\",\n \"CVE-2020-13934\",\n \"CVE-2020-13935\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0021\");\n\n script_name(english:\"Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.17.1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Nutanix AOS host is affected by multiple vulnerabilities .\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of AOS installed on the remote host is prior to 5.17.1. It is, therefore, affected by multiple\nvulnerabilities as referenced in the NXSA-AOS-5.17.1 advisory.\n\n - It's been found that multiple functions in ipmitool before 1.8.19 neglect proper checking of the data\n received from a remote LAN party, which may lead to buffer overflows and potentially to remote code\n execution on the ipmitool side. This is especially dangerous if ipmitool is run as a privileged user. This\n problem is fixed in version 1.8.19. (CVE-2020-5208)\n\n - The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-\n free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,\n include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can\n occur with FUSE requests. (CVE-2019-11487)\n\n - rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a\n certain upper-bound check, leading to a buffer overflow. (CVE-2019-17666)\n\n - A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where,\n the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error\n occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by\n the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction\n mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism\n to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that\n host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.\n (CVE-2019-19338)\n\n - avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source\n addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic\n amplification) and may cause information leakage by obtaining potentially sensitive information from the\n responding device via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809. (CVE-2017-6519)\n\n - The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which\n allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.\n (CVE-2015-8035)\n\n - Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82,\n allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors\n related to the XPointer range-to function. (CVE-2016-5131)\n\n - Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products,\n allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2017-15412)\n\n - The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of\n service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict\n memory usage to what is required for a legitimate file. (CVE-2017-18258)\n\n - A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2\n through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case.\n Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable\n to a denial of service attack due to a crash of the application. (CVE-2018-14404)\n\n - libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite\n loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different\n vulnerability than CVE-2015-8035 and CVE-2018-9251. (CVE-2018-14567)\n\n - http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not\n correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An\n attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix\n (e.g., pythonicexample.com to steal cookies for example.com). When a program uses\n http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing\n cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before\n 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3. (CVE-2018-20852)\n\n - An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x\n through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An\n application that uses the email module and implements some kind of checks on the From/To headers of a\n message could be tricked into accepting an email address that should be denied. An attack may be the same\n as in CVE-2019-11340; however, this CVE applies to Python more generally. (CVE-2019-16056)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported\n versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to\n client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2754, CVE-2020-2755)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through\n sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying\n data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed\n Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2756, CVE-2020-2757)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported\n versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to\n client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2773)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported\n versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily\n exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java\n SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause\n a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server\n deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and\n sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component\n without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web\n service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2781)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP\n Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded:\n 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well\n as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This\n vulnerability can only be exploited by supplying data to APIs in the specified Component without using\n Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0\n Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-2800)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly\n impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE,\n Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not\n apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed\n by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS\n Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). (CVE-2020-2803, CVE-2020-2805)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency).\n Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.\n Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through\n sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying\n data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed\n Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2830)\n\n - An issue was discovered in Rsyslog v8.1908.0. contrib/pmaixforwardedfrom/pmaixforwardedfrom.c has a heap\n overflow in the parser for AIX log messages. The parser tries to locate a log message delimiter (in this\n case, a space or a colon) but fails to account for strings that do not satisfy this constraint. If the\n string does not match, then the variable lenMsg will reach the value zero and will skip the sanity check\n that detects invalid log messages. The message will then be considered valid, and the parser will eat up\n the nonexistent colon delimiter. In doing so, it will decrement lenMsg, a signed integer, whose value was\n zero and now becomes minus one. The following step in the parser is to shift left the contents of the\n message. To do this, it will call memmove with the right pointers to the target and destination strings,\n but the lenMsg will now be interpreted as a huge value, causing a heap overflow. (CVE-2019-17041)\n\n - An issue was discovered in Rsyslog v8.1908.0. contrib/pmcisconames/pmcisconames.c has a heap overflow in\n the parser for Cisco log messages. The parser tries to locate a log message delimiter (in this case, a\n space or a colon), but fails to account for strings that do not satisfy this constraint. If the string\n does not match, then the variable lenMsg will reach the value zero and will skip the sanity check that\n detects invalid log messages. The message will then be considered valid, and the parser will eat up the\n nonexistent colon delimiter. In doing so, it will decrement lenMsg, a signed integer, whose value was zero\n and now becomes minus one. The following step in the parser is to shift left the contents of the message.\n To do this, it will call memmove with the right pointers to the target and destination strings, but the\n lenMsg will now be interpreted as a huge value, causing a heap overflow. (CVE-2019-17042)\n\n - A flaw was found in polkit before version 0.116. The implementation of the\n polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for\n authentication and trigger authentication of unrelated processes owned by other users. This may result in\n a local DoS and information disclosure. (CVE-2018-1116)\n\n - ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in\n coders/dds.c, which allows attackers to cause a denial of service. (CVE-2017-1000476)\n\n - The ReadXWDImage function in coders\\xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can\n cause memory exhaustion via a crafted length (number of color-map entries) field in the header of an XWD\n file. (CVE-2017-11166)\n\n - In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function ReadTIFFImage, which\n allows attackers to cause a denial of service. (CVE-2017-12805)\n\n - In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function format8BIM, which\n allows attackers to cause a denial of service. (CVE-2017-12806)\n\n - An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function\n ReadPCDImage in coders/pcd.c, which allow remote attackers to cause a denial of service via a crafted\n file. (CVE-2017-18251)\n\n - An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList function in MagickWand/mogrify.c allows\n attackers to cause a denial of service (assertion failure and application exit in ReplaceImageInList) via\n a crafted file. (CVE-2017-18252)\n\n - An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function\n WriteGIFImage in coders/gif.c, which allow remote attackers to cause a denial of service via a crafted\n file. (CVE-2017-18254)\n\n - In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function\n ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (CPU exhaustion) via a\n crafted MIFF image file. (CVE-2017-18271)\n\n - In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function\n ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a\n crafted image file that is mishandled in a GetImageIndexInList call. (CVE-2017-18273)\n\n - In ImageMagick 7.0.7-28, there is an infinite loop in the ReadOneMNGImage function of the coders/png.c\n file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted mng\n file. (CVE-2018-10177)\n\n - ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage in coders/tiff.c. (CVE-2018-10804)\n\n - ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c. (CVE-2018-10805)\n\n - In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in\n coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file.\n (CVE-2018-11656)\n\n - In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/bmp.c allow attackers to cause an out\n of bounds write via a crafted file. (CVE-2018-12599)\n\n - In ImageMagick 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/dib.c allow attackers to cause an out\n of bounds write via a crafted file. (CVE-2018-12600)\n\n - In ImageMagick 7.0.8-4, there is a memory leak in the XMagickCommand function in MagickCore/animate.c.\n (CVE-2018-13153)\n\n - ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c. (CVE-2018-14434)\n\n - ImageMagick 7.0.8-4 has a memory leak in DecodeImage in coders/pcd.c. (CVE-2018-14435)\n\n - ImageMagick 7.0.8-4 has a memory leak in ReadMIFFImage in coders/miff.c. (CVE-2018-14436)\n\n - ImageMagick 7.0.8-4 has a memory leak in parse8BIM in coders/meta.c. (CVE-2018-14437)\n\n - In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36\n 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory\n resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could\n leverage this vulnerability to cause a denial of service via a crafted file. (CVE-2018-15607)\n\n - In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the CheckEventLogging function in\n MagickCore/log.c. (CVE-2018-16328)\n\n - In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJNGImage in coders/png.c allows an\n attacker to cause a denial of service (WriteBlob assertion failure and application exit) via a crafted\n file. (CVE-2018-16749)\n\n - In ImageMagick 7.0.7-29 and earlier, a memory leak in the formatIPTCfromBuffer function in coders/meta.c\n was found. (CVE-2018-16750)\n\n - There is a memory leak in the function WriteMSLImage of coders/msl.c in ImageMagick 7.0.8-13 Q16, and the\n function ProcessMSLScript of coders/msl.c in GraphicsMagick before 1.3.31. (CVE-2018-18544)\n\n - In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang,\n with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial\n of service via a crafted file. (CVE-2018-20467)\n\n - WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote attackers to cause a denial of\n service (MagickCore/memory.c double free and application crash) or possibly have unspecified other impact\n via a crafted file. (CVE-2018-8804)\n\n - ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage and EncodeLabImage functions\n (coders/tiff.c), which results in a hang (tens of minutes) with a tiny PoC file. Remote attackers could\n leverage this vulnerability to cause a denial of service via a crafted tiff file. (CVE-2018-9133)\n\n - An off-by-one read vulnerability was discovered in ImageMagick before version 7.0.7-28 in the\n formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end\n of the buffer or to crash the program. (CVE-2019-10131)\n\n - In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of\n coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a\n crafted image file. (CVE-2019-10650)\n\n - The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service\n (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size. This\n occurs because ReadCINImage in coders/cin.c lacks a check for insufficient image data in a file.\n (CVE-2019-11470)\n\n - ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows\n attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the\n header indicates neither LSB first nor MSB first. (CVE-2019-11472)\n\n - In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of\n coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure\n via a crafted image file. (CVE-2019-11597)\n\n - In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of\n coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via\n a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c. (CVE-2019-11598)\n\n - A NULL pointer dereference in the function ReadPANGOImage in coders/pango.c and the function ReadVIDImage\n in coders/vid.c in ImageMagick 7.0.8-34 allows remote attackers to cause a denial of service via a crafted\n image. (CVE-2019-12974)\n\n - ImageMagick 7.0.8-34 has a memory leak vulnerability in the WriteDPXImage function in coders/dpx.c.\n (CVE-2019-12975)\n\n - ImageMagick 7.0.8-34 has a memory leak in the ReadPCLImage function in coders/pcl.c. (CVE-2019-12976)\n\n - ImageMagick 7.0.8-34 has a use of uninitialized value vulnerability in the ReadPANGOImage function in\n coders/pango.c. (CVE-2019-12978)\n\n - ImageMagick 7.0.8-34 has a use of uninitialized value vulnerability in the SyncImageSettings function in\n MagickCore/image.c. This is related to AcquireImage in magick/image.c. (CVE-2019-12979)\n\n - ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c.\n (CVE-2019-13133)\n\n - ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadVIFFImage in\n coders/viff.c. (CVE-2019-13134)\n\n - ImageMagick before 7.0.8-50 has a use of uninitialized value vulnerability in the function ReadCUTImage\n in coders/cut.c. (CVE-2019-13135)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in\n AdaptiveThresholdImage because a width of zero is mishandled. (CVE-2019-13295)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in\n AdaptiveThresholdImage because a height of zero is mishandled. (CVE-2019-13297)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages\n because of mishandling columns. (CVE-2019-13300)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory because of an AnnotateImage error.\n (CVE-2019-13301)\n\n - ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a\n misplaced assignment. (CVE-2019-13304)\n\n - ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a\n misplaced strncpy and an off-by-one error. (CVE-2019-13305)\n\n - ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of\n off-by-one errors. (CVE-2019-13306)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages\n because of mishandling rows. (CVE-2019-13307)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of mishandling the NoSuchImage\n error in CLIListOperatorImages in MagickWand/operation.c. (CVE-2019-13309)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of an error in\n MagickWand/mogrify.c. (CVE-2019-13310)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of a wand/mogrify.c error.\n (CVE-2019-13311)\n\n - ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c.\n (CVE-2019-13454)\n\n - In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in\n the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.\n (CVE-2019-14980)\n\n - In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in\n the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file.\n (CVE-2019-14981)\n\n - The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows\n attackers to cause a denial-of-service (application crash resulting from an out-of-bounds Read) in\n ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than\n CVE-2019-11472. (CVE-2019-15139)\n\n - coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after-\n free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that\n is mishandled in ReadImage in MagickCore/constitute.c. (CVE-2019-15140)\n\n - WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service\n (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to\n TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in\n tif_dirwrite.c of LibTIFF. NOTE: this occurs because of an incomplete fix for CVE-2019-11597.\n (CVE-2019-15141)\n\n - ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage. (CVE-2019-16708)\n\n - ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage. (CVE-2019-16709)\n\n - ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in\n MagickCore/memory.c. (CVE-2019-16710)\n\n - ImageMagick 7.0.8-40 has a memory leak in Huffman2DEncodeImage in coders/ps2.c. (CVE-2019-16711)\n\n - ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in coders/ps3.c, as demonstrated by\n WritePS3Image. (CVE-2019-16712)\n\n - ImageMagick 7.0.8-43 has a memory leak in coders/dot.c, as demonstrated by PingImage in\n MagickCore/constitute.c. (CVE-2019-16713)\n\n - ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.\n (CVE-2019-17540)\n\n - ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the\n error manager is mishandled in coders/jpeg.c. (CVE-2019-17541)\n\n - In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer overflow in the function WriteSGIImage of\n coders/sgi.c. (CVE-2019-19948)\n\n - In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WritePNGImage of\n coders/png.c, related to Magick_png_write_raw_profile and LocaleNCompare. (CVE-2019-19949)\n\n - In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c. (CVE-2019-7175)\n\n - In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in\n WritePDFImage in coders/pdf.c. (CVE-2019-7397)\n\n - In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage in coders/dib.c. (CVE-2019-7398)\n\n - In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of\n coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image\n file. (CVE-2019-9956)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are\n affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker\n with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result\n in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized\n read access to a subset of Java SE accessible data. Note: Applies to client and server deployment of Java.\n This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java\n applets. It can also be exploited by supplying data to APIs in the specified Component without using\n sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0\n Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-2767)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are\n affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker\n with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result\n in unauthorized read access to a subset of Java SE accessible data. Note: Applies to client and server\n deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and\n sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component\n without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web\n service. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2020-2778)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are\n affected are Java SE: 11.0.6 and 14. Easily exploitable vulnerability allows unauthenticated attacker with\n network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in\n unauthorized creation, deletion or modification access to critical data or all Java SE accessible data.\n Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component\n without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web\n service. CVSS 3.0 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2020-2816)\n\n - In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured\n with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding\n when verifying the user's credentials. If the header value is not present in the charset conversion table,\n a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example,\n 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of\n one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the\n process would crash which could be used as a Denial of Service attack. In the more likely case, this\n memory is already reserved for future use and the issue has no effect at all. (CVE-2017-15710)\n\n - A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an\n out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is\n considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is\n classified as low risk for common server usage. (CVE-2018-1301)\n\n - In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before\n decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since\n the expiry time is loaded when the session is decoded. (CVE-2018-17199)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth).\n Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily\n exploitable vulnerability allows high privileged attacker with network access via multiple protocols to\n compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to\n cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9\n (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2737)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges).\n Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily\n exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL\n Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well\n as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base\n Score 5.1 (Integrity and Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H). (CVE-2019-2739)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: XML). Supported\n versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability\n impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2740)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported\n versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability\n impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2805)\n\n - The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon\n receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover\n credentials by sniffing the network. (CVE-2018-18074)\n\n - urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin\n redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the\n Authorization header to be exposed to unintended hosts or transmitted in cleartext. (CVE-2018-20060)\n\n - In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the\n request parameter. (CVE-2019-11236)\n\n - The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA\n certificates is different from the OS store of CA certificates, which results in SSL connections\n succeeding in situations where a verification failure is the correct outcome. This is related to use of\n the ssl_context, ca_certs, or ca_certs_dir argument. (CVE-2019-11324)\n\n - In macOS High Sierra before 10.13.5, an issue existed in CUPS. This issue was addressed with improved\n access restrictions. (CVE-2018-4180, CVE-2018-4181)\n\n - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-4300. Reason: This candidate is a\n duplicate of CVE-2018-4300. Notes: All CVE users should reference CVE-2018-4300 instead of this candidate.\n All references and descriptions in this candidate have been removed to prevent accidental usage.\n (CVE-2018-4700)\n\n - In the Linux kernel before 4.1.4, a buffer overflow occurs when checking userspace params in\n drivers/media/dvb-frontends/cx24116.c. The maximum size for a DiSEqC command is 6, according to the\n userspace API. However, the code allows larger values such as 23. (CVE-2015-9289)\n\n - The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to\n the current task's default request-key keyring via the request_key() system call, allowing a local user\n to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write\n permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.\n (CVE-2017-17807)\n\n - The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num\n from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds\n (OOB) read that potentially allows arbitrary read in the kernel address space. (CVE-2018-19985)\n\n - An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during\n the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.\n (CVE-2018-20169)\n\n - In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before\n register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and\n panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. This is similar to\n CVE-2013-4343. (CVE-2018-7191)\n\n - A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before\n 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware\n could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.\n (CVE-2019-10207)\n\n - In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel\n produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple\n destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and\n thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page\n that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses. (CVE-2019-10638)\n\n - The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel\n address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel\n image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and\n ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash\n collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This\n key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via\n enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the\n attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled\n IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic\n is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the\n attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP\n addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to\n have a dependency on an address associated with a network namespace. (CVE-2019-10639)\n\n - The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because\n install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the\n ptrace_may_access() check has a race condition when reading /proc/pid/stat. (CVE-2019-11190)\n\n - The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a\n local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command,\n because a name field may not end with a '\\0' character. (CVE-2019-11884)\n\n - ** DISPUTED ** An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the\n Linux kernel through 5.1.5. There is an unchecked kstrdup of fwstr, which might allow an attacker to cause\n a denial of service (NULL pointer dereference and system crash). NOTE: The vendor disputes this issues as\n not being a vulnerability because kstrdup() returning NULL is handled sufficiently and there is no chance\n for a NULL pointer dereference. (CVE-2019-12382)\n\n - In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an\n LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds\n violation. (CVE-2019-13233)\n\n - In the Linux kernel through 5.2.1 on the powerpc platform, when hardware transactional memory is disabled,\n a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn()\n system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and\n arch/powerpc/kernel/signal_64.c. (CVE-2019-13648)\n\n - In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and\n head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an\n unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by\n default. (CVE-2019-14283)\n\n - A vulnerability was found in Linux Kernel, where a Heap Overflow was found in mwifiex_set_wmm_params()\n function of Marvell Wifi Driver. (CVE-2019-14815)\n\n - An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. In the\n qedi_dbg_* family of functions, there is an out-of-bounds read. (CVE-2019-15090)\n\n - An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a\n malicious USB device in the sound/usb/line6/pcm.c driver. (CVE-2019-15221)\n\n - An issue was discovered in the Linux kernel before 5.0.1. There is a memory leak in\n register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service. (CVE-2019-15916)\n\n - An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check\n the length of variable elements in a beacon head, leading to a buffer overflow. (CVE-2019-16746)\n\n - The Linux kernel before 5.4.1 on powerpc allows Information Exposure because the Spectre-RSB mitigation is\n not in place for all applicable CPUs, aka CID-39e72bf96f58. This is related to\n arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c. (CVE-2019-18660)\n\n - A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.\n As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it\n is possible for the specified target task to perform an execve() syscall with setuid execution before\n perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check\n and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged\n execve() calls. This issue affects kernel versions before 4.8. (CVE-2019-3901)\n\n - The Broadcom brcmfmac WiFi driver prior to commit a4176ec356c73a46c07c181c6d04039fafa34a9f is vulnerable\n to a frame validation bypass. If the brcmfmac driver receives a firmware event frame from a remote source,\n the is_wlc_event_frame function will cause this frame to be discarded and unprocessed. If the driver\n receives the firmware event frame from the host, the appropriate handler is called. This frame validation\n can be bypassed if the bus used is USB (for instance by a wifi dongle). This can allow firmware event\n frames from a remote source to be processed. In the worst case scenario, by sending specially-crafted WiFi\n packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.\n More typically, this vulnerability will result in denial-of-service conditions. (CVE-2019-9503)\n\n - GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a\n specially crafted email that contains a valid signature from the entity to be impersonated as an\n attachment. (CVE-2018-15587)\n\n - It was discovered evolution-ews before 3.31.3 does not check the validity of SSL certificates. An attacker\n could abuse this flaw to get confidential information by tricking the user into connecting to a fake\n server without the user noticing the difference. (CVE-2019-3890)\n\n - The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a\n denial of service (out-of-bounds read and application crash) via a crafted ELF file. (CVE-2018-10360)\n\n - Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and\n Thunderbird before 31.7 allows remote attackers to execute arbitrary code by providing a large amount of\n compressed XML data, a related issue to CVE-2015-1283. (CVE-2015-2716)\n\n - snmp_oid_compare in snmplib/snmp_api.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be\n used by an unauthenticated attacker to remotely cause the instance to crash via a crafted UDP packet,\n resulting in Denial of Service. (CVE-2018-18066)\n\n - Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of\n service (resource consumption), aka a better zip bomb issue. (CVE-2019-13232)\n\n - managed-keys is a feature which allows a BIND resolver to automatically maintain the keys used by trust\n anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys\n feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if,\n during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm.\n Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions\n 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13\n development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for\n vulnerability to CVE-2018-5745. (CVE-2018-5745)\n\n - Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones\n are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and\n versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13\n development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for\n vulnerability to CVE-2019-6465. (CVE-2019-6465)\n\n - With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to\n a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection\n to a server could consume more resources than the server has been provisioned to handle. When a TCP\n connection with a large number of pipelined queries is closed, the load on the server releasing these\n multiple resources can cause it to become unresponsive, even for queries that can be answered\n authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).\n (CVE-2019-6477)\n\n - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the\n user to execute any command with the permissions of the shell. (CVE-2019-9924)\n\n - The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with\n excessive numbers of SETTINGS frames and also permitted clients to keep streams open without\n reading/writing request/response data. By keeping streams open for requests that utilised the Servlet\n API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread\n exhaustion and a DoS. (CVE-2019-0199)\n\n - The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write\n in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages\n for the connection window (stream 0) clients were able to cause server-side threads to block eventually\n leading to thread exhaustion and a DoS. (CVE-2019-10072)\n\n - When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote\n Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able\n to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords\n used to access the JMX interface. The attacker can then use these credentials to access the JMX interface\n and gain complete control over the Tomcat instance. (CVE-2019-12418)\n\n - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98\n there was a narrow window where an attacker could perform a session fixation attack. The window was\n considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has\n been treated as a security vulnerability. (CVE-2019-17563)\n\n - The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99\n introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were\n incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a\n reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a\n reverse proxy is considered unlikely. (CVE-2019-17569)\n\n - A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to\n 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of\n such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.\n (CVE-2020-11996)\n\n - An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56\n did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such\n requests were made, an OutOfMemoryException could occur leading to a denial of service. (CVE-2020-13934)\n\n - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to\n 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could\n trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of\n service. (CVE-2020-13935)\n\n - In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used\n an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led\n to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly\n handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered\n unlikely. (CVE-2020-1935)\n\n - When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to\n Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP\n connection. If such connections are available to an attacker, they can be exploited in ways that may be\n surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped\n with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected\n (and recommended in the security guide) that this Connector would be disabled if not required. This\n vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the\n web application - processing any file in the web application as a JSP Further, if the web application\n allowed file upload and stored those files within the web application (or the attacker was able to control\n the content of the web application by some other means) then this, along with the ability to process a\n file as a JSP, made remote code execution possible. It is important to note that mitigation is only\n required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth\n approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to\n Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP\n Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading\n to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.\n (CVE-2020-1938)\n\n - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to\n 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the\n server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is\n configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used)\n or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker\n knows the relative file path from the storage location used by FileStore to the file the attacker has\n control over; then, using a specifically crafted request, the attacker will be able to trigger remote code\n execution via deserialization of the file under their control. Note that all of conditions a) to d) must\n be true for the attack to succeed. (CVE-2020-9484)\n\n - An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer\n overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in\n common/unistr.cpp. (CVE-2020-10531)\n\n - A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl\n versions 7.19.4 through 7.64.1. (CVE-2019-5436)\n\n - It was discovered that the gnome-shell lock screen since version 3.15.91 did not properly restrict all\n contextual actions. An attacker with physical access to a locked workstation could invoke certain keyboard\n shortcuts, and potentially other actions. (CVE-2019-3820)\n\n - A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches\n performed when processing referrals can, through the use of specially crafted referrals, cause a recursing\n server to issue a very large number of fetches in an attempt to process the referral. This has at least\n two potential effects: The performance of the recursing server can potentially be degraded by the\n additional work required to perform these fetches, and The attacker can exploit this behavior to use the\n recursing server as a reflector in a reflection attack with a high amplification factor. (CVE-2020-8616)\n\n - Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an\n inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the\n server. Since BIND, by default, configures a local session key even on servers whose configuration does\n not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating\n from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately\n exits. Prior to the introduction of the check the server would continue operating in an inconsistent\n state, with potentially harmful results. (CVE-2020-8617)\n\n - TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated\n user to potentially enable information disclosure via a side channel with local access. (CVE-2019-11135)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://download.nutanix.com/advisories/NXSA-AOS-5-17-1.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the Nutanix AOS software to recommended version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17666\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1938\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:nutanix:aos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"nutanix_collect.nasl\");\n script_require_keys(\"Host/Nutanix/Data/lts\", \"Host/Nutanix/Data/Service\", \"Host/Nutanix/Data/Version\", \"Host/Nutanix/Data/arch\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::nutanix::get_app_info();\n\nvar constraints = [\n { 'fixed_version' : '5.17.1', 'product' : 'AOS', 'fixed_display' : 'Upgrade the AOS install to 5.17.1 or higher.', 'lts' : FALSE },\n { 'fixed_version' : '5.17.1', 'product' : 'NDFS', 'fixed_display' : 'Upgrade the AOS install to 5.17.1 or higher.', 'lts' : FALSE }\n];\n\nvcf::nutanix::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-06T06:29:31", "description": "The version of AOS installed on the remote host is prior to 5.18. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.18 advisory.\n\n - It's been found that multiple functions in ipmitool before 1.8.19 neglect proper checking of the data received from a remote LAN party, which may lead to buffer overflows and potentially to remote code execution on the ipmitool side. This is especially dangerous if ipmitool is run as a privileged user. This problem is fixed in version 1.8.19. (CVE-2020-5208)\n\n - The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after- free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests. (CVE-2019-11487)\n\n - rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow. (CVE-2019-17666)\n\n - A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where, the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.\n (CVE-2019-19338)\n\n - avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) and may cause information leakage by obtaining potentially sensitive information from the responding device via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809. (CVE-2017-6519)\n\n - The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.\n (CVE-2015-8035)\n\n - Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (CVE-2016-5131)\n\n - Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2017-15412)\n\n - The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file. (CVE-2017-18258)\n\n - A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case.\n Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application. (CVE-2018-14404)\n\n - libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251. (CVE-2018-14567)\n\n - http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3. (CVE-2018-20852)\n\n - An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally. (CVE-2019-16056)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2754, CVE-2020-2755)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2756, CVE-2020-2757)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2773)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2781)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded:\n 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-2800)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). (CVE-2020-2803, CVE-2020-2805)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency).\n Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.\n Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2830)\n\n - An issue was discovered in Rsyslog v8.1908.0. contrib/pmaixforwardedfrom/pmaixforwardedfrom.c has a heap overflow in the parser for AIX log messages. The parser tries to locate a log message delimiter (in this case, a space or a colon) but fails to account for strings that do not satisfy this constraint. If the string does not match, then the variable lenMsg will reach the value zero and will skip the sanity check that detects invalid log messages. The message will then be considered valid, and the parser will eat up the nonexistent colon delimiter. In doing so, it will decrement lenMsg, a signed integer, whose value was zero and now becomes minus one. The following step in the parser is to shift left the contents of the message. To do this, it will call memmove with the right pointers to the target and destination strings, but the lenMsg will now be interpreted as a huge value, causing a heap overflow. (CVE-2019-17041)\n\n - An issue was discovered in Rsyslog v8.1908.0. contrib/pmcisconames/pmcisconames.c has a heap overflow in the parser for Cisco log messages. The parser tries to locate a log message delimiter (in this case, a space or a colon), but fails to account for strings that do not satisfy this constraint. If the string does not match, then the variable lenMsg will reach the value zero and will skip the sanity check that detects invalid log messages. The message will then be considered valid, and the parser will eat up the nonexistent colon delimiter. In doing so, it will decrement lenMsg, a signed integer, whose value was zero and now becomes minus one. The following step in the parser is to shift left the contents of the message.\n To do this, it will call memmove with the right pointers to the target and destination strings, but the lenMsg will now be interpreted as a huge value, causing a heap overflow. (CVE-2019-17042)\n\n - An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c. (CVE-2017-18595)\n\n - In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub- buffer). (CVE-2019-19768)\n\n - A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7.\n This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. While processing the CIPSO restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network user to crash the system kernel, resulting in a denial of service. (CVE-2020-10711)\n\n - An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus- daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients. (CVE-2020-12049)\n\n - A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for authentication and trigger authentication of unrelated processes owned by other users. This may result in a local DoS and information disclosure. (CVE-2018-1116)\n\n - ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service. (CVE-2017-1000476)\n\n - The ReadXWDImage function in coders\\xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can cause memory exhaustion via a crafted length (number of color-map entries) field in the header of an XWD file. (CVE-2017-11166)\n\n - In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function ReadTIFFImage, which allows attackers to cause a denial of service. (CVE-2017-12805)\n\n - In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function format8BIM, which allows attackers to cause a denial of service. (CVE-2017-12806)\n\n - An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function ReadPCDImage in coders/pcd.c, which allow remote attackers to cause a denial of service via a crafted file. (CVE-2017-18251)\n\n - An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList function in MagickWand/mogrify.c allows attackers to cause a denial of service (assertion failure and application exit in ReplaceImageInList) via a crafted file. (CVE-2017-18252)\n\n - An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function WriteGIFImage in coders/gif.c, which allow remote attackers to cause a denial of service via a crafted file. (CVE-2017-18254)\n\n - In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted MIFF image file. (CVE-2017-18271)\n\n - In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted image file that is mishandled in a GetImageIndexInList call. (CVE-2017-18273)\n\n - In ImageMagick 7.0.7-28, there is an infinite loop in the ReadOneMNGImage function of the coders/png.c file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted mng file. (CVE-2018-10177)\n\n - ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage in coders/tiff.c. (CVE-2018-10804)\n\n - ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c. (CVE-2018-10805)\n\n - In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file.\n (CVE-2018-11656)\n\n - In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/bmp.c allow attackers to cause an out of bounds write via a crafted file. (CVE-2018-12599)\n\n - In ImageMagick 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/dib.c allow attackers to cause an out of bounds write via a crafted file. (CVE-2018-12600)\n\n - In ImageMagick 7.0.8-4, there is a memory leak in the XMagickCommand function in MagickCore/animate.c.\n (CVE-2018-13153)\n\n - ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c. (CVE-2018-14434)\n\n - ImageMagick 7.0.8-4 has a memory leak in DecodeImage in coders/pcd.c. (CVE-2018-14435)\n\n - ImageMagick 7.0.8-4 has a memory leak in ReadMIFFImage in coders/miff.c. (CVE-2018-14436)\n\n - ImageMagick 7.0.8-4 has a memory leak in parse8BIM in coders/meta.c. (CVE-2018-14437)\n\n - In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file. (CVE-2018-15607)\n\n - In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the CheckEventLogging function in MagickCore/log.c. (CVE-2018-16328)\n\n - In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJNGImage in coders/png.c allows an attacker to cause a denial of service (WriteBlob assertion failure and application exit) via a crafted file. (CVE-2018-16749)\n\n - In ImageMagick 7.0.7-29 and earlier, a memory leak in the formatIPTCfromBuffer function in coders/meta.c was found. (CVE-2018-16750)\n\n - There is a memory leak in the function WriteMSLImage of coders/msl.c in ImageMagick 7.0.8-13 Q16, and the function ProcessMSLScript of coders/msl.c in GraphicsMagick before 1.3.31. (CVE-2018-18544)\n\n - In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang, with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file. (CVE-2018-20467)\n\n - WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote attackers to cause a denial of service (MagickCore/memory.c double free and application crash) or possibly have unspecified other impact via a crafted file. (CVE-2018-8804)\n\n - ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage and EncodeLabImage functions (coders/tiff.c), which results in a hang (tens of minutes) with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tiff file. (CVE-2018-9133)\n\n - An off-by-one read vulnerability was discovered in ImageMagick before version 7.0.7-28 in the formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to crash the program. (CVE-2019-10131)\n\n - In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file. (CVE-2019-10650)\n\n - The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size. This occurs because ReadCINImage in coders/cin.c lacks a check for insufficient image data in a file.\n (CVE-2019-11470)\n\n - ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first. (CVE-2019-11472)\n\n - In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. (CVE-2019-11597)\n\n - In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c. (CVE-2019-11598)\n\n - A NULL pointer dereference in the function ReadPANGOImage in coders/pango.c and the function ReadVIDImage in coders/vid.c in ImageMagick 7.0.8-34 allows remote attackers to cause a denial of service via a crafted image. (CVE-2019-12974)\n\n - ImageMagick 7.0.8-34 has a memory leak vulnerability in the WriteDPXImage function in coders/dpx.c.\n (CVE-2019-12975)\n\n - ImageMagick 7.0.8-34 has a memory leak in the ReadPCLImage function in coders/pcl.c. (CVE-2019-12976)\n\n - ImageMagick 7.0.8-34 has a use of uninitialized value vulnerability in the ReadPANGOImage function in coders/pango.c. (CVE-2019-12978)\n\n - ImageMagick 7.0.8-34 has a use of uninitialized value vulnerability in the SyncImageSettings function in MagickCore/image.c. This is related to AcquireImage in magick/image.c. (CVE-2019-12979)\n\n - ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c.\n (CVE-2019-13133)\n\n - ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadVIFFImage in coders/viff.c. (CVE-2019-13134)\n\n - ImageMagick before 7.0.8-50 has a use of uninitialized value vulnerability in the function ReadCUTImage in coders/cut.c. (CVE-2019-13135)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage because a width of zero is mishandled. (CVE-2019-13295)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage because a height of zero is mishandled. (CVE-2019-13297)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages because of mishandling columns. (CVE-2019-13300)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory because of an AnnotateImage error.\n (CVE-2019-13301)\n\n - ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a misplaced assignment. (CVE-2019-13304)\n\n - ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a misplaced strncpy and an off-by-one error. (CVE-2019-13305)\n\n - ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of off-by-one errors. (CVE-2019-13306)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages because of mishandling rows. (CVE-2019-13307)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of mishandling the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c. (CVE-2019-13309)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of an error in MagickWand/mogrify.c. (CVE-2019-13310)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of a wand/mogrify.c error.\n (CVE-2019-13311)\n\n - ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c.\n (CVE-2019-13454)\n\n - In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.\n (CVE-2019-14980)\n\n - In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file.\n (CVE-2019-14981)\n\n - The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (application crash resulting from an out-of-bounds Read) in ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than CVE-2019-11472. (CVE-2019-15139)\n\n - coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after- free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that is mishandled in ReadImage in MagickCore/constitute.c. (CVE-2019-15140)\n\n - WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in tif_dirwrite.c of LibTIFF. NOTE: this occurs because of an incomplete fix for CVE-2019-11597.\n (CVE-2019-15141)\n\n - ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage. (CVE-2019-16708)\n\n - ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage. (CVE-2019-16709)\n\n - ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c. (CVE-2019-16710)\n\n - ImageMagick 7.0.8-40 has a memory leak in Huffman2DEncodeImage in coders/ps2.c. (CVE-2019-16711)\n\n - ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in coders/ps3.c, as demonstrated by WritePS3Image. (CVE-2019-16712)\n\n - ImageMagick 7.0.8-43 has a memory leak in coders/dot.c, as demonstrated by PingImage in MagickCore/constitute.c. (CVE-2019-16713)\n\n - ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.\n (CVE-2019-17540)\n\n - ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the error manager is mishandled in coders/jpeg.c. (CVE-2019-17541)\n\n - In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer overflow in the function WriteSGIImage of coders/sgi.c. (CVE-2019-19948)\n\n - In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WritePNGImage of coders/png.c, related to Magick_png_write_raw_profile and LocaleNCompare. (CVE-2019-19949)\n\n - In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c. (CVE-2019-7175)\n\n - In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in WritePDFImage in coders/pdf.c. (CVE-2019-7397)\n\n - In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage in coders/dib.c. (CVE-2019-7398)\n\n - In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file. (CVE-2019-9956)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: Applies to client and server deployment of Java.\n This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-2767)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2020-2778)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data.\n Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2020-2816)\n\n - In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all. (CVE-2017-15710)\n\n - A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage. (CVE-2018-1301)\n\n - In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded. (CVE-2018-17199)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth).\n Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2737)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges).\n Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.1 (Integrity and Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H). (CVE-2019-2739)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: XML). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2740)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2805)\n\n - The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. (CVE-2018-18074)\n\n - urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext. (CVE-2018-20060)\n\n - In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter. (CVE-2019-11236)\n\n - The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument. (CVE-2019-11324)\n\n - In macOS High Sierra before 10.13.5, an issue existed in CUPS. This issue was addressed with improved access restrictions. (CVE-2018-4180, CVE-2018-4181)\n\n - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-4300. Reason: This candidate is a duplicate of CVE-2018-4300. Notes: All CVE users should reference CVE-2018-4300 instead of this candidate.\n All references and descriptions in this candidate have been removed to prevent accidental usage.\n (CVE-2018-4700)\n\n - In the Linux kernel before 4.1.4, a buffer overflow occurs when checking userspace params in drivers/media/dvb-frontends/cx24116.c. The maximum size for a DiSEqC command is 6, according to the userspace API. However, the code allows larger values such as 23. (CVE-2015-9289)\n\n - The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current task's default request-key keyring via the request_key() system call, allowing a local user to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.\n (CVE-2017-17807)\n\n - The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that potentially allows arbitrary read in the kernel address space. (CVE-2018-19985)\n\n - An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.\n (CVE-2018-20169)\n\n - In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. This is similar to CVE-2013-4343. (CVE-2018-7191)\n\n - A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.\n (CVE-2019-10207)\n\n - In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses. (CVE-2019-10638)\n\n - The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to have a dependency on an address associated with a network namespace. (CVE-2019-10639)\n\n - The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. (CVE-2019-11190)\n\n - The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a '\\0' character. (CVE-2019-11884)\n\n - ** DISPUTED ** An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the Linux kernel through 5.1.5. There is an unchecked kstrdup of fwstr, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: The vendor disputes this issues as not being a vulnerability because kstrdup() returning NULL is handled sufficiently and there is no chance for a NULL pointer dereference. (CVE-2019-12382)\n\n - In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds violation. (CVE-2019-13233)\n\n - In the Linux kernel through 5.2.1 on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c. (CVE-2019-13648)\n\n - In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default. (CVE-2019-14283)\n\n - A vulnerability was found in Linux Kernel, where a Heap Overflow was found in mwifiex_set_wmm_params() function of Marvell Wifi Driver. (CVE-2019-14815)\n\n - An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. In the qedi_dbg_* family of functions, there is an out-of-bounds read. (CVE-2019-15090)\n\n - An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver. (CVE-2019-15221)\n\n - An issue was discovered in the Linux kernel before 5.0.1. There is a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service. (CVE-2019-15916)\n\n - An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow. (CVE-2019-16746)\n\n - The Linux kernel before 5.4.1 on powerpc allows Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs, aka CID-39e72bf96f58. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c. (CVE-2019-18660)\n\n - A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.\n As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls. This issue affects kernel versions before 4.8. (CVE-2019-3901)\n\n - The Broadcom brcmfmac WiFi driver prior to commit a4176ec356c73a46c07c181c6d04039fafa34a9f is vulnerable to a frame validation bypass. If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and unprocessed. If the driver receives the firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed if the bus used is USB (for instance by a wifi dongle). This can allow firmware event frames from a remote source to be processed. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.\n More typically, this vulnerability will result in denial-of-service conditions. (CVE-2019-9503)\n\n - GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment. (CVE-2018-15587)\n\n - It was discovered evolution-ews before 3.31.3 does not check the validity of SSL certificates. An attacker could abuse this flaw to get confidential information by tricking the user into connecting to a fake server without the user noticing the difference. (CVE-2019-3890)\n\n - The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file. (CVE-2018-10360)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-14556)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2020-14577)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-14578, CVE-2020-14579)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). (CVE-2020-14583)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note:\n This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N). (CVE-2020-14593)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2020-14621)\n\n - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp. (CVE-2020-11868)\n\n - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can query time from the victim's ntpd instance. (CVE-2020-13817)\n\n - Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code by providing a large amount of compressed XML data, a related issue to CVE-2015-1283. (CVE-2015-2716)\n\n - snmp_oid_compare in snmplib/snmp_api.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an unauthenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. (CVE-2018-18066)\n\n - Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a better zip bomb issue. (CVE-2019-13232)\n\n - managed-keys is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm.\n Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5745. (CVE-2018-5745)\n\n - Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465. (CVE-2019-6465)\n\n - With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).\n (CVE-2019-6477)\n\n - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell. (CVE-2019-9924)\n\n - The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-0199)\n\n - The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-10072)\n\n - When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance. (CVE-2019-12418)\n\n - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. (CVE-2019-17563)\n\n - The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. (CVE-2019-17569)\n\n - A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.\n (CVE-2020-11996)\n\n - An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service. (CVE-2020-13934)\n\n - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. (CVE-2020-13935)\n\n - In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. (CVE-2020-1935)\n\n - When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.\n (CVE-2020-1938)\n\n - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. (CVE-2020-9484)\n\n - The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory space. (CVE-2020-12888)\n\n - An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp. (CVE-2020-10531)\n\n - A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1. (CVE-2019-5436)\n\n - It was discovered that the gnome-shell lock screen since version 3.15.91 did not properly restrict all contextual actions. An attacker with physical access to a locked workstation could invoke certain keyboard shortcuts, and potentially other actions. (CVE-2019-3820)\n\n - A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor. (CVE-2020-8616)\n\n - Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results. (CVE-2020-8617)\n\n - TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. (CVE-2019-11135)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-09-01T00:00:00", "type": "nessus", "title": "Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.18)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-4343", "CVE-2015-1283", "CVE-2015-2716", "CVE-2015-2809", "CVE-2015-8035", "CVE-2015-9289", "CVE-2016-5131", "CVE-2017-1000476", "CVE-2017-11166", "CVE-2017-12805", "CVE-2017-12806", "CVE-2017-15412", "CVE-2017-15710", "CVE-2017-17807", "CVE-2017-18251", "CVE-2017-18252", "CVE-2017-18254", "CVE-2017-18258", "CVE-2017-18271", "CVE-2017-18273", "CVE-2017-18595", "CVE-2017-6519", "CVE-2018-10177", "CVE-2018-10360", "CVE-2018-10804", "CVE-2018-10805", "CVE-2018-1116", "CVE-2018-11656", "CVE-2018-12599", "CVE-2018-12600", "CVE-2018-1301", "CVE-2018-13153", "CVE-2018-14404", "CVE-2018-14434", "CVE-2018-14435", "CVE-2018-14436", "CVE-2018-14437", "CVE-2018-14567", "CVE-2018-15587", "CVE-2018-15607", "CVE-2018-16328", "CVE-2018-16749", "CVE-2018-16750", "CVE-2018-17199", "CVE-2018-18066", "CVE-2018-18074", "CVE-2018-18544", "CVE-2018-19985", "CVE-2018-20060", "CVE-2018-20169", "CVE-2018-20467", "CVE-2018-20852", "CVE-2018-4180", "CVE-2018-4181", "CVE-2018-4300", "CVE-2018-4700", "CVE-2018-5745", "CVE-2018-7191", "CVE-2018-8804", "CVE-2018-9133", "CVE-2018-9251", "CVE-2019-0199", "CVE-2019-10072", "CVE-2019-10131", "CVE-2019-10207", "CVE-2019-10638", "CVE-2019-10639", "CVE-2019-10650", "CVE-2019-11135", "CVE-2019-11190", "CVE-2019-11236", "CVE-2019-11324", "CVE-2019-11340", "CVE-2019-11470", "CVE-2019-11472", "CVE-2019-11487", "CVE-2019-11597", "CVE-2019-11598", "CVE-2019-11884", "CVE-2019-12382", "CVE-2019-12418", "CVE-2019-12974", "CVE-2019-12975", "CVE-2019-12976", "CVE-2019-12978", "CVE-2019-12979", "CVE-2019-13133", "CVE-2019-13134", "CVE-2019-13135", "CVE-2019-13232", "CVE-2019-13233", "CVE-2019-13295", "CVE-2019-13297", "CVE-2019-13300", "CVE-2019-13301", "CVE-2019-13304", "CVE-2019-13305", "CVE-2019-13306", "CVE-2019-13307", "CVE-2019-13309", "CVE-2019-13310", "CVE-2019-13311", "CVE-2019-13454", "CVE-2019-13648", "CVE-2019-14283", "CVE-2019-14815", "CVE-2019-14980", "CVE-2019-14981", "CVE-2019-15090", "CVE-2019-15139", "CVE-2019-15140", "CVE-2019-15141", "CVE-2019-15221", "CVE-2019-15916", "CVE-2019-16056", "CVE-2019-16708", "CVE-2019-16709", "CVE-2019-16710", "CVE-2019-16711", "CVE-2019-16712", "CVE-2019-16713", "CVE-2019-16746", "CVE-2019-17041", "CVE-2019-17042", "CVE-2019-17540", "CVE-2019-17541", "CVE-2019-17563", "CVE-2019-17569", "CVE-2019-17666", "CVE-2019-18660", "CVE-2019-19338", "CVE-2019-19768", "CVE-2019-19948", "CVE-2019-19949", "CVE-2019-2737", "CVE-2019-2739", "CVE-2019-2740", "CVE-2019-2805", "CVE-2019-3820", "CVE-2019-3890", "CVE-2019-3901", "CVE-2019-5436", "CVE-2019-6465", "CVE-2019-6477", "CVE-2019-7175", "CVE-2019-7397", "CVE-2019-7398", "CVE-2019-9503", "CVE-2019-9924", "CVE-2019-9956", "CVE-2020-10531", "CVE-2020-10711", "CVE-2020-11868", "CVE-2020-11996", "CVE-2020-12049", "CVE-2020-12888", "CVE-2020-13817", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-14556", "CVE-2020-14577", "CVE-2020-14578", "CVE-2020-14579", "CVE-2020-14583", "CVE-2020-14593", "CVE-2020-14621", "CVE-2020-1935", "CVE-2020-1938", "CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2767", "CVE-2020-2773", "CVE-2020-2778", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2805", "CVE-2020-2816", "CVE-2020-2830", "CVE-2020-5208", "CVE-2020-8616", "CVE-2020-8617", "CVE-2020-9484"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:nutanix:aos"], "id": "NUTANIX_NXSA-AOS-5_18.NASL", "href": "https://www.tenable.com/plugins/nessus/164595", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164595);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2015-2716\",\n \"CVE-2015-8035\",\n \"CVE-2015-9289\",\n \"CVE-2016-5131\",\n \"CVE-2017-6519\",\n \"CVE-2017-11166\",\n \"CVE-2017-12805\",\n \"CVE-2017-12806\",\n \"CVE-2017-15412\",\n \"CVE-2017-15710\",\n \"CVE-2017-17807\",\n \"CVE-2017-18251\",\n \"CVE-2017-18252\",\n \"CVE-2017-18254\",\n \"CVE-2017-18258\",\n \"CVE-2017-18271\",\n \"CVE-2017-18273\",\n \"CVE-2017-18595\",\n \"CVE-2017-1000476\",\n \"CVE-2018-1116\",\n \"CVE-2018-1301\",\n \"CVE-2018-4180\",\n \"CVE-2018-4181\",\n \"CVE-2018-4700\",\n \"CVE-2018-5745\",\n \"CVE-2018-7191\",\n \"CVE-2018-8804\",\n \"CVE-2018-9133\",\n \"CVE-2018-10177\",\n \"CVE-2018-10360\",\n \"CVE-2018-10804\",\n \"CVE-2018-10805\",\n \"CVE-2018-11656\",\n \"CVE-2018-12599\",\n \"CVE-2018-12600\",\n \"CVE-2018-13153\",\n \"CVE-2018-14404\",\n \"CVE-2018-14434\",\n \"CVE-2018-14435\",\n \"CVE-2018-14436\",\n \"CVE-2018-14437\",\n \"CVE-2018-14567\",\n \"CVE-2018-15587\",\n \"CVE-2018-15607\",\n \"CVE-2018-16328\",\n \"CVE-2018-16749\",\n \"CVE-2018-16750\",\n \"CVE-2018-17199\",\n \"CVE-2018-18066\",\n \"CVE-2018-18074\",\n \"CVE-2018-18544\",\n \"CVE-2018-19985\",\n \"CVE-2018-20060\",\n \"CVE-2018-20169\",\n \"CVE-2018-20467\",\n \"CVE-2018-20852\",\n \"CVE-2019-0199\",\n \"CVE-2019-2737\",\n \"CVE-2019-2739\",\n \"CVE-2019-2740\",\n \"CVE-2019-2805\",\n \"CVE-2019-3820\",\n \"CVE-2019-3890\",\n \"CVE-2019-3901\",\n \"CVE-2019-5436\",\n \"CVE-2019-6465\",\n \"CVE-2019-6477\",\n \"CVE-2019-7175\",\n \"CVE-2019-7397\",\n \"CVE-2019-7398\",\n \"CVE-2019-9503\",\n \"CVE-2019-9924\",\n \"CVE-2019-9956\",\n \"CVE-2019-10072\",\n \"CVE-2019-10131\",\n \"CVE-2019-10207\",\n \"CVE-2019-10638\",\n \"CVE-2019-10639\",\n \"CVE-2019-10650\",\n \"CVE-2019-11135\",\n \"CVE-2019-11190\",\n \"CVE-2019-11236\",\n \"CVE-2019-11324\",\n \"CVE-2019-11470\",\n \"CVE-2019-11472\",\n \"CVE-2019-11487\",\n \"CVE-2019-11597\",\n \"CVE-2019-11598\",\n \"CVE-2019-11884\",\n \"CVE-2019-12382\",\n \"CVE-2019-12418\",\n \"CVE-2019-12974\",\n \"CVE-2019-12975\",\n \"CVE-2019-12976\",\n \"CVE-2019-12978\",\n \"CVE-2019-12979\",\n \"CVE-2019-13133\",\n \"CVE-2019-13134\",\n \"CVE-2019-13135\",\n \"CVE-2019-13232\",\n \"CVE-2019-13233\",\n \"CVE-2019-13295\",\n \"CVE-2019-13297\",\n \"CVE-2019-13300\",\n \"CVE-2019-13301\",\n \"CVE-2019-13304\",\n \"CVE-2019-13305\",\n \"CVE-2019-13306\",\n \"CVE-2019-13307\",\n \"CVE-2019-13309\",\n \"CVE-2019-13310\",\n \"CVE-2019-13311\",\n \"CVE-2019-13454\",\n \"CVE-2019-13648\",\n \"CVE-2019-14283\",\n \"CVE-2019-14815\",\n \"CVE-2019-14980\",\n \"CVE-2019-14981\",\n \"CVE-2019-15090\",\n \"CVE-2019-15139\",\n \"CVE-2019-15140\",\n \"CVE-2019-15141\",\n \"CVE-2019-15221\",\n \"CVE-2019-15916\",\n \"CVE-2019-16056\",\n \"CVE-2019-16708\",\n \"CVE-2019-16709\",\n \"CVE-2019-16710\",\n \"CVE-2019-16711\",\n \"CVE-2019-16712\",\n \"CVE-2019-16713\",\n \"CVE-2019-16746\",\n \"CVE-2019-17041\",\n \"CVE-2019-17042\",\n \"CVE-2019-17540\",\n \"CVE-2019-17541\",\n \"CVE-2019-17563\",\n \"CVE-2019-17569\",\n \"CVE-2019-17666\",\n \"CVE-2019-18660\",\n \"CVE-2019-19338\",\n \"CVE-2019-19768\",\n \"CVE-2019-19948\",\n \"CVE-2019-19949\",\n \"CVE-2020-1935\",\n \"CVE-2020-1938\",\n \"CVE-2020-2754\",\n \"CVE-2020-2755\",\n \"CVE-2020-2756\",\n \"CVE-2020-2757\",\n \"CVE-2020-2767\",\n \"CVE-2020-2773\",\n \"CVE-2020-2778\",\n \"CVE-2020-2781\",\n \"CVE-2020-2800\",\n \"CVE-2020-2803\",\n \"CVE-2020-2805\",\n \"CVE-2020-2816\",\n \"CVE-2020-2830\",\n \"CVE-2020-5208\",\n \"CVE-2020-8616\",\n \"CVE-2020-8617\",\n \"CVE-2020-9484\",\n \"CVE-2020-10531\",\n \"CVE-2020-10711\",\n \"CVE-2020-11868\",\n \"CVE-2020-11996\",\n \"CVE-2020-12049\",\n \"CVE-2020-12888\",\n \"CVE-2020-13817\",\n \"CVE-2020-13934\",\n \"CVE-2020-13935\",\n \"CVE-2020-14556\",\n \"CVE-2020-14577\",\n \"CVE-2020-14578\",\n \"CVE-2020-14579\",\n \"CVE-2020-14583\",\n \"CVE-2020-14593\",\n \"CVE-2020-14621\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0021\");\n\n script_name(english:\"Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.18)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Nutanix AOS host is affected by multiple vulnerabilities .\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of AOS installed on the remote host is prior to 5.18. It is, therefore, affected by multiple vulnerabilities\nas referenced in the NXSA-AOS-5.18 advisory.\n\n - It's been found that multiple functions in ipmitool before 1.8.19 neglect proper checking of the data\n received from a remote LAN party, which may lead to buffer overflows and potentially to remote code\n execution on the ipmitool side. This is especially dangerous if ipmitool is run as a privileged user. This\n problem is fixed in version 1.8.19. (CVE-2020-5208)\n\n - The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-\n free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,\n include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can\n occur with FUSE requests. (CVE-2019-11487)\n\n - rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a\n certain upper-bound check, leading to a buffer overflow. (CVE-2019-17666)\n\n - A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where,\n the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error\n occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by\n the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction\n mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism\n to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that\n host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.\n (CVE-2019-19338)\n\n - avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source\n addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic\n amplification) and may cause information leakage by obtaining potentially sensitive information from the\n responding device via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809. (CVE-2017-6519)\n\n - The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which\n allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.\n (CVE-2015-8035)\n\n - Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82,\n allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors\n related to the XPointer range-to function. (CVE-2016-5131)\n\n - Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products,\n allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2017-15412)\n\n - The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of\n service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict\n memory usage to what is required for a legitimate file. (CVE-2017-18258)\n\n - A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2\n through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case.\n Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable\n to a denial of service attack due to a crash of the application. (CVE-2018-14404)\n\n - libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite\n loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different\n vulnerability than CVE-2015-8035 and CVE-2018-9251. (CVE-2018-14567)\n\n - http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not\n correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An\n attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix\n (e.g., pythonicexample.com to steal cookies for example.com). When a program uses\n http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing\n cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before\n 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3. (CVE-2018-20852)\n\n - An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x\n through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An\n application that uses the email module and implements some kind of checks on the From/To headers of a\n message could be tricked into accepting an email address that should be denied. An attack may be the same\n as in CVE-2019-11340; however, this CVE applies to Python more generally. (CVE-2019-16056)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported\n versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to\n client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2754, CVE-2020-2755)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through\n sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying\n data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed\n Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2756, CVE-2020-2757)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported\n versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to\n client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2773)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported\n versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily\n exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java\n SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause\n a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server\n deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and\n sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component\n without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web\n service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2781)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP\n Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded:\n 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well\n as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This\n vulnerability can only be exploited by supplying data to APIs in the specified Component without using\n Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0\n Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-2800)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly\n impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE,\n Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not\n apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed\n by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS\n Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). (CVE-2020-2803, CVE-2020-2805)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency).\n Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.\n Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through\n sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying\n data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed\n Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2830)\n\n - An issue was discovered in Rsyslog v8.1908.0. contrib/pmaixforwardedfrom/pmaixforwardedfrom.c has a heap\n overflow in the parser for AIX log messages. The parser tries to locate a log message delimiter (in this\n case, a space or a colon) but fails to account for strings that do not satisfy this constraint. If the\n string does not match, then the variable lenMsg will reach the value zero and will skip the sanity check\n that detects invalid log messages. The message will then be considered valid, and the parser will eat up\n the nonexistent colon delimiter. In doing so, it will decrement lenMsg, a signed integer, whose value was\n zero and now becomes minus one. The following step in the parser is to shift left the contents of the\n message. To do this, it will call memmove with the right pointers to the target and destination strings,\n but the lenMsg will now be interpreted as a huge value, causing a heap overflow. (CVE-2019-17041)\n\n - An issue was discovered in Rsyslog v8.1908.0. contrib/pmcisconames/pmcisconames.c has a heap overflow in\n the parser for Cisco log messages. The parser tries to locate a log message delimiter (in this case, a\n space or a colon), but fails to account for strings that do not satisfy this constraint. If the string\n does not match, then the variable lenMsg will reach the value zero and will skip the sanity check that\n detects invalid log messages. The message will then be considered valid, and the parser will eat up the\n nonexistent colon delimiter. In doing so, it will decrement lenMsg, a signed integer, whose value was zero\n and now becomes minus one. The following step in the parser is to shift left the contents of the message.\n To do this, it will call memmove with the right pointers to the target and destination strings, but the\n lenMsg will now be interpreted as a huge value, causing a heap overflow. (CVE-2019-17042)\n\n - An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function\n allocate_trace_buffer in the file kernel/trace/trace.c. (CVE-2017-18595)\n\n - In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in\n kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-\n buffer). (CVE-2019-19768)\n\n - A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7.\n This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into\n the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. While processing the CIPSO\n restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate\n that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer\n dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network\n user to crash the system kernel, resulting in a denial of service. (CVE-2020-10711)\n\n - An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-\n daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local\n attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use\n this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus\n clients. (CVE-2020-12049)\n\n - A flaw was found in polkit before version 0.116. The implementation of the\n polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for\n authentication and trigger authentication of unrelated processes owned by other users. This may result in\n a local DoS and information disclosure. (CVE-2018-1116)\n\n - ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in\n coders/dds.c, which allows attackers to cause a denial of service. (CVE-2017-1000476)\n\n - The ReadXWDImage function in coders\\xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can\n cause memory exhaustion via a crafted length (number of color-map entries) field in the header of an XWD\n file. (CVE-2017-11166)\n\n - In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function ReadTIFFImage, which\n allows attackers to cause a denial of service. (CVE-2017-12805)\n\n - In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function format8BIM, which\n allows attackers to cause a denial of service. (CVE-2017-12806)\n\n - An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function\n ReadPCDImage in coders/pcd.c, which allow remote attackers to cause a denial of service via a crafted\n file. (CVE-2017-18251)\n\n - An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList function in MagickWand/mogrify.c allows\n attackers to cause a denial of service (assertion failure and application exit in ReplaceImageInList) via\n a crafted file. (CVE-2017-18252)\n\n - An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function\n WriteGIFImage in coders/gif.c, which allow remote attackers to cause a denial of service via a crafted\n file. (CVE-2017-18254)\n\n - In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function\n ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (CPU exhaustion) via a\n crafted MIFF image file. (CVE-2017-18271)\n\n - In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function\n ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a\n crafted image file that is mishandled in a GetImageIndexInList call. (CVE-2017-18273)\n\n - In ImageMagick 7.0.7-28, there is an infinite loop in the ReadOneMNGImage function of the coders/png.c\n file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted mng\n file. (CVE-2018-10177)\n\n - ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage in coders/tiff.c. (CVE-2018-10804)\n\n - ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c. (CVE-2018-10805)\n\n - In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in\n coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file.\n (CVE-2018-11656)\n\n - In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/bmp.c allow attackers to cause an out\n of bounds write via a crafted file. (CVE-2018-12599)\n\n - In ImageMagick 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/dib.c allow attackers to cause an out\n of bounds write via a crafted file. (CVE-2018-12600)\n\n - In ImageMagick 7.0.8-4, there is a memory leak in the XMagickCommand function in MagickCore/animate.c.\n (CVE-2018-13153)\n\n - ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c. (CVE-2018-14434)\n\n - ImageMagick 7.0.8-4 has a memory leak in DecodeImage in coders/pcd.c. (CVE-2018-14435)\n\n - ImageMagick 7.0.8-4 has a memory leak in ReadMIFFImage in coders/miff.c. (CVE-2018-14436)\n\n - ImageMagick 7.0.8-4 has a memory leak in parse8BIM in coders/meta.c. (CVE-2018-14437)\n\n - In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36\n 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory\n resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could\n leverage this vulnerability to cause a denial of service via a crafted file. (CVE-2018-15607)\n\n - In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the CheckEventLogging function in\n MagickCore/log.c. (CVE-2018-16328)\n\n - In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJNGImage in coders/png.c allows an\n attacker to cause a denial of service (WriteBlob assertion failure and application exit) via a crafted\n file. (CVE-2018-16749)\n\n - In ImageMagick 7.0.7-29 and earlier, a memory leak in the formatIPTCfromBuffer function in coders/meta.c\n was found. (CVE-2018-16750)\n\n - There is a memory leak in the function WriteMSLImage of coders/msl.c in ImageMagick 7.0.8-13 Q16, and the\n function ProcessMSLScript of coders/msl.c in GraphicsMagick before 1.3.31. (CVE-2018-18544)\n\n - In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang,\n with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial\n of service via a crafted file. (CVE-2018-20467)\n\n - WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote attackers to cause a denial of\n service (MagickCore/memory.c double free and application crash) or possibly have unspecified other impact\n via a crafted file. (CVE-2018-8804)\n\n - ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage and EncodeLabImage functions\n (coders/tiff.c), which results in a hang (tens of minutes) with a tiny PoC file. Remote attackers could\n leverage this vulnerability to cause a denial of service via a crafted tiff file. (CVE-2018-9133)\n\n - An off-by-one read vulnerability was discovered in ImageMagick before version 7.0.7-28 in the\n formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end\n of the buffer or to crash the program. (CVE-2019-10131)\n\n - In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of\n coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a\n crafted image file. (CVE-2019-10650)\n\n - The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service\n (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size. This\n occurs because ReadCINImage in coders/cin.c lacks a check for insufficient image data in a file.\n (CVE-2019-11470)\n\n - ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows\n attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the\n header indicates neither LSB first nor MSB first. (CVE-2019-11472)\n\n - In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of\n coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure\n via a crafted image file. (CVE-2019-11597)\n\n - In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of\n coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via\n a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c. (CVE-2019-11598)\n\n - A NULL pointer dereference in the function ReadPANGOImage in coders/pango.c and the function ReadVIDImage\n in coders/vid.c in ImageMagick 7.0.8-34 allows remote attackers to cause a denial of service via a crafted\n image. (CVE-2019-12974)\n\n - ImageMagick 7.0.8-34 has a memory leak vulnerability in the WriteDPXImage function in coders/dpx.c.\n (CVE-2019-12975)\n\n - ImageMagick 7.0.8-34 has a memory leak in the ReadPCLImage function in coders/pcl.c. (CVE-2019-12976)\n\n - ImageMagick 7.0.8-34 has a use of uninitialized value vulnerability in the ReadPANGOImage function in\n coders/pango.c. (CVE-2019-12978)\n\n - ImageMagick 7.0.8-34 has a use of uninitialized value vulnerability in the SyncImageSettings function in\n MagickCore/image.c. This is related to AcquireImage in magick/image.c. (CVE-2019-12979)\n\n - ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c.\n (CVE-2019-13133)\n\n - ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadVIFFImage in\n coders/viff.c. (CVE-2019-13134)\n\n - ImageMagick before 7.0.8-50 has a use of uninitialized value vulnerability in the function ReadCUTImage\n in coders/cut.c. (CVE-2019-13135)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in\n AdaptiveThresholdImage because a width of zero is mishandled. (CVE-2019-13295)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in\n AdaptiveThresholdImage because a height of zero is mishandled. (CVE-2019-13297)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages\n because of mishandling columns. (CVE-2019-13300)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory because of an AnnotateImage error.\n (CVE-2019-13301)\n\n - ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a\n misplaced assignment. (CVE-2019-13304)\n\n - ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a\n misplaced strncpy and an off-by-one error. (CVE-2019-13305)\n\n - ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of\n off-by-one errors. (CVE-2019-13306)\n\n - ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages\n because of mishandling rows. (CVE-2019-13307)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of mishandling the NoSuchImage\n error in CLIListOperatorImages in MagickWand/operation.c. (CVE-2019-13309)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of an error in\n MagickWand/mogrify.c. (CVE-2019-13310)\n\n - ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of a wand/mogrify.c error.\n (CVE-2019-13311)\n\n - ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c.\n (CVE-2019-13454)\n\n - In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in\n the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.\n (CVE-2019-14980)\n\n - In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in\n the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file.\n (CVE-2019-14981)\n\n - The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows\n attackers to cause a denial-of-service (application crash resulting from an out-of-bounds Read) in\n ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than\n CVE-2019-11472. (CVE-2019-15139)\n\n - coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after-\n free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that\n is mishandled in ReadImage in MagickCore/constitute.c. (CVE-2019-15140)\n\n - WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service\n (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to\n TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in\n tif_dirwrite.c of LibTIFF. NOTE: this occurs because of an incomplete fix for CVE-2019-11597.\n (CVE-2019-15141)\n\n - ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage. (CVE-2019-16708)\n\n - ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage. (CVE-2019-16709)\n\n - ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in\n MagickCore/memory.c. (CVE-2019-16710)\n\n - ImageMagick 7.0.8-40 has a memory leak in Huffman2DEncodeImage in coders/ps2.c. (CVE-2019-16711)\n\n - ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in coders/ps3.c, as demonstrated by\n WritePS3Image. (CVE-2019-16712)\n\n - ImageMagick 7.0.8-43 has a memory leak in coders/dot.c, as demonstrated by PingImage in\n MagickCore/constitute.c. (CVE-2019-16713)\n\n - ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.\n (CVE-2019-17540)\n\n - ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the\n error manager is mishandled in coders/jpeg.c. (CVE-2019-17541)\n\n - In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer overflow in the function WriteSGIImage of\n coders/sgi.c. (CVE-2019-19948)\n\n - In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WritePNGImage of\n coders/png.c, related to Magick_png_write_raw_profile and LocaleNCompare. (CVE-2019-19949)\n\n - In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c. (CVE-2019-7175)\n\n - In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in\n WritePDFImage in coders/pdf.c. (CVE-2019-7397)\n\n - In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage in coders/dib.c. (CVE-2019-7398)\n\n - In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of\n coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image\n file. (CVE-2019-9956)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are\n affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker\n with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result\n in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized\n read access to a subset of Java SE accessible data. Note: Applies to client and server deployment of Java.\n This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java\n applets. It can also be exploited by supplying data to APIs in the specified Component without using\n sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0\n Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-2767)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are\n affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker\n with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result\n in unauthorized read access to a subset of Java SE accessible data. Note: Applies to client and server\n deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and\n sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component\n without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web\n service. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2020-2778)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are\n affected are Java SE: 11.0.6 and 14. Easily exploitable vulnerability allows unauthenticated attacker with\n network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in\n unauthorized creation, deletion or modification access to critical data or all Java SE accessible data.\n Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component\n without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web\n service. CVSS 3.0 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2020-2816)\n\n - In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured\n with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding\n when verifying the user's credentials. If the header value is not present in the charset conversion table,\n a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example,\n 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of\n one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the\n process would crash which could be used as a Denial of Service attack. In the more likely case, this\n memory is already reserved for future use and the issue has no effect at all. (CVE-2017-15710)\n\n - A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an\n out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is\n considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is\n classified as low risk for common server usage. (CVE-2018-1301)\n\n - In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before\n decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since\n the expiry time is loaded when the session is decoded. (CVE-2018-17199)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth).\n Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily\n exploitable vulnerability allows high privileged attacker with network access via multiple protocols to\n compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to\n cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9\n (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2737)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges).\n Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily\n exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL\n Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well\n as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base\n Score 5.1 (Integrity and Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H). (CVE-2019-2739)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: XML). Supported\n versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability\n impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2740)\n\n - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported\n versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability\n impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2805)\n\n - The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon\n receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover\n credentials by sniffing the network. (CVE-2018-18074)\n\n - urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin\n redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the\n Authorization header to be exposed to unintended hosts or transmitted in cleartext. (CVE-2018-20060)\n\n - In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the\n request parameter. (CVE-2019-11236)\n\n - The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA\n certificates is different from the OS store of CA certificates, which results in SSL connections\n succeeding in situations where a verification failure is the correct outcome. This is related to use of\n the ssl_context, ca_certs, or ca_certs_dir argument. (CVE-2019-11324)\n\n - In macOS High Sierra before 10.13.5, an issue existed in CUPS. This issue was addressed with improved\n access restrictions. (CVE-2018-4180, CVE-2018-4181)\n\n - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-4300. Reason: This candidate is a\n duplicate of CVE-2018-4300. Notes: All CVE users should reference CVE-2018-4300 instead of this candidate.\n All references and descriptions in this candidate have been removed to prevent accidental usage.\n (CVE-2018-4700)\n\n - In the Linux kernel before 4.1.4, a buffer overflow occurs when checking userspace params in\n drivers/media/dvb-frontends/cx24116.c. The maximum size for a DiSEqC command is 6, according to the\n userspace API. However, the code allows larger values such as 23. (CVE-2015-9289)\n\n - The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to\n the current task's default request-key keyring via the request_key() system call, allowing a local user\n to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write\n permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.\n (CVE-2017-17807)\n\n - The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num\n from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds\n (OOB) read that potentially allows arbitrary read in the kernel address space. (CVE-2018-19985)\n\n - An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during\n the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.\n (CVE-2018-20169)\n\n - In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before\n register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and\n panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. This is similar to\n CVE-2013-4343. (CVE-2018-7191)\n\n - A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before\n 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware\n could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.\n (CVE-2019-10207)\n\n - In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel\n produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple\n destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and\n thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page\n that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses. (CVE-2019-10638)\n\n - The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel\n address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel\n image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and\n ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash\n collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This\n key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via\n enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the\n attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled\n IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic\n is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the\n attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP\n addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to\n have a dependency on an address associated with a network namespace. (CVE-2019-10639)\n\n - The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because\n install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the\n ptrace_may_access() check has a race condition when reading /proc/pid/stat. (CVE-2019-11190)\n\n - The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a\n local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command,\n because a name field may not end with a '\\0' character. (CVE-2019-11884)\n\n - ** DISPUTED ** An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the\n Linux kernel through 5.1.5. There is an unchecked kstrdup of fwstr, which might allow an attacker to cause\n a denial of service (NULL pointer dereference and system crash). NOTE: The vendor disputes this issues as\n not being a vulnerability because kstrdup() returning NULL is handled sufficiently and there is no chance\n for a NULL pointer dereference. (CVE-2019-12382)\n\n - In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an\n LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds\n violation. (CVE-2019-13233)\n\n - In the Linux kernel through 5.2.1 on the powerpc platform, when hardware transactional memory is disabled,\n a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn()\n system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and\n arch/powerpc/kernel/signal_64.c. (CVE-2019-13648)\n\n - In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and\n head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an\n unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by\n default. (CVE-2019-14283)\n\n - A vulnerability was found in Linux Kernel, where a Heap Overflow was found in mwifiex_set_wmm_params()\n function of Marvell Wifi Driver. (CVE-2019-14815)\n\n - An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. In the\n qedi_dbg_* family of functions, there is an out-of-bounds read. (CVE-2019-15090)\n\n - An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a\n malicious USB device in the sound/usb/line6/pcm.c driver. (CVE-2019-15221)\n\n - An issue was discovered in the Linux kernel before 5.0.1. There is a memory leak in\n register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service. (CVE-2019-15916)\n\n - An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check\n the length of variable elements in a beacon head, leading to a buffer overflow. (CVE-2019-16746)\n\n - The Linux kernel before 5.4.1 on powerpc allows Information Exposure because the Spectre-RSB mitigation is\n not in place for all applicable CPUs, aka CID-39e72bf96f58. This is related to\n arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c. (CVE-2019-18660)\n\n - A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.\n As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it\n is possible for the specified target task to perform an execve() syscall with setuid execution before\n perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check\n and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged\n execve() calls. This issue affects kernel versions before 4.8. (CVE-2019-3901)\n\n - The Broadcom brcmfmac WiFi driver prior to commit a4176ec356c73a46c07c181c6d04039fafa34a9f is vulnerable\n to a frame validation bypass. If the brcmfmac driver receives a firmware event frame from a remote source,\n the is_wlc_event_frame function will cause this frame to be discarded and unprocessed. If the driver\n receives the firmware event frame from the host, the appropriate handler is called. This frame validation\n can be bypassed if the bus used is USB (for instance by a wifi dongle). This can allow firmware event\n frames from a remote source to be processed. In the worst case scenario, by sending specially-crafted WiFi\n packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.\n More typically, this vulnerability will result in denial-of-service conditions. (CVE-2019-9503)\n\n - GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a\n specially crafted email that contains a valid signature from the entity to be impersonated as an\n attachment. (CVE-2018-15587)\n\n - It was discovered evolution-ews before 3.31.3 does not check the validity of SSL certificates. An attacker\n could abuse this flaw to get confidential information by tricking the user into connecting to a fake\n server without the user noticing the difference. (CVE-2019-3890)\n\n - The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a\n denial of service (out-of-bounds read and application crash) via a crafted ELF file. (CVE-2018-10360)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as\n unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client\n and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-14556)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported\n versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server\n deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and\n sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component\n without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web\n service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2020-14577)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and\n server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-14578, CVE-2020-14579)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a\n person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may\n significantly impact additional products. Successful attacks of this vulnerability can result in takeover\n of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code\n installed by an administrator). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability\n impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). (CVE-2020-14583)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported\n versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily\n exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly\n impact additional products. Successful attacks of this vulnerability can result in unauthorized creation,\n deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note:\n This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start\n applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java\n deployments, typically in servers, that load and run only trusted code (e.g., code installed by an\n administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N). (CVE-2020-14593)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported\n versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily\n exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This\n vulnerability can only be exploited by supplying data to APIs in the specified Component without using\n Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1\n Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2020-14621)\n\n - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated\n synchronization via a server mode packet with a spoofed source IP address, because transmissions are\n rescheduled even when a packet lacks a valid origin timestamp. (CVE-2020-11868)\n\n - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service\n (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The\n victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can\n query time from the victim's ntpd instance. (CVE-2020-13817)\n\n - Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and\n Thunderbird before 31.7 allows remote attackers to execute arbitrary code by providing a large amount of\n compressed XML data, a related issue to CVE-2015-1283. (CVE-2015-2716)\n\n - snmp_oid_compare in snmplib/snmp_api.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be\n used by an unauthenticated attacker to remotely cause the instance to crash via a crafted UDP packet,\n resulting in Denial of Service. (CVE-2018-18066)\n\n - Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of\n service (resource consumption), aka a better zip bomb issue. (CVE-2019-13232)\n\n - managed-keys is a feature which allows a BIND resolver to automatically maintain the keys used by trust\n anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys\n feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if,\n during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm.\n Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions\n 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13\n development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for\n vulnerability to CVE-2018-5745. (CVE-2018-5745)\n\n - Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones\n are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and\n versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13\n development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for\n vulnerability to CVE-2019-6465. (CVE-2019-6465)\n\n - With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to\n a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection\n to a server could consume more resources than the server has been provisioned to handle. When a TCP\n connection with a large number of pipelined queries is closed, the load on the server releasing these\n multiple resources can cause it to become unresponsive, even for queries that can be answered\n authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).\n (CVE-2019-6477)\n\n - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the\n user to execute any command with the permissions of the shell. (CVE-2019-9924)\n\n - The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with\n excessive numbers of SETTINGS frames and also permitted clients to keep streams open without\n reading/writing request/response data. By keeping streams open for requests that utilised the Servlet\n API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread\n exhaustion and a DoS. (CVE-2019-0199)\n\n - The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write\n in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages\n for the connection window (stream 0) clients were able to cause server-side threads to block eventually\n leading to thread exhaustion and a DoS. (CVE-2019-10072)\n\n - When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote\n Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able\n to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords\n used to access the JMX interface. The attacker can then use these credentials to access the JMX interface\n and gain complete control over the Tomcat instance. (CVE-2019-12418)\n\n - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98\n there was a narrow window where an attacker could perform a session fixation attack. The window was\n considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has\n been treated as a security vulnerability. (CVE-2019-17563)\n\n - The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99\n introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were\n incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a\n reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a\n reverse proxy is considered unlikely. (CVE-2019-17569)\n\n - A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to\n 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of\n such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.\n (CVE-2020-11996)\n\n - An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56\n did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such\n requests were made, an OutOfMemoryException could occur leading to a denial of service. (CVE-2020-13934)\n\n - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to\n 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could\n trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of\n service. (CVE-2020-13935)\n\n - In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used\n an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led\n to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly\n handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered\n unlikely. (CVE-2020-1935)\n\n - When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to\n Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP\n connection. If such connections are available to an attacker, they can be exploited in ways that may be\n surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped\n with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected\n (and recommended in the security guide) that this Connector would be disabled if not required. This\n vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the\n web application - processing any file in the web application as a JSP Further, if the web application\n allowed file upload and stored those files within the web application (or the attacker was able to control\n the content of the web application by some other means) then this, along with the ability to process a\n file as a JSP, made remote code execution possible. It is important to note that mitigation is only\n required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth\n approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to\n Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP\n Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading\n to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.\n (CVE-2020-1938)\n\n - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to\n 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the\n server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is\n configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used)\n or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker\n knows the relative file path from the storage location used by FileStore to the file the attacker has\n control over; then, using a specifically crafted request, the attacker will be able to trigger remote code\n execution via deserialization of the file under their control. Note that all of conditions a) to d) must\n be true for the attack to succeed. (CVE-2020-9484)\n\n - The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory\n space. (CVE-2020-12888)\n\n - An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer\n overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in\n common/unistr.cpp. (CVE-2020-10531)\n\n - A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl\n versions 7.19.4 through 7.64.1. (CVE-2019-5436)\n\n - It was discovered that the gnome-shell lock screen since version 3.15.91 did not properly restrict all\n contextual actions. An attacker with physical access to a locked workstation could invoke certain keyboard\n shortcuts, and potentially other actions. (CVE-2019-3820)\n\n - A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches\n performed when processing referrals can, through the use of specially crafted referrals, cause a recursing\n server to issue a very large number of fetches in an attempt to process the referral. This has at least\n two potential effects: The performance of the recursing server can potentially be degraded by the\n additional work required to perform these fetches, and The attacker can exploit this behavior to use the\n recursing server as a reflector in a reflection attack with a high amplification factor. (CVE-2020-8616)\n\n - Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an\n inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the\n server. Since BIND, by default, configures a local session key even on servers whose configuration does\n not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating\n from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately\n exits. Prior to the introduction of the check the server would continue operating in an inconsistent\n state, with potentially harmful results. (CVE-2020-8617)\n\n - TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated\n user to potentially enable information disclosure via a side channel with local access. (CVE-2019-11135)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://download.nutanix.com/advisories/NXSA-AOS-5-18.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the Nutanix AOS software to recommended version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17666\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1938\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:nutanix:aos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"nutanix_collect.nasl\");\n script_require_keys(\"Host/Nutanix/Data/lts\", \"Host/Nutanix/Data/Service\", \"Host/Nutanix/Data/Version\", \"Host/Nutanix/Data/arch\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::nutanix::get_app_info();\n\nvar constraints = [\n { 'fixed_version' : '5.18', 'product' : 'AOS', 'fixed_display' : 'Upgrade the AOS install to 5.18 or higher.', 'lts' : FALSE },\n { 'fixed_version' : '5.18', 'product' : 'NDFS', 'fixed_display' : 'Upgrade the AOS install to 5.18 or higher.', 'lts' : FALSE }\n];\n\nvcf::nutanix::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2022-08-04T13:41:52", "description": "rbash in Bash before 4.4-beta2 did not prevent the shell user from\nmodifying BASH_CMDS, thus allowing the user to execute any command with the\npermissions of the shell.\n\n#### Bugs\n\n * <https://savannah.gnu.org/support/?108969>\n * <https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441>\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-03-22T00:00:00", "type": "ubuntucve", "title": "CVE-2019-9924", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9924"], "modified": "2019-03-22T00:00:00", "id": "UB:CVE-2019-9924", "href": "https://ubuntu.com/security/CVE-2019-9924", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2022-04-06T01:31:13", "description": "The bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux.\n\nSecurity Fix(es):\n\n* bash: BASH_CMD is writable in restricted bash shells (CVE-2019-9924)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-22T10:59:46", "type": "redhat", "title": "(RHSA-2020:3803) Moderate: bash security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9924"], "modified": "2020-09-22T11:21:07", "id": "RHSA-2020:3803", "href": "https://access.redhat.com/errata/RHSA-2020:3803", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-06T01:30:59", "description": "The bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux.\n\nSecurity Fix(es):\n\n* bash: BASH_CMD is writable in restricted bash shells (CVE-2019-9924)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-01T15:22:07", "type": "redhat", "title": "(RHSA-2020:3592) Moderate: bash security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9924"], "modified": "2020-09-01T15:51:42", "id": "RHSA-2020:3592", "href": "https://access.redhat.com/errata/RHSA-2020:3592", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-06T01:29:10", "description": "The bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux.\n\nSecurity Fix(es):\n\n* bash: BASH_CMD is writable in restricted bash shells (CVE-2019-9924)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-31T09:20:26", "type": "redhat", "title": "(RHSA-2020:1113) Moderate: bash security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9924"], "modified": "2020-03-31T10:09:11", "id": "RHSA-2020:1113", "href": "https://access.redhat.com/errata/RHSA-2020:1113", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-06T01:32:30", "description": "The bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux.\n\nSecurity Fix(es):\n\n* bash: BASH_CMD is writable in restricted bash shells (CVE-2019-9924)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-18T09:17:37", "type": "redhat", "title": "(RHSA-2020:3474) Moderate: bash security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9924"], "modified": "2020-08-18T09:41:06", "id": "RHSA-2020:3474", "href": "https://access.redhat.com/errata/RHSA-2020:3474", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2022-11-10T08:11:42", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for bash fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user\n BASH_CMDS allowing the user to execute any command with the permissions\n of the shell (bsc#1130324).\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2019-1178=1", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-09T00:00:00", "type": "suse", "title": "Security update for bash (important)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9924"], "modified": "2019-04-09T00:00:00", "id": "OPENSUSE-SU-2019:1178-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SVH6QJJCHYJ53EFLFFAFGHUTDZQLEQO4/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "photon": [{"lastseen": "2022-05-12T18:04:11", "description": "Updates of ['bash'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-29T00:00:00", "type": "photon", "title": "Important Photon OS Security Update - PHSA-2019-0229", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9924"], "modified": "2019-04-29T00:00:00", "id": "PHSA-2019-0229", "href": "https://github.com/vmware/photon/wiki/Security-Update-1.0-229", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-03T17:50:21", "description": "An update of {'bash'} packages of Photon OS has been released.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-04-29T00:00:00", "type": "photon", "title": "Home\nDownload Photon OS\nUser Documentation\nFAQ\nSecurity Advisories\nRelated Information\n\nLightwave - PHSA-2019-1.0-0229", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9924"], "modified": "2019-04-29T00:00:00", "id": "PHSA-2019-1.0-0229", "href": "https://github.com/vmware/photon/wiki/Security-Updates-1.0-229", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-01-31T16:46:55", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-04-09T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for bash (openSUSE-SU-2019:1178-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310852410", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852410", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852410\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2019-9924\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-04-09 02:01:01 +0000 (Tue, 09 Apr 2019)\");\n script_name(\"openSUSE: Security Advisory for bash (openSUSE-SU-2019:1178-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:1178-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00049.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bash'\n package(s) announced via the openSUSE-SU-2019:1178-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for bash fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user\n BASH_CMDS allowing the user to execute any command with the permissions\n of the shell (bsc#1130324).\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2019-1178=1\");\n\n script_tag(name:\"affected\", value:\"'bash' package(s) on openSUSE Leap 42.3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.3~83.15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-debuginfo\", rpm:\"bash-debuginfo~4.3~83.15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-debugsource\", rpm:\"bash-debugsource~4.3~83.15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-devel\", rpm:\"bash-devel~4.3~83.15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-loadables\", rpm:\"bash-loadables~4.3~83.15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-loadables-debuginfo\", rpm:\"bash-loadables-debuginfo~4.3~83.15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libreadline6\", rpm:\"libreadline6~6.3~83.15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libreadline6-debuginfo\", rpm:\"libreadline6-debuginfo~6.3~83.15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"readline-devel\", rpm:\"readline-devel~6.3~83.15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-debuginfo-32bit\", rpm:\"bash-debuginfo-32bit~4.3~83.15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libreadline6-32bit\", rpm:\"libreadline6-32bit~6.3~83.15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libreadline6-debuginfo-32bit\", rpm:\"libreadline6-debuginfo-32bit~6.3~83.15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"readline-devel-32bit\", rpm:\"readline-devel-32bit~6.3~83.15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-doc\", rpm:\"bash-doc~4.3~83.15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-lang\", rpm:\"bash-lang~4.3~83.15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eadline-doc\", rpm:\"eadline-doc~6.3~83.15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:33:02", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for bash (EulerOS-SA-2019-1565)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191565", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191565", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1565\");\n script_version(\"2020-01-23T12:15:10+0000\");\n script_cve_id(\"CVE-2019-9924\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:15:10 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:15:10 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for bash (EulerOS-SA-2019-1565)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1565\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1565\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'bash' package(s) announced via the EulerOS-SA-2019-1565 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.(CVE-2019-9924)\");\n\n script_tag(name:\"affected\", value:\"'bash' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.2.46~30.h5.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:36:08", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for bash (EulerOS-SA-2019-1564)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191564", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191564", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1564\");\n script_version(\"2020-01-23T12:15:09+0000\");\n script_cve_id(\"CVE-2019-9924\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:15:09 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:15:09 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for bash (EulerOS-SA-2019-1564)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1564\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1564\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'bash' package(s) announced via the EulerOS-SA-2019-1564 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.(CVE-2019-9924)\");\n\n script_tag(name:\"affected\", value:\"'bash' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.2.46~28.h3\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-19T21:46:38", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-07-16T00:00:00", "type": "openvas", "title": "Ubuntu Update for bash USN-4058-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2019-07-17T00:00:00", "id": "OPENVAS:1361412562310844091", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844091", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844091\");\n script_version(\"2019-07-17T08:19:47+0000\");\n script_cve_id(\"CVE-2019-9924\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 08:19:47 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-07-16 02:00:41 +0000 (Tue, 16 Jul 2019)\");\n script_name(\"Ubuntu Update for bash USN-4058-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n script_xref(name:\"USN\", value:\"4058-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-July/005011.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bash'\n package(s) announced via the USN-4058-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that Bash incorrectly handled the restricted shell. An\nattacker could possibly use this issue to escape restrictions and execute\nany command.\");\n\n script_tag(name:\"affected\", value:\"'bash' package(s) on Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"bash\", ver:\"4.3-14ubuntu1.4\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:39:03", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for bash (EulerOS-SA-2019-1563)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191563", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191563", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1563\");\n script_version(\"2020-01-23T12:15:08+0000\");\n script_cve_id(\"CVE-2019-9924\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:15:08 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:15:08 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for bash (EulerOS-SA-2019-1563)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1563\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1563\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'bash' package(s) announced via the EulerOS-SA-2019-1563 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.(CVE-2019-9924)\");\n\n script_tag(name:\"affected\", value:\"'bash' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.2.46~28.h3\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:34:20", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for bash (EulerOS-SA-2019-1621)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191621", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191621", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1621\");\n script_version(\"2020-01-23T12:17:38+0000\");\n script_cve_id(\"CVE-2019-9924\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:17:38 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:17:38 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for bash (EulerOS-SA-2019-1621)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.2\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1621\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1621\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'bash' package(s) announced via the EulerOS-SA-2019-1621 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.(CVE-2019-9924)\");\n\n script_tag(name:\"affected\", value:\"'bash' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.2.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.2.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.2.46~30.h5\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:38:55", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for bash (EulerOS-SA-2019-1609)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191609", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191609", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1609\");\n script_version(\"2020-01-23T12:16:54+0000\");\n script_cve_id(\"CVE-2019-9924\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:16:54 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:16:54 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for bash (EulerOS-SA-2019-1609)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-3\\.0\\.1\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1609\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1609\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'bash' package(s) announced via the EulerOS-SA-2019-1609 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.(CVE-2019-9924)\");\n\n script_tag(name:\"affected\", value:\"'bash' package(s) on Huawei EulerOS Virtualization 3.0.1.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-3.0.1.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.2.46~30.h5\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-29T19:29:11", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-03-25T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for bash (DLA-1726-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9924", "CVE-2016-9401"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891726", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891726", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891726\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2016-9401\", \"CVE-2019-9924\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-03-25 23:00:00 +0100 (Mon, 25 Mar 2019)\");\n script_name(\"Debian LTS: Security Advisory for bash (DLA-1726-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/03/msg00028.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1726-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bash'\n package(s) announced via the DLA-1726-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Two issues have been fixed in bash, the GNU Bourne-Again Shell:\n\nCVE-2016-9401\n\nThe popd builtin segfaulted when called with negative out of range\noffsets.\n\nCVE-2019-9924\n\nSylvain Beucler discovered that it was possible to call commands\nthat contained a slash when in restricted mode (rbash) by adding\nthem to the BASH_CMDS array.\");\n\n script_tag(name:\"affected\", value:\"'bash' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n4.3-11+deb8u2.\n\nWe recommend that you upgrade your bash packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"bash\", ver:\"4.3-11+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"bash-builtins\", ver:\"4.3-11+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"bash-doc\", ver:\"4.3-11+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"bash-static\", ver:\"4.3-11+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mageia": [{"lastseen": "2022-04-18T11:19:34", "description": "Updated bash package fixes security vulnerability: A vulnerability in which shell did not prevent user BASH_CMDS, allowing the user to execute any command with the permissions of the shell (CVE-2019-9924). \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-12T09:35:33", "type": "mageia", "title": "Updated bash packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9924"], "modified": "2019-05-12T09:35:32", "id": "MGASA-2019-0163", "href": "https://advisories.mageia.org/MGASA-2019-0163.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2021-07-28T14:25:03", "description": "[4.2.46-34]\n- BASH_CMD should not be writable in restricted shell\n Resolves: #1693181", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-04-06T00:00:00", "type": "oraclelinux", "title": "bash security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9924"], "modified": "2020-04-06T00:00:00", "id": "ELSA-2020-1113", "href": "http://linux.oracle.com/errata/ELSA-2020-1113.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2022-04-06T00:14:24", "description": "**CentOS Errata and Security Advisory** CESA-2020:1113\n\n\nThe bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux.\n\nSecurity Fix(es):\n\n* bash: BASH_CMD is writable in restricted bash shells (CVE-2019-9924)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttps://lists.centos.org/pipermail/centos-cr-announce/2020-April/019102.html\n\n**Affected packages:**\nbash\nbash-doc\n\n**Upstream details at:**\nhttps://access.redhat.com/errata/RHSA-2020:1113", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-08T17:44:32", "type": "centos", "title": "bash security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9924"], "modified": "2020-04-08T17:44:32", "id": "CESA-2020:1113", "href": "https://lists.centos.org/pipermail/centos-cr-announce/2020-April/019102.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "ibm": [{"lastseen": "2022-10-01T02:01:37", "description": "## Summary\n\nA vulnerability in Bash could allow a remote attacker to executive arbitrary commands on the system which may affect IBM Spectrum Protect Plus.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-9924](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9924>) \n** DESCRIPTION: **Bash could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by the failure to prevent the shell user from modifying BASH_CMDS in the rbash. By modifying BASH_CMDS, an attacker could exploit this vulnerability to execute arbitrary commands on the system with the permissions of the shell. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/158906](<https://exchange.xforce.ibmcloud.com/vulnerabilities/158906>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Spectrum Protect Plus| 10.1.0-10.1.6 \n \n## Remediation/Fixes\n\n**Spectrum Protect** \n**Plus Release**| **First Fixing** \n**VRM Level**| **Platform**| **Link to Fix/Target Availability** \n---|---|---|--- \n10.1| 10.1.6 ifix3| Linux| ** \n<https://www.ibm.com/support/pages/node/6254732>** \n \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n03 August 2020: Initial Publication19 August 2020; Modified First Fixing VRM Level to be 10.1.6 ifix3 targeted for 3Q2020.31 August 2020; Added link to 10.1.6 ifix3\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Product\":{\"code\":\"SSNQFQ\",\"label\":\"IBM Spectrum Protect Plus\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"10.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}}]", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-31T19:29:57", "type": "ibm", "title": "Security Bulletin: Vulnerability in Bash affects IBM Spectrum Protect Plus (CVE-2019-9924)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9924"], "modified": "2020-08-31T19:29:57", "id": "1AF4510F1082C8515FF192613F3D01CB2AB69352E4268045DECE7E2631E514B6", "href": "https://www.ibm.com/support/pages/node/6255086", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:48:11", "description": "## Summary\n\nThe product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-7226](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7226>) \n** DESCRIPTION: **Cryptacular is vulnerable to a denial of service, caused by an excessive memory allocation during a decode operation in CiphertextHeader.java. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/175399](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175399>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2021-29425](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425>) \n** DESCRIPTION: **Apache Commons IO could allow a remote attacker to traverse directories on the system, caused by improper input validation by the FileNameUtils.normalize method. An attacker could send a specially-crafted URL request containing \"dot dot\" sequences (/../) to view arbitrary files on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/199852](<https://exchange.xforce.ibmcloud.com/vulnerabilities/199852>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2021-28165](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28165>) \n** DESCRIPTION: **Eclipse Jetty is vulnerable to a denial of service, caused by improper input valistion. By sending a specially-crafted TLS frame, a remote attacker could exploit this vulnerability to cause CPU resources to reach to 100% usage. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/199305](<https://exchange.xforce.ibmcloud.com/vulnerabilities/199305>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-28169](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28169>) \n** DESCRIPTION: **Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the ConcatServlet. By sending a specially-crafted request using a doubly encoded path, an attacker could exploit this vulnerability to obtain sensitive information from protected resources within the WEB-INF directory, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/203492](<https://exchange.xforce.ibmcloud.com/vulnerabilities/203492>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2021-28163](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28163>) \n** DESCRIPTION: **Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain webapp directory contents information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 2.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/199303](<https://exchange.xforce.ibmcloud.com/vulnerabilities/199303>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2021-22696](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22696>) \n** DESCRIPTION: **Apache CXF is vulnerable to a denial of service, caused by improper validation of request_uri parameter by the OAuth 2 authorization service. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition on the authorization server. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/199335](<https://exchange.xforce.ibmcloud.com/vulnerabilities/199335>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-13954](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13954>) \n** DESCRIPTION: **Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using the styleSheetPath in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/191650](<https://exchange.xforce.ibmcloud.com/vulnerabilities/191650>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-8029](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029>) \n** DESCRIPTION: **Apache Hadoop could allow a remote authenticated attacker to gain elevated privileges on the system. An attacker could exploit this vulnerability to run arbitrary commands as root user. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/161812](<https://exchange.xforce.ibmcloud.com/vulnerabilities/161812>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-9492](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9492>) \n** DESCRIPTION: **Apache Hadoop could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper validation of SPNEGO authorization header. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges to trigger services to send server credentials to a webhdfs path for capturing the service principal. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/195656](<https://exchange.xforce.ibmcloud.com/vulnerabilities/195656>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-11768](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11768>) \n** DESCRIPTION: **Apache Hadoop is vulnerable to a denial of service, caused by a mismatch in the size of the fields used to store user/group information between memory and disk representation. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the user/group information to be corrupted across storing in fsimage and reading back from fsimage. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168305](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168305>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2017-15713](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713>) \n** DESCRIPTION: **Apache Hadoop could allow a remote authenticated attacker to obtain sensitive information. By using a specially-crafted file, a remote attacker could exploit this vulnerability to expose private files. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138064](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138064>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-18751](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18751>) \n** DESCRIPTION: **GNU gettext is vulnerable to a denial of service, caused by a double free flaw in the default_add_message function in read-catalog.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/152105](<https://exchange.xforce.ibmcloud.com/vulnerabilities/152105>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-9924](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9924>) \n** DESCRIPTION: **Bash could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by the failure to prevent the shell user from modifying BASH_CMDS in the rbash. By modifying BASH_CMDS, an attacker could exploit this vulnerability to execute arbitrary commands on the system with the permissions of the shell. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/158906](<https://exchange.xforce.ibmcloud.com/vulnerabilities/158906>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-3715](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3715>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free in route4_change() in net/sched/cls_route.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to escalate privileges. \nCVSS Base score: 7.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208836](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208836>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-27777](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27777>) \n** DESCRIPTION: **Linux Kernel for PowerPC could allow a local authenticated attacker to bypass security restrictions, caused by a flaw with the Run-Time Abstraction Services (RTAS) interface. By sending a specially-crafted request, an attacker could exploit this vulnerability to overwrite some parts of memory, including kernel memory. \nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192283](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192283>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-22555](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22555>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a heap out-of-bounds write flaw in net/netfilter/x_tables.c. By sending a specially-crafted request through user name space, an authenticated attacker could exploit this vulnerability to gain elevated privileges or cause a denial of service condition. \nCVSS Base score: 7.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/204997](<https://exchange.xforce.ibmcloud.com/vulnerabilities/204997>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-29154](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29154>) \n** DESCRIPTION: **Linux Kernel could allow a could allow a local authenticated attacker to gain elevated privileges on the system, caused by an issue with incorrect computation of branch displacements in BPF JIT compiler. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges, and execute arbitrary code in the Kernel mode. \nCVSS Base score: 7.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/199609](<https://exchange.xforce.ibmcloud.com/vulnerabilities/199609>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-29650](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29650>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by the lack of a full memory barrier upon the assignment of a new table value in the netfilter subsystem. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause the system to crash. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/199201](<https://exchange.xforce.ibmcloud.com/vulnerabilities/199201>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-32399](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32399>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a race condition in the BlueTooth subsystem. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to execute arbitrary code with elevated privileges. \nCVSS Base score: 7.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/201653](<https://exchange.xforce.ibmcloud.com/vulnerabilities/201653>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9\n\nIBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2\n\n## Remediation/Fixes\n\n \n[QRadar / QRM / QVM / QRIF / QNI 7.3.3 Fix Pack 10](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.3.3-QRADAR-QRSIEM-20211125190208&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=SAR> \"QRadar / QRM / QVM / QRIF / QNI 7.3.3 Fix Pack 10\" )\n\nQRadar / QRM / QVM / QRIF / QNI 7.4.3 Fix Pack 3\n\n[QRadar / QRM / QVM / QRIF / QNI 7.4.3 Fix Pack 4](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.3-QRADAR-QRSIEM-20211113154131&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"QRadar / QRM / QVM / QRIF / QNI 7.4.3 Fix Pack 4\" )\n\n**Note**: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 [was removed for on-premise QRadar SIEM users](<https://www.ibm.com/support/pages/node/6509562>).\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n26 Nov 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSBQAC\",\"label\":\"IBM QRadar SIEM\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"7.3, 7.4\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-03T18:47:00", "type": "ibm", "title": "Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15713", "CVE-2018-11768", "CVE-2018-18751", "CVE-2018-8029", "CVE-2019-9924", "CVE-2020-13954", "CVE-2020-27777", "CVE-2020-7226", "CVE-2020-9492", "CVE-2021-22555", "CVE-2021-22696", "CVE-2021-28163", "CVE-2021-28165", "CVE-2021-28169", "CVE-2021-29154", "CVE-2021-29425", "CVE-2021-29650", "CVE-2021-32399", "CVE-2021-3715"], "modified": "2021-12-03T18:47:00", "id": "516C78282E257BAD924E6FC3088367963BA15FCD8305B1B9C4978CA225F03D64", "href": "https://www.ibm.com/support/pages/node/6520472", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:41:10", "description": "## Summary\n\nThe product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. The product has addressed these issues.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-42574](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574>) \n** DESCRIPTION: **Unicode could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the bidirectional algorithm in the unicode specification. By creating a malicious patch containing well placed BiDi characters, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: This vulnerability also affects Rust. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/212526](<https://exchange.xforce.ibmcloud.com/vulnerabilities/212526>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-37750](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37750>) \n** DESCRIPTION: **MIT Kerberos 5 (aka krb5) is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in kdc/do_tgs_req.c in the Key Distribution Center (KDC). By sending a specially-crafted FAST TGS request with no server field, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208020](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208020>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-20271](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20271>) \n** DESCRIPTION: **RPM could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the signature check function. By persuading a victim to open a specially-crafted package file, an attacker could exploit this vulnerability to cause RPM database corruption and execute arbitrary code on the system. \nCVSS Base score: 6.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198961](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198961>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-41617](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41617>) \n** DESCRIPTION: **OpenSSH could allow a local attacker to gain elevated privileges on the system, caused by an error in sshd when certain non-default configurations are used. By executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a non-root user, an attacker could exploit this vulnerability to gain privileges associated with group memberships of the sshd process. \nCVSS Base score: 7.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/210062](<https://exchange.xforce.ibmcloud.com/vulnerabilities/210062>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-36385](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36385>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a use-after-free flaw in drivers/infiniband/core/ucma.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. \nCVSS Base score: 8.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/203845](<https://exchange.xforce.ibmcloud.com/vulnerabilities/203845>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-9924](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9924>) \n** DESCRIPTION: **Bash could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by the failure to prevent the shell user from modifying BASH_CMDS in the rbash. By modifying BASH_CMDS, an attacker could exploit this vulnerability to execute arbitrary commands on the system with the permissions of the shell. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/158906](<https://exchange.xforce.ibmcloud.com/vulnerabilities/158906>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-43527](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43527>) \n** DESCRIPTION: **Mozilla Network Security Services (NSS), as used in Mozilla Firefox is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when handling DER-encoded DSA or RSA-PSS signatures. By sending an overly long signature, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214347](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214347>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-25704](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25704>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the perf_event_parse_addr_filter function. By executing a specially-crafted program, a local attacker could exploit this vulnerability to exhaust available memory on the system. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/191348](<https://exchange.xforce.ibmcloud.com/vulnerabilities/191348>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-36322](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36322>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a flaw in the fuse_do_getattr function in the FUSE filesystem implementation in . By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause the system to crash. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/200230](<https://exchange.xforce.ibmcloud.com/vulnerabilities/200230>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-42739](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42739>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the avc_ca_pmt() function in the firedtv driver. By sending a specially-crafted request, a local attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 8.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211771](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211771>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-0465](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0465>) \n** DESCRIPTION: **Google Android could allow a local attacker to gain elevated privileges on the system, caused by an out-of-bounds write in various methods of hid-multitouch.c. By executing a specially-crafted program, an attacker could exploit this vulnerability to escalate privileges. \nCVSS Base score: 8.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/193398](<https://exchange.xforce.ibmcloud.com/vulnerabilities/193398>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-0466](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0466>) \n** DESCRIPTION: **Google Android could allow a local attacker to gain elevated privileges on the system, caused by a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c. By executing a specially-crafted program, an attacker could exploit this vulnerability to escalate privileges. \nCVSS Base score: 8.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/193397](<https://exchange.xforce.ibmcloud.com/vulnerabilities/193397>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-0920](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0920>) \n** DESCRIPTION: **Google Android could allow a local attacker to gain elevated privileges on the system, caused by a use after free flaw due to a race condition in unix_scm_to_skb of af_unix.c. By executing a specially-crafted program, an attacker could exploit this vulnerability to escalate privileges. \nCVSS Base score: 7.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215673](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215673>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-3573](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3573>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a use-after-free flaw in the hci_sock_bound_ioctl function. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause the kernel to crash. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/203249](<https://exchange.xforce.ibmcloud.com/vulnerabilities/203249>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-3752](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3752>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a use-after-free flaw in the Bluetooth module. By sending a specially-crafted payload, a local attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209448](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209448>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-4155](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4155>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by data leak flaw in the way how XFS_IOC_ALLOCSP IOCTL in the XFS filesystem is allowed for size increase of files with unaligned size. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information on the XFS filesystem, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/216919](<https://exchange.xforce.ibmcloud.com/vulnerabilities/216919>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2022-0330](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0330>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to obtain sensitive information, caused by a security sensitive bug in the i915 kernel driver. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause random memory corruption. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/218086](<https://exchange.xforce.ibmcloud.com/vulnerabilities/218086>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2022-22942](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22942>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by improper file descriptor handling in the vmwgfx driver. By sending a specially-crafted ioctl call, an attacker could exploit this vulnerability to gain access to files opened by other processes on the system, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/218323](<https://exchange.xforce.ibmcloud.com/vulnerabilities/218323>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-25709](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25709>) \n** DESCRIPTION: **OpenLDAP is vulnerable to a denial of service, caused by an assertion failure in certificateListValidate function in servers/slapd/schema_init.c. By sending a specially crafted packet, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192486](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192486>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-25710](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25710>) \n** DESCRIPTION: **OpenLDAP is vulnerable to a denial of service, caused by an assertion failure in csnNormalize23 function in servers/slapd/schema_init.c. By sending a specially crafted packet, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192487](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192487>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-4034](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034>) \n** DESCRIPTION: **Polkit could allow a local authenticated attacker to gain elevated privileges on the system, caused by incorrect handling of the argument vectors in the pkexec utility. By crafting environment variables in a specific way, an attacker could exploit this vulnerability to execute commands with root privileges. \nCVSS Base score: 7.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/218087](<https://exchange.xforce.ibmcloud.com/vulnerabilities/218087>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM QRadar Network Packet Capture 7.3.0 - 7.3.3 FP9\n\nIBM QRadar Network Packet Capture 7.4.0 - 7.4.3 FP3\n\nIBM QRadar Network Packet Capture 7.5.0 GA\n\n \n\n\n## Remediation/Fixes\n\nIBM recommends customers update their systems promptly. \n\n**_Product_**| **_VRMF_**| \n\n**_Remediation/First Fix_** \n \n---|---|--- \nIBM QRadar Network Packet Capture| 7.3.0 - 7.3.3 FP9| [IBM QRadar Network Packet Capture 7.3.3 FP10](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+QRadar+Network+Packet+Capture+Appliance&release=All&platform=All&function=fixId&fixids=7.3.3-QRadar-NETPCAP-Upgrade-22&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc> \"IBM QRadar Network Packet Capture 7.3.3 FP10\" ) \nIBM QRadar Network Packet Capture| 7.4.0 - 7.4.3 FP3| [IBM QRadar Network Packet Capture 7.4.3 FP4](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+QRadar+Network+Packet+Capture+Appliance&release=All&platform=All&function=fixId&fixids=7.4.3-QRadar-NETPCAP-Upgrade-1306&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc> \"IBM QRadar Network Packet Capture 7.4.3 FP4\" ) \nIBM QRadar Network Packet Capture| 7.5.0 GA| [IBM QRadar Network Packet Capture 7.5.0 UP1](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+QRadar+Network+Packet+Capture+Appliance&release=All&platform=All&function=fixId&fixids=7.5.0-QRadar-NETPCAP-Upgrade-1501&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc> \"IBM QRadar Network Packet Capture 7.5.0 UP1\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n29 Mar 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSMU35\",\"label\":\"IBM QRadar Network Packet Capture Software\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"7.3, 7.4, 7.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T14:40:20", "type": "ibm", "title": "Security Bulletin: IBM QRadar Network Packet Capture is using components with known vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.9, "vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9924", "CVE-2020-0465", "CVE-2020-0466", "CVE-2020-25704", "CVE-2020-25709", "CVE-2020-25710", "CVE-2020-36322", "CVE-2020-36385", "CVE-2021-0920", "CVE-2021-20271", "CVE-2021-3573", "CVE-2021-3752", "CVE-2021-37750", "CVE-2021-4034", "CVE-2021-4155", "CVE-2021-41617", "CVE-2021-42574", "CVE-2021-42739", "CVE-2021-43527", "CVE-2022-0330", "CVE-2022-22942"], "modified": "2022-03-31T14:40:20", "id": "72AD5D71FF571D991FCA51BDAC7D0D303109A868FA89340C6F8CD492F9F038E3", "href": "https://www.ibm.com/support/pages/node/6568365", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:51:21", "description": "## Summary\n\nIBM Data Risk Manager has addressed the following vulnerabilities:\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-13871](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13871>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by a use-after-free in resetAccumulator in select.c. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183370](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183370>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-9484](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484>) \n** DESCRIPTION: **Apache Tomcat could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization when the server is configured to use the PersistenceManager with a FileStore. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182231](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182231>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-15025](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15025>) \n** DESCRIPTION: **NTP is vulnerable to a denial of service, caused by a memory leak when a CMAC key is used and associated with a CMAC algorithm in the ntp.keys file in ntpd. By sending specially-crafted packets, a remote authenticated attacker could exploit this vulnerability to consume all available memory resources. \nCVSS Base score: 4.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184004](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184004>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-4620](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4620>) \n** DESCRIPTION: **IBM Data Risk Manager (iDNA) 2.0.6 could allow a remote authenticated attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious file, which could allow the attacker to execute arbitrary code on the vulnerable system. IBM X-Force ID: 184979. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184979](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184979>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-14892](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14892>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when using commons-configuration 1 and 2 JNDI classes. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177106](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177106>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-14893](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14893>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when using the xalan JNDI gadget. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177108](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177108>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2017-12626](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12626>) \n** DESCRIPTION: **Apache POI is vulnerable to a denial of service, caused by an error while parsing malicious WMF, EMF, MSG and macros and specially crafted DOC, PPT and XLS. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop or an out of memory exception. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138361](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138361>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-4621](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4621>) \n** DESCRIPTION: **IBM Data Risk Manager (iDNA) 2.0.6 could allow an authenticated user to escalate their privileges to administrator due to insufficient authorization checks. IBM X-Force ID: 184981. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184981](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184981>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-14195](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14195>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in rg.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183495](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183495>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-16168](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by missing validation of a sqlite_stat1 sz field in whereLoopAddBtreeIndex in sqlite3.c. By providing specially-crafted input, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166986](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166986>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-10673](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10673>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in com.caucho.config.types.ResourceRef (aka caucho-quercus). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178107](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178107>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-11112](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11112>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178902](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178902>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-11113](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178903](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178903>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-10672](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10672>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178104](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178104>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-10968](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10968>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178544](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178544>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-10969](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10969>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in javax.swing.JEditorPane. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178546](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178546>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-11619](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11619>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179430](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179430>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-11111](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11111>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178901](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178901>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-11620](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11620>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.commons.jelly.impl.Embedded (aka commons-jelly). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179431](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179431>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2017-15095](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15095>) \n** DESCRIPTION: **Jackson Library could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue() method of the ObjectMapper. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/135123](<https://exchange.xforce.ibmcloud.com/vulnerabilities/135123>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2017-17485](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485>) \n** DESCRIPTION: **Jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the default-typing feature. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/137340](<https://exchange.xforce.ibmcloud.com/vulnerabilities/137340>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2017-7525](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw within the Jackson JSON library in the readValue method of the ObjectMapper. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/134639](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134639>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-1000873](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000873>) \n** DESCRIPTION: **FasterXML jackson-databind is vulnerable to a denial of service, caused by improper input validation by the nanoseconds time value field. By persuading a victim to deserialize specially-crafted input, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/154804](<https://exchange.xforce.ibmcloud.com/vulnerabilities/154804>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-14718](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14718>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the slf4j-ext class from polymorphic deserialization. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155139](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155139>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-5968](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by deserialization flaws. By using two different gadgets that bypass a blocklist, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138088](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138088>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2018-7489](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue method of the ObjectMapper. By sending specially crafted JSON input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/139549](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139549>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-10172](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10172>) \n** DESCRIPTION: **Jackson-mapper-asl could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending a specially-crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172436](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172436>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2019-14540](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariConfig. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167354](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167354>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-16335](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16335>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariDataSource. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167205](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167205>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-17267](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17267>) \n** DESCRIPTION: **FasterXML jackson-databind could provide weaker than expected security, caused by a polymorphic typing issue in the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. A remote attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168514>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-11996](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11996>) \n** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service. By sending a specially crafted sequence of HTTP/2 requests, a remote attacker could exploit this vulnerability to trigger high CPU usage for several seconds. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184012](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184012>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-2949](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2949>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Kerberos component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169254](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169254>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-5398](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5398>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to obtain sensitive information, caused by a flaw when it sets a Content-Disposition header in the response. By using a reflected file download (RFD) attack, a remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174711](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174711>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-11023](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim&#39;s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim&#39;s cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11022](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim&#39;s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim&#39;s cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-4617](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4617>) \n** DESCRIPTION: **IBM Data Risk Manager (iDNA) 2.0.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 184930. \nCVSS Base score: 7.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184930](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184930>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) \n \n** CVEID: **[CVE-2019-19317](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19317>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by an error in lookupName in resolve.c. By providing specially crafted input, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172670](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172670>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-1935](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1935>) \n** DESCRIPTION: **Apache Tomcat is vulnerable to HTTP request smuggling, caused by a flaw when handling unusual Transfer-Encoding HTTP header. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176788](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176788>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-17569](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17569>) \n** DESCRIPTION: **Apache Tomcat is vulnerable to HTTP request smuggling, caused by a flaw when handling unusual Transfer-Encoding HTTP header. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176784](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176784>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-1938](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938>) \n** DESCRIPTION: **Apache Tomcat could allow a remote attacker to execute arbitrary code on the system, caused by a file read/inclusion vulnerability in the AJP connector. By sending a specially-crafted request, an attacker could exploit this vulnerability to read web application files from a vulnerable server and upload malicious JavaServer Pages (JSP) code within a variety of file types and execute arbitrary code on the system. Note: This vulnerability is known as Ghostcat. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176562](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176562>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-12384](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the logback-core class from polymorphic deserialization. By sending a specially-crafted JSON message, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162849](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162849>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-14816](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14816>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by mwifiex_update_vs_ie() function of Marvell Wifi Driver. By sending a specially-crafted packet, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the system to crash. \nCVSS Base score: 8.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166017](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166017>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-14895](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14895>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the mwifiex_process_country_ie function in drivers/net/wireless/marvell/mwifiex/sta_ioctl.c. By sending a specially-crafted beacon packet, a remote attacker could overflow a buffer and execute arbitrary code or cause a denial of service on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172101](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172101>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-14898](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14898>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a race condition in between mmget_not_zero()/get_task_mm() and core dumping. By using a specially-crafted system call, a local authenticated attacker could exploit this vulnerability to cause the system to crash or obtain sensitive information. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/175727](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175727>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H) \n \n** CVEID: **[CVE-2019-14901](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14901>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the mwifiex_process_tdls_action_frame function in marvell/mwifiex/tdls.c. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code or cause a denial of service on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172100](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172100>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-17133](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17133>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the cfg80211_mgd_wext_giwessid functions in net/wireless/wext-sme.c. By sending an overly long long SSID IE, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168370](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168370>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-9924](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9924>) \n** DESCRIPTION: **Bash could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by the failure to prevent the shell user from modifying BASH_CMDS in the rbash. By modifying BASH_CMDS, an attacker could exploit this vulnerability to execute arbitrary commands on the system with the permissions of the shell. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/158906](<https://exchange.xforce.ibmcloud.com/vulnerabilities/158906>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2015-2716](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2716>) \n** DESCRIPTION: **Expat, as used in Mozilla Firefox and Thunderbird, is vulnerable to a buffer overflow, caused by improper bounds checking by the XML parser. By persuading a victim to open a specially crafted XML file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. \nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/103214](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103214>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2018-18751](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18751>) \n** DESCRIPTION: **GNU gettext is vulnerable to a denial of service, caused by a double free flaw in the default_add_message function in read-catalog.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/152105](<https://exchange.xforce.ibmcloud.com/vulnerabilities/152105>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-11487](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11487>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a page-&gt;_refcount overflow. A local attacker could exploit this vulnerability using FUSE with ~140GiB RAM usage to cause a denial of service. \nCVSS Base score: 4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/160017](<https://exchange.xforce.ibmcloud.com/vulnerabilities/160017>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-17666](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17666>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the rtl_p2p_noa_ie function in drivers/net/wireless/realtek/rtlwifi/ps.c. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169487](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169487>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-19338](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19338>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a Transaction Asynchronous Abort (TAA) h/w issue in KVM. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172836](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172836>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-17041](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17041>) \n** DESCRIPTION: **Rsyslog is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the contrib/pmaixforwardedfrom/pmaixforwardedfrom.c. By sending a specially-crafted message, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168504](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168504>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-17042](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17042>) \n** DESCRIPTION: **Rsyslog is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the contrib/pmcisconames/pmcisconames.c. By sending a specially-crafted message, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168503](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168503>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-18634](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18634>) \n** DESCRIPTION: **Apple macOS Catalina is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the privileged sudo process. By sending an overly long string to the stdin of getln() in tgetpass.c., a local attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 8.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/175358](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175358>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-1116](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1116>) \n** DESCRIPTION: **polkit is vulnerable to a denial of service, caused by a flaw in the implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service or obtain sensitive information. \nCVSS Base score: 7.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/146202](<https://exchange.xforce.ibmcloud.com/vulnerabilities/146202>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) \n \n** CVEID: **[CVE-2019-13734](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734>) \n** DESCRIPTION: **Google Chrome could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write in SQLite. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172917](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172917>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-20852](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20852>) \n** DESCRIPTION: **Python could allow a remote attacker to obtain sensitive information, caused by the failure to correctly validate the domain by http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py. By using a server with a hostname that has another valid hostname as a suffix, an attacker could exploit this vulnerability to obtain leaked existing cookies. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169515](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169515>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-16056](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056>) \n** DESCRIPTION: **Python could allow a remote attacker to bypass security restrictions, caused by an issue with email module incorrectly parsing email address containing multiple &#64; characters. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass email filtering protection. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166645](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166645>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2019-11729](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729>) \n** DESCRIPTION: **Mozilla Firefox is vulnerable to a denial of service, caused by the improperly validation of empty or malformed p256-ECDH public keys before being copied into memory and used. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/163507](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163507>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-11745](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745>) \n** DESCRIPTION: **Mozilla Network Security Services (NSS), as used in Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write when encrypting with a block cipher. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to corrupt the heap and execute arbitrary code on the vulnerable system or cause a denial of service. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172458](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172458>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-10531](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10531>) \n** DESCRIPTION: **International Components for Unicode (ICU) for C/C&#43;&#43; is vulnerable to a heap-based buffer overflow, caused by an integer overflow in UnicodeString::doAppend() function in common/unistr.cpp. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177660](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177660>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-3820](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3820>) \n** DESCRIPTION: **Gnome gnome-shell lock screen could allow a physical attacker to bypass security restrictions, caused by the failure to properly restrict all contextual actions. By performing specially-crafted operations, an attacker could exploit this vulnerability to invoke certain keyboard shortcuts. \nCVSS Base score: 4.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/157399](<https://exchange.xforce.ibmcloud.com/vulnerabilities/157399>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2018-10360](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10360>) \n** DESCRIPTION: **File is vulnerable to a denial of service, caused by an out-of-bounds read in the do_core_note function in readelf.c in libmagic.a. By persuading a victim to open a specially crafted ELF file, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/144797](<https://exchange.xforce.ibmcloud.com/vulnerabilities/144797>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-5436](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436>) \n** DESCRIPTION: **cURL libcurl is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the tftp_receive_packet() function. By sending overly long data, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 6.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/161431](<https://exchange.xforce.ibmcloud.com/vulnerabilities/161431>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2018-5745](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5745>) \n** DESCRIPTION: **ISC BIND is vulnerable to a denial of service, caused by an error in the managed-keys feature. By replacing a trust anchor&#39;s keys with keys which use an unsupported algorithm, a remote authenticated attacker could exploit this vulnerability to cause an assertion failure. \nCVSS Base score: 4.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/157386](<https://exchange.xforce.ibmcloud.com/vulnerabilities/157386>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-6465](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6465>) \n** DESCRIPTION: **ISC BIND could allow a remote attacker to obtain sensitive information, caused by the failure to properly apply controls for zone transfers to Dynamically Loadable Zones (DLZs) if the zones are writable. An attacker could exploit this vulnerability to request and receive a zone transfer of a DLZ even when not permitted to do so by the allow-transfer ACL. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/157377](<https://exchange.xforce.ibmcloud.com/vulnerabilities/157377>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-6477](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6477>) \n** DESCRIPTION: **ISC BIND is vulnerable to a denial of service. By sending TCP-pipelined queries, a remote attacker could exploit this vulnerability to bypass tcp-clients limit and cause the server to consume all available resources and become unresponsive. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172012](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172012>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2015-9289](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9289>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a buffer overflow, caused by a flaw when checking userspace params in drivers/media/dvb-frontends/cx24116.c. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166876](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166876>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2017-17807](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17807>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to bypass security restrictions, caused by omitting an access-control check when adding a key to the current task&#39;s default request-key keyring in the KEYS subsystem. By using a sequence of specially-crafted system calls, an attacker could exploit this vulnerability to add keys to a keyring with only Search permission. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/136628](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136628>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2018-7191](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7191>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the tun subsystem. By sending a specially-crafted ioctl(TUNSETIFF) cal, a local attacker could exploit this vulnerability to cause a system panic. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/161401](<https://exchange.xforce.ibmcloud.com/vulnerabilities/161401>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2018-19985](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19985>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds read in the hso_get_config_data function in drivers/net/usb/hso.c. A local attacker could exploit this vulnerability to cause the system to crash. \nCVSS Base score: 4.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/160204](<https://exchange.xforce.ibmcloud.com/vulnerabilities/160204>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2018-20169](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20169>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by improper size validation by the __usb_get_extra_descriptor function in drivers/usb/core/usb.c in the USB subsystem. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/154367](<https://exchange.xforce.ibmcloud.com/vulnerabilities/154367>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-3901](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3901>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to obtain sensitive information, caused by a race condition in the perf_event_open function. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information from setuid programs. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159973](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159973>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-9503](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9503>) \n** DESCRIPTION: **The Broadcom brcmfmac driver could allow a remote attacker to bypass security restrictions. By receiving firmware event frames from a remote source, a remote attacker could exploit this vulnerability to bypass the frame validation. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159643](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159643>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2019-10207](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10207>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the hci_uart_set_flow_control function. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/164305](<https://exchange.xforce.ibmcloud.com/vulnerabilities/164305>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-10638](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10638>) \n** DESCRIPTION: **Linux Kernel could allow a remote attacker to obtain sensitive information, caused by the use of IP ID values for connection-less protocols. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to obtain the hash collisions then enumerate the hashing key. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/163731](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163731>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-10639](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10639>) \n** DESCRIPTION: **Linux Kernel could allow a remote attacker to obtain sensitive information, caused by the use of a weak function to generate IP packet IDs. By sniffing the network, an attacker could exploit this vulnerability to obtain hash collisions information to derive the hashing key. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167414](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167414>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-11190](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11190>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to bypass security restrictions, caused by a race condition when reading /proc/pid/stat. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass ASLR on setuid programs. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159469](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159469>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2019-11884](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11884>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to obtain sensitive information, caused by a flaw in the do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c. By using a HIDPCONNADD command, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/161261](<https://exchange.xforce.ibmcloud.com/vulnerabilities/161261>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-12382](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12382>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the drm_load_edid_firmware function in drivers/gpu/drm/drm_edid_load.c. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause the system to crash. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/161695](<https://exchange.xforce.ibmcloud.com/vulnerabilities/161695>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-13233](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13233>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a use-after-free flaw when a race between modify_ldt() and #BR Exception occurs. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162780](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162780>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-13648](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13648>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a flaw in arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c when hardware transactional memory is disabled. By using a sigreturn() system call with crafted signal frame, a local attacker could exploit this vulnerability to cause the system to crash. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/164506](<https://exchange.xforce.ibmcloud.com/vulnerabilities/164506>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-14283](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14283>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by an integer overflow and out-of-bounds read in the drivers/block/floppy.c. By using a specially-crafted floppy disk, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165352](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165352>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-15916](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15916>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a memory leak in register_queue_kobjects() in net/core/net-sysfs.c. A local attacker could exploit this vulnerability to cause the system to crash. \nCVSS Base score: 4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166559](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166559>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-16746](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16746>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by missing check of the length of variable elements in a beacon head by the net/wireless/nl80211.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the system to crash. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167566](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167566>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-18660](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18660>) \n** DESCRIPTION: **Linux Kernel for PowerPC could allow a local authenticated attacker to obtain sensitive information, caused by the failure to activate the mitigation for Spectre-RSB on context switch. By using side channel attacks, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172297](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172297>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2017-11166](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11166>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory-leak issue in the ReadXWDImage function in coders\\xwd.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to consume all available memory from the system. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/129048](<https://exchange.xforce.ibmcloud.com/vulnerabilities/129048>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2017-12805](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12805>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by an error in the function ReadTIFFImage. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/163486](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163486>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2017-12806](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12806>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory exhaustion in the function format8BIM. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/163485](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163485>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2017-18251](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18251>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in the ReadPCDImage function in coders/pcd.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/140899](<https://exchange.xforce.ibmcloud.com/vulnerabilities/140899>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2017-18252](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18252>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by an error in the MogrifyImageList function in MagickWand/mogrify.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause an assertion failure. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/140897](<https://exchange.xforce.ibmcloud.com/vulnerabilities/140897>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2017-18254](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18254>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in the WriteGIFImage function in coders/gif.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/140894](<https://exchange.xforce.ibmcloud.com/vulnerabilities/140894>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2017-18271](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18271>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by an infinite loop in the function ReadMIFFImage in coders/miff.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to consume all available CPU resources. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/143607](<https://exchange.xforce.ibmcloud.com/vulnerabilities/143607>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2017-18273](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18273>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by an infinite loop flaw in the function ReadTXTImage in coders/txt.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to consume all available CPU resources. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/143605](<https://exchange.xforce.ibmcloud.com/vulnerabilities/143605>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2017-1000476](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000476>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a CPU exhaustion flaw in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service. By persuading a victim to open a specailly-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/137214](<https://exchange.xforce.ibmcloud.com/vulnerabilities/137214>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-8804](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8804>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a double free flaw in the WriteEPTImage function in coders/ept.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/140527](<https://exchange.xforce.ibmcloud.com/vulnerabilities/140527>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-9133](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9133>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by excessive iteration in the DecodeLabImage and EncodeLabImage functions in coders/tiff.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/141069](<https://exchange.xforce.ibmcloud.com/vulnerabilities/141069>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-10177](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10177>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by an error in the ReadOneMNGImage function of the coders/png.c file. By persuading a victim to open a specially-crafted mng file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/141861](<https://exchange.xforce.ibmcloud.com/vulnerabilities/141861>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-10804](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10804>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in in WriteTIFFImage in coders/tiff.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/143002](<https://exchange.xforce.ibmcloud.com/vulnerabilities/143002>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-10805](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10805>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in ReadYCBCRImage in coders/ycbcr.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/142999](<https://exchange.xforce.ibmcloud.com/vulnerabilities/142999>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-11656](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11656>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in the ReadDCMImage function in coders/dcm.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/144266](<https://exchange.xforce.ibmcloud.com/vulnerabilities/144266>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-12599](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12599>) \n** DESCRIPTION: **ImageMagick is vulnerable to an out-of-bounds write, caused by improper bounds checking by the ReadBMPImage and WriteBMPImage in coders/bmp.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/145200](<https://exchange.xforce.ibmcloud.com/vulnerabilities/145200>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2018-12600](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12600>) \n** DESCRIPTION: **ImageMagick is vulnerable to an out-of-bounds write, caused by an error in the ReadDIBImage and WriteDIBImage functions in coders/dib.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/145199](<https://exchange.xforce.ibmcloud.com/vulnerabilities/145199>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2018-13153](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13153>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in the XMagickCommand function in MagickCore/animate.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to consume all available memory resources. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/145904](<https://exchange.xforce.ibmcloud.com/vulnerabilities/145904>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-14434](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14434>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in the WriteMPCImage function in coders/mpc.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/147148](<https://exchange.xforce.ibmcloud.com/vulnerabilities/147148>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-14435](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14435>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in the DecodeImage function in coders/pcd.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/147149](<https://exchange.xforce.ibmcloud.com/vulnerabilities/147149>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-14436](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14436>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in the ReadMIFFImage function in coders/miff.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/147150](<https://exchange.xforce.ibmcloud.com/vulnerabilities/147150>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-14437](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14437>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in the parse8BIM function in coders/meta.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/147151](<https://exchange.xforce.ibmcloud.com/vulnerabilities/147151>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-15607](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15607>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by improper input validation. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to consume all available CPU and memory resources. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148632](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148632>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2018-16328](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16328>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a NULL pointer dereference in the CheckEventLogging function in MagickCore/log.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/149251](<https://exchange.xforce.ibmcloud.com/vulnerabilities/149251>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-16749](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16749>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a missing NULL check in the ReadOneJNGImage function in coders/png.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/149742](<https://exchange.xforce.ibmcloud.com/vulnerabilities/149742>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-16750](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16750>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a missing NULL check in ReadOneJNGImage function in coders/png.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/149745](<https://exchange.xforce.ibmcloud.com/vulnerabilities/149745>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-18544](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18544>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in the WriteMSLImage function in coders/msl.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/151770](<https://exchange.xforce.ibmcloud.com/vulnerabilities/151770>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2018-20467](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20467>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by an error in coders/bmp.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/154790](<https://exchange.xforce.ibmcloud.com/vulnerabilities/154790>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-7175](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7175>) \n** DESCRIPTION: **ImageMagick could allow a remote attacker to obtain sensitive information, caused by memory leaks in DecodeImage in coders/pcd.c. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/158314](<https://exchange.xforce.ibmcloud.com/vulnerabilities/158314>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-7397](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7397>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by memory leaks in WritePDFImage in coders/pdf.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/156772](<https://exchange.xforce.ibmcloud.com/vulnerabilities/156772>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-7398](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7398>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in WriteDIBImage in coders/dib.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/156771](<https://exchange.xforce.ibmcloud.com/vulnerabilities/156771>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-9956](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9956>) \n** DESCRIPTION: **ImageMagick is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the PopHexPixel function in coders/ps.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code, or cause a denial of service condtion on the system. \nCVSS Base score: 7.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/158832](<https://exchange.xforce.ibmcloud.com/vulnerabilities/158832>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-10131](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10131>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by an off-by-one read flaw in the formatIPTCfromBuffer function in coders/meta.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/160672](<https://exchange.xforce.ibmcloud.com/vulnerabilities/160672>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-10650](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10650>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a heap-based buffer over-read in the WriteTIFFImage function in coders/tiff.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/160121](<https://exchange.xforce.ibmcloud.com/vulnerabilities/160121>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-11470](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11470>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by uncontrolled resource consumption in the ReadXWDImage function in coders/xwd.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/160055](<https://exchange.xforce.ibmcloud.com/vulnerabilities/160055>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-11472](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11472>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a divide-by-zero error in the ReadXWDImage function in coders/xwd.c. By persuading a victim to open a specially-crafted XWD image file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/160054](<https://exchange.xforce.ibmcloud.com/vulnerabilities/160054>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-11597](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11597>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a heap-based buffer over-read in the WritePNMImage function in coders/pnm.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service or possibly obtain sensitive information. \nCVSS Base score: 4.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/160255](<https://exchange.xforce.ibmcloud.com/vulnerabilities/160255>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L) \n \n** CVEID: **[CVE-2019-11598](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11598>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a heap-based buffer over-read in the WritePNMImage function in coders/pnm.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service or possibly obtain sensitive information. \nCVSS Base score: 4.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/160252](<https://exchange.xforce.ibmcloud.com/vulnerabilities/160252>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L) \n \n** CVEID: **[CVE-2019-12974](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12974>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a NULL pointer dereference in the ReadPANGOImage function in coders/pango.c and the ReadVIDImage function in coders/vid.c By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166345](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166345>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-12975](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12975>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in the WriteDPXImage function in coders/dpx.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166344](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166344>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-12976](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12976>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in the ReadPCLImage function in coders/pcl.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166343](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166343>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-12978](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12978>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by the use of uninitialized value vulnerability in the ReadPANGOImage function in coders/pango.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166341](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166341>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-12979](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12979>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by the use of uninitialized value vulnerability in the SyncImageSettings function in MagickCore/image.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166340](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166340>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-13133](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13133>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in the function ReadBMPImage in coders/bmp.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166014](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166014>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-13134](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13134>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in the function ReadVIFFImage in coders/viff.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166013](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166013>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-13135](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13135>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by an uninitialized value vulnerability in the function ReadCUTImage in coders/cut.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166009](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166009>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-13295](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13295>) \n** DESCRIPTION: **ImageMagick is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by AdaptiveThresholdImage in MagickCore/threshold.c. By sending a specially crafted command, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165675](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165675>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-13297](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13297>) \n** DESCRIPTION: **ImageMagick is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by AdaptiveThresholdImage in MagickCore/threshold.c. By sending a specially crafted command, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165674](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165674>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-13300](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13300>) \n** DESCRIPTION: **ImageMagick is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by EvaluateImages in MagickCore/statistic.c. By sending a specially crafted command, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165669](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165669>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-13301](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13301>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by memory leaks in AcquireMagickMemory due to AnnotateImage error. By sending a specially crafted command, a local attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165668](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165668>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-13304](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13304>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a stack-based buffer overflow at coders/pnm.c in WritePNMImage. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165718](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165718>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-13305](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13305>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a stack-based buffer overflow at coders/pnm.c in WritePNMImage. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165717](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165717>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-13306](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13306>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a stack-based buffer overflow at coders/pnm.c in WritePNMImage. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165716](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165716>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-13307](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13307>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-13309](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13309>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by memory leaks in the CLIListOperatorImages function in operation.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165704](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165704>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-13310](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13310>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by memory leaks in mogrify.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165705](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165705>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-13311](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13311>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by memory leaks in mogrify.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165706](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165706>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-13454](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13454>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a divide by zero flaw in the RemoveDuplicateLayers function in MagickCore/layer.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165496](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165496>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-14980](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14980>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a use after free vulnerability in the UnmapBlob function. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165267](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165267>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-14981](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14981>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a divide-by-zero vulnerability in the MeanShiftImage function. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165265](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165265>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-15139](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15139>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by an out-of-bounds read in ReadXWDImage in coders/xwd.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165518](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165518>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-15140](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15140>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a use-after-free in the coders/mat.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165517](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165517>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-15141](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15141>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a heap-based buffer over-read in the WriteTIFFImage in coders/tiff.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165516](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165516>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-16708](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16708>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in magick/xwindow.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167438](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167438>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-16709](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16709>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in coders/dps.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167436](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167436>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-16710](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16710>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in in coders/dot.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167434](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167434>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-16711](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16711>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in Huffman2DEncodeImage in coders/ps2.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167431](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167431>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-16712](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16712>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in Huffman2DEncodeImage in coders/ps3.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167430](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167430>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-16713](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16713>) \n** DESCRIPTION: **ImageMagick is vulnerable to a denial of service, caused by a memory leak in coders/dot.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167429](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167429>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-17540](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17540>) \n** DESCRIPTION: **ImageMagick is vulnerable to a heap-based buffer overflow, caused by a flaw in the ReadPSInfo function in coders/ps.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 7.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168960](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168960>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-17541](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17541>) \n** DESCRIPTION: **ImageMagick could allow a remote attacker to execute arbitrary code on the system, caused by a heap use-after-free in the DestroyStringInfo function in MagickCore/string.c. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168961](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168961>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-19948](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19948>) \n** DESCRIPTION: **ImageMagick is vulnerable to a heap-based buffer overflow, caused by a flaw in the WriteSGIImage function in coders/sgi.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 7.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173480](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173480>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-19949](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19949>) \n** DESCRIPTION: **ImageMagick is vulnerable to a heap-based buffer overflow, caused by a flaw in the WritePNGImage function in coders/png.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 7.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173481](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173481>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-2654](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2654>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174601](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174601>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-10768](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10768>) \n** DESCRIPTION: **AngularJS could allow a remote attacker to bypass security restrictions, caused by a prototype pollution flaw in the merge function. By sending a specially-crafted request using a constructor payload, a remote attacker could exploit this vulnerability to add or modify properties of Object.prototype. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172185](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172185>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-4614](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4614>) \n** DESCRIPTION: **IBM Data Risk Manager (iDNA) 2.0.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt sensitive information. IBM X-Force ID: 184927. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184927](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184927>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-19242](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19242>) \n** DESCRIPTION: **An unspecified error with the mishandling of pExpr-&gt;y.pTab in the sqlite3ExprCodeTarget function in expr.c in SQLite has an unknown impact and attack vector. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172151](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172151>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-19244](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19244>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by an error in sqlite3Select in select.c. By providing specially crafted input, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172196](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172196>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-10072](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10072>) \n** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service, caused by HTTP/2 connection window exhaustion on write. By failing to send WINDOW_UPDATE messages, a remote attacker could exploit this vulnerability to block threads on the server and cause a denial of service. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162806](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162806>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-7656](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7656>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the load method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim&#39;s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim&#39;s cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182264](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182264>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-4613](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4613>) \n** DESCRIPTION: **IBM Data Risk Manager (iDNA) 2.0.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 184925. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184925](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184925>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-12888](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12888>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by improper handling of attempts to access disabled memory space by the VFIO PCI driver. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182003](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182003>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-4618](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4618>) \n** DESCRIPTION: **IBM Data Risk Manager (iDNA) 2.0.6 could allow a privileged user to cause a denial of service due to improper input validation. IBM X-Force ID: 184937. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184937](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184937>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H) \n \n** CVEID: **[CVE-2020-4611](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4611>) \n** DESCRIPTION: **IBM Data Risk Manager (iDNA) 2.0.6 could allow an authenticated user to bypass security and execute actions reserved for admins. IBM X-Force ID: 184922. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184922](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184922>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-1720](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1720>) \n** DESCRIPTION: **PostgreSQL could allow a remote authenticated attacker to bypass security restrictions, caused by improper authorization validation by the ALTER \u2026 DEPENDS ON EXTENSION sub-commands. By sending a specially-crafted request, an attacker could exploit this vulnerability to drop any function, procedure, materialized view, index, or trigger under certain conditions. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176286](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176286>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) \n \n** CVEID: **[CVE-2013-7285](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285>) \n** DESCRIPTION: **XStream could allow a remote attacker to execute arbitrary code on the system, caused by an error in the XMLGenerator API. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause the application to crash. \nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/90229](<https://exchange.xforce.ibmcloud.com/vulnerabilities/90229>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2019-10173](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10173>) \n** DESCRIPTION: **xstream API could allow a remote attacker to execute arbitrary commands on the system, caused by insecure XML deserialization. By sending a specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary commands on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/164187](<https://exchange.xforce.ibmcloud.com/vulnerabilities/164187>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-14062](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14062>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183425](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183425>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-14061](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14061>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183424](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183424>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-14060](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14060>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183422](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183422>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-3774](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3774>) \n** DESCRIPTION: **Pivotal Spring Batch could allow a remote attacker to obtain sensitive information, caused by improper handling of XML External Entity (XXE). By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to obtain sensitive information from the system. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155922](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155922>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-2989](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2989>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact. \nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169295](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169295>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2019-2958](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2958>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169264](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169264>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2019-2977](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2977>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the VM component could allow an unauthenticated attacker to cause low confidentiality impact, no integrity impact, and low availability impact. \nCVSS Base score: 4.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169283](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169283>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L) \n \n** CVEID: **[CVE-2019-2975](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2975>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Scripting component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and low availability impact. \nCVSS Base score: 4.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169281](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169281>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L) \n \n** CVEID: **[CVE-2019-2999](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2999>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Javadoc component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 4.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169305](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169305>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-2996](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2996>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Deployment component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 4.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169302](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169302>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-2894](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2894>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169207](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169207>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-2992](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2992>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169298](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169298>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-2988](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2988>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169294](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169294>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-2987](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2987>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169293](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169293>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-2983](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2983>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169289](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169289>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-2981](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2981>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169287](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169287>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-2978](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2978>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Networking component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169284](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169284>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-2973](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2973>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169279](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169279>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-2962](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2962>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169268](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169268>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-2964](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2964>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169270](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169270>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-2945](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2945>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Networking component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169250](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169250>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-2933](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2933>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. \nCVSS Base score: 3.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169238](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169238>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-17631](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17631>) \n** DESCRIPTION: **Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to performs an authorization check when an actor attempts to access a resource or perform an action. An attacker could exploit this vulnerability to gain access to diagnostic operations such as causing a GC or creating a diagnostic file. \nCVSS Base score: 8.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169513](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169513>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-20677](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the affix configuration target property. A remote attacker could exploit this vulnerability to execute script in a victim&#39;s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim&#39;s cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155337](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155337>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-14042](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14042>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the data-container property of tooltip. A remote attacker could exploit this vulnerability to execute script in a victim&#39;s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim&#39;s cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/146466](<https://exchange.xforce.ibmcloud.com/vulnerabilities/146466>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2016-10735](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the data-target attribute. A remote attacker could exploit this vulnerability to execute script in a victim&#39;s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim&#39;s cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155339](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155339>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-13990](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13990>) \n** DESCRIPTION: **Terracotta could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the initDocumentParser function in xml/XMLSchedulingDataProcessor.java. By persuading a victim to open specially-crafted XML content, a remote attacker could exploit this vulnerability to read arbitrary files. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165431](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165431>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-4612](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4612>) \n** DESCRIPTION: **IBM Data Risk Manager (iDNA) 2.0.6 could allow an authenticated user to obtain sensitive information using a specially crafted HTTP request. IBM X-Force ID: 184924. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184924](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184924>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-19925](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19925>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by the mishandling of a NULL pathname in the zipfileUpdate function in ext/misc/zipfile.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173496](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173496>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-19645](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by an infinite recursion flaw in alter.c. By sending a specially-crafted request using certain types of self-referential views in conjunction with ALTER TABLE statements, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172774](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172774>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-19603](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19603>) \n** DESCRIPTION: **An error during handling of CREATE TABLE and CREATE VIEW statements in SQLite has an unknown impact via a specially crafted table name. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172765](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172765>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-19924](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19924>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by the mishandling of certain parser-tree rewriting in the sqlite3WindowRewrite function in expr.c, vdbeaux.c, and window.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173495](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173495>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-19923](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19923>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in the lattenSubquery function in select.c. By sending a specially-crafted request with the use of SELECT DISTINCT involving a LEFT JOIN, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173490](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173490>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-19880](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19880>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by an invalid pointer dereference in exprListAppendList in window.c. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173387](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173387>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-19646](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19646>) \n** DESCRIPTION: **An unspecified error related to the mishandling of NOT NULL in an integrity_check PRAGMA command in pragma.c in SQLite has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172776](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172776>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2019-19926](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19926>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by the mishandling of certain errors during parsing in the multiSelect function in select.c. By sending specially-crafted sqlite3WindowRewrite() calls, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173497](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173497>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-19959](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19959>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by the mishandling of certain uses of INSERT INTO in situations involving embedded &#39;\\0&#39; characters in filenames. By using a specially-crafted filename, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174011](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174011>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-20218](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20218>) \n** DESCRIPTION: **An unspecified error in selectExpander in select.c in SQLite has an unknown impact and attack vector. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173900](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173900>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-4619](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4619>) \n** DESCRIPTION: **IBM Data Risk Manager (iDNA) 2.0.6 stores user credentials in plain in clear text which can be read by an authenticated user. IBM X-Force ID: 184976. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184976](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184976>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-11868](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11868>) \n** DESCRIPTION: **NTP is vulnerable to a denial of service, caused by a flaw in ntpd. By sending a server mode packet with a spoofed source IP address, a remote attacker could exploit this vulnerability to block unauthenticated synchronization resulting in a denial of service condition. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/180011](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180011>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-12418](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418>) \n** DESCRIPTION: **Apache Tomcat could allow a local attacker to gain elevated privileges on the system, caused by a flaw when configured with the JMX Remote Lifecycle Listener. By using man-in-the-middle attack techniques, an attacker could exploit this vulnerability to capture user names and passwords used to access the JMX interface and gain elevated privileges. \nCVSS Base score: 8.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173626](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173626>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-17563](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563>) \n** DESCRIPTION: **Apache Tomcat could allow a local attacker to hijack a user&#39;s session. By using the FORM authentication function, an attacker could exploit this vulnerability to gain access to another user&#39;s session. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173558](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173558>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-2805](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2805>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Libraries component could allow an unauthenticated attacker to take control of the system. \nCVSS Base score: 8.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179703](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179703>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-2803](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2803>) \n** DESCRIPTION: **An unspecified vulnerability in multiple Oracle products could allow an unauthenticated attacker to take control of the system. \nCVSS Base score: 8.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179701](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179701>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-2830](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2830>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179728](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179728>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-2781](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2781>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179681](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179681>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-2800](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2800>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Lightweight HTTP Server component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 4.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179698](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179698>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-2757](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2757>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179657](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179657>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-2756](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2756>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179656](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179656>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-2755](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2755>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Scripting component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179655](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179655>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-2754](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2754>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Scripting component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179654](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179654>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2017-12620](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12620>) \n** DESCRIPTION: **Apache OpenNLP could allow a remote attacker to obtain sensitive information, caused by an XXE attack when loading models or dictionaries that contain XML. By using a specially-crafted XML file, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/133034](<https://exchange.xforce.ibmcloud.com/vulnerabilities/133034>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L) \n \n** CVEID: **[CVE-2015-0254](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254>) \n** DESCRIPTION: **Apache Standard Taglibs could allow a remote attacker to execute arbitrary code on the system, caused by an XML External Entity Injection (XXE) error when processing XML data. By sending specially-crafted XML data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/101550](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101550>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2020-2604](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2604>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE could allow an unauthenticated attacker to take control of the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174551](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174551>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-2593](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2593>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 4.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174541](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174541>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-2659](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2659>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Networking component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174606](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174606>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-2583](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2583>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174531](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174531>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-4732](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4732>) \n** DESCRIPTION: **IBM SDK, Java Technology Edition Version 7.0.0.0 through 7.0.10.55, 7.1.0.0 through 7.1.4.55, and 8.0.0.0 through 8.0.6.0 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. By placing a specially-crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 172618. \nCVSS Base score: 7.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172618](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172618>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4622](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4622>) \n** DESCRIPTION: **IBM Data Risk Manager (iDNA) 2.0.6 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 184983. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184983](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184983>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-4616](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4616>) \n** DESCRIPTION: **IBM Data Risk Manager (iDNA) 2.0.6 could disclose sensitive username information to an attacker using a specially crafted HTTP request. IBM X-Force ID: 184929. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184929](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184929>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-4615](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4615>) \n** DESCRIPTION: **IBM Data Risk Manager (iDNA) 2.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 184928. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184928](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184928>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Data Risk Manager| 2.0.6 \n \n## Remediation/Fixes\n\nTo obtain fixes for all reported issues, customers are advised first to upgrade to v2.0.6.4, and then apply the latest fixpacks (2.0.6.5 and then 2.0.6.6. None of them is cumulative - it must be applied on top of 2.0.6.4 in sequence).\n\n_Product_| _VRMF_| _APAR \n_| _Remediation / First Fix_ \n---|---|---|--- \nIBM Data Risk Manager| 2.0.6| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.1_Fixpack ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.4.1&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.2_Fixpack ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.1&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.3_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.2&platform=Linux&function=all>)\n\n4) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=All&platform=Linux&function=fixId&fixids=IDRM_2.0.6.4_Fixpack&includeSupersedes=0> \"DRM_2.0.6.4_FixPack\" )\n\n5) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=fixId&fixids=IDRM_2.0.6.5_Fixpack&includeSupersedes=0>)\n\n6) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=All&platform=Linux&function=fixId&fixids=IDRM_2.0.6.6_Fixpack&includeSupersedes=0> \"DRM_2.0.6.4_FixPack\" ) \n \nIBM Data Risk Manager| 2.0.6.1| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.2_Fixpack ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.1&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.3_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.2&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=All&platform=Linux&function=fixId&fixids=IDRM_2.0.6.4_Fixpack&includeSupersedes=0> \"DRM_2.0.6.4_FixPack\" )\n\n4) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=fixId&fixids=IDRM_2.0.6.5_Fixpack&includeSupersedes=0>)\n\n5) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=All&platform=Linux&function=fixId&fixids=IDRM_2.0.6.6_Fixpack&includeSupersedes=0> \"DRM_2.0.6.4_FixPack\" ) \n \nIBM Data Risk Manager| 2.0.6.2| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.3_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.2&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=All&platform=Linux&function=fixId&fixids=IDRM_2.0.6.4_Fixpack&includeSupersedes=0> \"DRM_2.0.6.4_FixPack\" )\n\n3) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=fixId&fixids=IDRM_2.0.6.5_Fixpack&includeSupersedes=0>)\n\n4) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=All&platform=Linux&function=fixId&fixids=IDRM_2.0.6.6_Fixpack&includeSupersedes=0> \"DRM_2.0.6.4_FixPack\" ) \n \nIBM Data Risk Manager| 2.0.6.3| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=All&platform=Linux&function=fixId&fixids=IDRM_2.0.6.4_Fixpack&includeSupersedes=0> \"DRM_2.0.6.4_FixPack\" )\n\n2) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=fixId&fixids=IDRM_2.0.6.5_Fixpack&includeSupersedes=0>)\n\n3) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=All&platform=Linux&function=fixId&fixids=IDRM_2.0.6.6_Fixpack&includeSupersedes=0> \"DRM_2.0.6.4_FixPack\" ) \n \nIBM Data Risk Manager| 2.0.6.4| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=fixId&fixids=IDRM_2.0.6.5_Fixpack&includeSupersedes=0>)\n\n2) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=All&platform=Linux&function=fixId&fixids=IDRM_2.0.6.6_Fixpack&includeSupersedes=0> \"DRM_2.0.6.4_FixPack\" ) \n \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nJohn Zuccato, Rodney Ryan, Chris Shepherd, Nathan Roane, Kamil Sarbinowski, Vince Dragnea, Troy Fisher and Elaheh Samani from IBM X-Force Ethical Hacking Team., John Zuccato, Rodney Ryan, Chris Shepherd, Nathan Roane, Kamil Sarbinowski, Vince Dragnea\n\n## Change History\n\n21 September, 2020: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSJQ6V\",\"label\":\"IBM Data Risk Manager\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"2.0.6\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-13T22:15:02", "type": "ibm", "title": "Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-7285", "CVE-2015-0254", "CVE-2015-2716", "CVE-2015-9289", "CVE-2016-10735", "CVE-2017-1000476", "CVE-2017-11166", "CVE-2017-12620", "CVE-2017-12626", "CVE-2017-12805", "CVE-2017-12806", "CVE-2017-15095", "CVE-2017-17485", "CVE-2017-17807", "CVE-2017-18251", "CVE-2017-18252", "CVE-2017-18254", "CVE-2017-18271", "CVE-2017-18273", "CVE-2017-7525", "CVE-2018-1000873", "CVE-2018-10177", "CVE-2018-10360", "CVE-2018-10804", "CVE-2018-10805", "CVE-2018-1116", "CVE-2018-11656", "CVE-2018-12599", "CVE-2018-12600", "CVE-2018-13153", "CVE-2018-14042", "CVE-2018-14434", "CVE-2018-14435", "CVE-2018-14436", "CVE-2018-14437", "CVE-2018-14718", "CVE-2018-15607", "CVE-2018-16328", "CVE-2018-16749", "CVE-2018-16750", "CVE-2018-18544", "CVE-2018-18751", "CVE-2018-19985", "CVE-2018-20169", "CVE-2018-20467", "CVE-2018-20677", "CVE-2018-20852", "CVE-2018-5745", "CVE-2018-5968", "CVE-2018-7191", "CVE-2018-7489", "CVE-2018-8804", "CVE-2018-9133", "CVE-2019-10072", "CVE-2019-10131", "CVE-2019-10172", "CVE-2019-10173", "CVE-2019-10207", "CVE-2019-10638", "CVE-2019-10639", "CVE-2019-10650", "CVE-2019-10768", "CVE-2019-11190", "CVE-2019-11470", "CVE-2019-11472", "CVE-2019-11487", "CVE-2019-11597", "CVE-2019-11598", "CVE-2019-11729", "CVE-2019-11745", "CVE-2019-11884", "CVE-2019-12382", "CVE-2019-12384", "CVE-2019-12418", "CVE-2019-12974", "CVE-2019-12975", "CVE-2019-12976", "CVE-2019-12978", "CVE-2019-12979", "CVE-2019-13133", "CVE-2019-13134", "CVE-2019-13135", "CVE-2019-13233", "CVE-2019-13295", "CVE-2019-13297", "CVE-2019-13300", "CVE-2019-13301", "CVE-2019-13304", "CVE-2019-13305", "CVE-2019-13306", "CVE-2019-13307", "CVE-2019-13309", "CVE-2019-13310", "CVE-2019-13311", "CVE-2019-13454", "CVE-2019-13648", "CVE-2019-13734", "CVE-2019-13990", "CVE-2019-14283", "CVE-2019-14540", "CVE-2019-14816", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-14895", "CVE-2019-14898", "CVE-2019-14901", "CVE-2019-14980", "CVE-2019-14981", "CVE-2019-15139", "CVE-2019-15140", "CVE-2019-15141", "CVE-2019-15916", "CVE-2019-16056", "CVE-2019-16168", "CVE-2019-16335", "CVE-2019-16708", "CVE-2019-16709", "CVE-2019-16710", "CVE-2019-16711", "CVE-2019-16712", "CVE-2019-16713", "CVE-2019-16746", "CVE-2019-17041", "CVE-2019-17042", "CVE-2019-17133", "CVE-2019-17267", "CVE-2019-17540", "CVE-2019-17541", "CVE-2019-17563", "CVE-2019-17569", "CVE-2019-17631", "CVE-2019-17666", "CVE-2019-18634", "CVE-2019-18660", "CVE-2019-19242", "CVE-2019-19244", "CVE-2019-19317", "CVE-2019-19338", "CVE-2019-19603", "CVE-2019-19645", "CVE-2019-19646", "CVE-2019-19880", "CVE-2019-19923", "CVE-2019-19924", "CVE-2019-19925", "CVE-2019-19926", "CVE-2019-19948", "CVE-2019-19949", "CVE-2019-19959", "CVE-2019-20218", "CVE-2019-2894", "CVE-2019-2933", "CVE-2019-2945", "CVE-2019-2949", "CVE-2019-2958", "CVE-2019-2962", "CVE-2019-2964", "CVE-2019-2973", "CVE-2019-2975", "CVE-2019-2977", "CVE-2019-2978", "CVE-2019-2981", "CVE-2019-2983", "CVE-2019-2987", "CVE-2019-2988", "CVE-2019-2989", "CVE-2019-2992", "CVE-2019-2996", "CVE-2019-2999", "CVE-2019-3774", "CVE-2019-3820", "CVE-2019-3901", "CVE-2019-4732", "CVE-2019-5436", "CVE-2019-6465", "CVE-2019-6477", "CVE-2019-7175", "CVE-2019-7397", "CVE-2019-7398", "CVE-2019-9503", "CVE-2019-9924", "CVE-2019-9956", "CVE-2020-10531", "CVE-2020-10672", "CVE-2020-10673", "CVE-2020-10968", "CVE-2020-10969", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11111", "CVE-2020-11112", "CVE-2020-11113", "CVE-2020-11619", "CVE-2020-11620", "CVE-2020-11868", "CVE-2020-11996", "CVE-2020-12888", "CVE-2020-13871", "CVE-2020-14060", "CVE-2020-14061", "CVE-2020-14062", "CVE-2020-14195", "CVE-2020-15025", "CVE-2020-1720", "CVE-2020-1935", "CVE-2020-1938", "CVE-2020-2583", "CVE-2020-2593", "CVE-2020-2604", "CVE-2020-2654", "CVE-2020-2659", "CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2805", "CVE-2020-2830", "CVE-2020-4611", "CVE-2020-4612", "CVE-2020-4613", "CVE-2020-4614", "CVE-2020-4615", "CVE-2020-4616", "CVE-2020-4617", "CVE-2020-4618", "CVE-2020-4619", "CVE-2020-4620", "CVE-2020-4621", "CVE-2020-4622", "CVE-2020-5398", "CVE-2020-7656", "CVE-2020-9484"], "modified": "2021-08-13T22:15:02", "id": "2FE97BC0DB8A3B1BCF85FF8F69828770D4396C7CC3ABD37202D8089D2CADF87B", "href": "https://www.ibm.com/support/pages/node/6335281", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:44:09", "description": "## Summary\n\nCloud Pak for Security (CP4S) v1.8.1.0 and earlier uses packages that are vulnerable to several CVEs. These have been remediated in the latest product release. Please see below for CVE details and the Remediation section for upgrade instructions. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2015-8985](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8985>) \n** DESCRIPTION: **glibc is vulnerable to a denial of service, caused by a flaw in the pop_fail_stack function. By using a specially crafted extended regular expression, a remote attacker could cause an assertion failure and application crash. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/126591](<https://exchange.xforce.ibmcloud.com/vulnerabilities/126591>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2015-8984](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8984>) \n** DESCRIPTION: **glibc is vulnerable to a denial of service, caused by an out-of-bounds read in the fnmatch function. By using a malformed pattern, a remote attacker could cause the application crash. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/126595](<https://exchange.xforce.ibmcloud.com/vulnerabilities/126595>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-3426](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3426>) \n** DESCRIPTION: **Python pydoc module could allow a remote attacker from within the local network obtain sensitive information. By starting the pydoc server, an attacker could exploit this vulnerability to extract arbitrary files. \nCVSS Base score: 5.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/201171](<https://exchange.xforce.ibmcloud.com/vulnerabilities/201171>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2007-3716](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3716>) \n** DESCRIPTION: **Sun JRE (Java Runtime Environment) and JDK (Java Developer's Kit) could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability in the XML Digital Signature implementation. By sending a specially-crafted XML signature containing a malicious XSLT stylesheet, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the application's permissions. \nCVSS Base score: 5.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/35332](<https://exchange.xforce.ibmcloud.com/vulnerabilities/35332>) for the current score. \nCVSS Vector: \n \n** CVEID: **[CVE-2017-18018](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018>) \n** DESCRIPTION: **GNU Coreutils could allow a local attacker to bypass security restrictions, caused by not preventing replacement of a plain file with a symlink issue in chown-core.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to modify the ownership of arbitrary files. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/137123](<https://exchange.xforce.ibmcloud.com/vulnerabilities/137123>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2018-17101](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17101>) \n** DESCRIPTION: **LibTIFF is vulnerable to a denial of service, caused by an out-of-bounds write in cpTags in tools/tiff2bw.c and tools/pal2rgb.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/149976](<https://exchange.xforce.ibmcloud.com/vulnerabilities/149976>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-10001](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10001>) \n** DESCRIPTION: **Apple macOS could allow a remote attacker to obtain sensitive information, caused by improper input validation by the CUPS component. By persuading a victim to open a specially-crafted application, an attacker could exploit this vulnerability to obtain restricted memory information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/199353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/199353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-35448](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35448>) \n** DESCRIPTION: **GNU Binutils is vulnerable to a denial of service, caused by a heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c in the Binary File Descriptor (BFD) library (aka libbfd). By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/193875](<https://exchange.xforce.ibmcloud.com/vulnerabilities/193875>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-26927](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26927>) \n** DESCRIPTION: **JasPer is vulnerable to a denial of service, caused by a NULL pointer dereference in jp2_decode in jp2_dec.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/197351](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197351>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-28153](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28153>) \n** DESCRIPTION: **GNOME GLib could allow a remote attacker to bypass security restrictions, caused by a flaw when g_file_replace() function is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink. By persuading a victim to open a specially-crafted ZIP archive, an attacker could exploit this vulnerability to overwrite arbitrary files on the sytem. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198147](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198147>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2017-13728](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13728>) \n** DESCRIPTION: **GNU ncurses is vulnerable to a denial of service, caused by an error in the next_char function in comp_scan.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/131172](<https://exchange.xforce.ibmcloud.com/vulnerabilities/131172>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2017-7613](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7613>) \n** DESCRIPTION: **Elfutils is vulnerable to a denial of service, caused by memory allocation failure in elflint.c . By persuading a victim to open a crafted ELF file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/124513](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124513>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2017-7612](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7612>) \n** DESCRIPTION: **Elfutils is vulnerable to a denial of service, caused by heap-based buffer over-read in the check_sysv_hash function in elflint.c. By persuading a victim to open a crafted ELF file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/124512](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124512>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2017-7611](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7611>) \n** DESCRIPTION: **Elfutils is vulnerable to a denial of service, caused by heap-based buffer over-read in check_symtab_shndx function in elflint.c . By persuading a victim to open a crafted ELF file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/124511](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124511>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2017-7610](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7610>) \n** DESCRIPTION: **Elfutils is vulnerable to a denial of service, caused by heap-based buffer over-read check_group function in elflint.c. By persuading a victim to open a crafted ELF file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/124510](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124510>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2017-7609](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7609>) \n** DESCRIPTION: **Elfutils is vulnerable to a denial of service, caused by memory consumption in elf_compress.c. By persuading a victim to open a crafted ELF file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/124509](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124509>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2017-7608](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7608>) \n** DESCRIPTION: **Elfutils is vulnerable to a denial of service, caused by heap-based buffer over-read in ebl_object_note_type_name function in eblobjnotetypename.c. By persuading a victim to open a crafted ELF file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/124508](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124508>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2017-7607](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7607>) \n** DESCRIPTION: **Elfutils is vulnerable to a denial of service, caused by heap-based buffer over-read handle_gnu_hash function in readelf.c. By persuading a victim to open a crafted ELF file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/124507](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124507>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2016-10255](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10255>) \n** DESCRIPTION: **Elfutils is vulnerable to a denial of service, caused by memory allocation failure in __libelf_set_rawdata_wrlock function in elf_getdata.c. By persuading a victim to open a specially crafted ELF file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/124088](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124088>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2016-10254](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10254>) \n** DESCRIPTION: **Elfutils is vulnerable to a denial of service, caused by memory allocation failure in allocate_elf function in common.h. By persuading a victim to open a crafted ELF file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/124086](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124086>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2017-14062](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14062>) \n** DESCRIPTION: **Libidn2 is vulnerable to a denial of service, caused by an integer overflow in the decode_digit function in puny_decode.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/131302](<https://exchange.xforce.ibmcloud.com/vulnerabilities/131302>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2017-7246](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7246>) \n** DESCRIPTION: **PCRE is vulnerable to a denial of service, caused by a stack-based buffer overflow flaw in the pcre32_copy_substring function in pcre_get.c in libpcre1. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash or other unspecified impact. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/123733](<https://exchange.xforce.ibmcloud.com/vulnerabilities/123733>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2017-7245](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7245>) \n** DESCRIPTION: **PCRE is vulnerable to a denial of service, caused by a stack-based buffer overflow flaw in the pcre32_copy_substring function in pcre_get.c in libpcre1. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash or other unspecified impact. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/123732](<https://exchange.xforce.ibmcloud.com/vulnerabilities/123732>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2016-4984](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4984>) \n** DESCRIPTION: **openldap-servers could allow a local authenticated attacker to obtain sensitive information, caused by a weak permission for /usr/libexec/openldap/generate-server-cert.sh issue. By leveraging a race condition between the creation of the certificate, a local attacker could exploit this vulnerability to obtain the TLS certificate. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/129440](<https://exchange.xforce.ibmcloud.com/vulnerabilities/129440>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2016-9318](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9318>) \n** DESCRIPTION: **Libxml2 could allow a remote attacker to obtain sensitive information, caused by failure to offer a flag directly indicating the status of current document. By using a specially-crafted document to conduct a XML external entity (XXE) attack, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/119018](<https://exchange.xforce.ibmcloud.com/vulnerabilities/119018>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2016-4493](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4493>) \n** DESCRIPTION: **GNU Compiler Collection (GCC) is vulnerable to a denial of service, caused by a read access violation in demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty. An attacker could exploit this vulnerability using a specially crafted binary to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/116387](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116387>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2017-13685](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13685>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by a NULL pointer dereference in the dump_callback function. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/131204](<https://exchange.xforce.ibmcloud.com/vulnerabilities/131204>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2018-20483](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483>) \n** DESCRIPTION: **GNU Wget could allow a local authenticated attacker to obtain sensitive information, caused by the storing of the origin URL in the user.xdg.origin.url metadata in the set_file_metadata function in xattr.c. By reading the metadata attribute, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/154793](<https://exchange.xforce.ibmcloud.com/vulnerabilities/154793>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2021-30720](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30720>) \n** DESCRIPTION: **Apple iOS and iPadOS could allow a remote attacker to bypass security restrictions, caused by a logic issue in the WebKit component. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to access restricted ports on arbitrary servers. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/202349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/202349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-8908](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908>) \n** DESCRIPTION: **Guava could allow a remote authenticated attacker to bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(). By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192996](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192996>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2016-10707](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10707>) \n** DESCRIPTION: **jQuery is vulnerable to a denial of service, caused by removing a logic that lowercased attribute names. By using a mixed-cased name for boolean attributes, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138030](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138030>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-18074](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18074>) \n** DESCRIPTION: **The Requests package for Python could allow a remote attacker to obtain sensitive information, caused by sending information in an insecure manner. By sniffing the network, a remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/151296](<https://exchange.xforce.ibmcloud.com/vulnerabilities/151296>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-3721](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3721>) \n** DESCRIPTION: **Node.js lodash module could allow a remote attacker to bypass security restrictions, caused by a flaw in the defaultsDeep, 'merge, and mergeWith functions. By modifing the prototype of Object, an attacker could exploit this vulnerability to add or modify existing property that will exist on all objects. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/144603](<https://exchange.xforce.ibmcloud.com/vulnerabilities/144603>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2019-18874](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18874>) \n** DESCRIPTION: **psutil is vulnerable to a denial of service, caused by a double free. By using specially-crafted data, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171612](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171612>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-14145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14145>) \n** DESCRIPTION: **OpenSSH is vulnerable to a man-in-the-middle attack, caused by an observable discrepancy flaw. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184514>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-24025](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24025>) \n** DESCRIPTION: **node-sass could allow a remote attacker to bypass security restrictions, caused by the disablement of certificate validation when requesting binaries even if the user is not specifying an alternative download path. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/195029](<https://exchange.xforce.ibmcloud.com/vulnerabilities/195029>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-24370](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24370>) \n** DESCRIPTION: **Lua is vulnerable to a denial of service, caused by a negation overflow and segmentation fault in getlocal and setlocal. A remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186868](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186868>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-28168](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28168>) \n** DESCRIPTION: **Node.js axios module is vulnerable to server-side request forgery, caused by improper input validation. By providing a URL that responds with a redirect to a restricted host or IP address, an attacker could exploit this vulnerability to conduct SSRF attack to bypass a proxy. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/191660](<https://exchange.xforce.ibmcloud.com/vulnerabilities/191660>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2021-30641](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30641>) \n** DESCRIPTION: **Apache HTTP Server could provide weaker than expected security, caused by unexpected URL matching behavior with 'MergeSlashes OFF. An attacker could exploit this vulnerability to match URLs from all sites in the same domain and launch further attacks on the system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/203459](<https://exchange.xforce.ibmcloud.com/vulnerabilities/203459>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2021-31535](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31535>) \n** DESCRIPTION: **X.Org libX11 is vulnerable to a denial of service, caused by improper input validation by the length of the string parameters. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause emission of extra X protocol requests to the X server, and results in a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/202043](<https://exchange.xforce.ibmcloud.com/vulnerabilities/202043>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2021-33503](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33503>) \n** DESCRIPTION: **urllib3 is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw due to catastrophic backtracking. By sending a specially-crafted URL request, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/203109](<https://exchange.xforce.ibmcloud.com/vulnerabilities/203109>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2021-33928](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33928>) \n** DESCRIPTION: **Libsolv is vulnerable to a denial of service, caused by a heap-based buffer overflow in the pool_installable in src/repo.h function. A remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2021-33929](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33929>) \n** DESCRIPTION: **Libsolv is vulnerable to a denial of service, caused by a heap-based buffer overflow in the pool_disabled_solvable in src/repo.h. A remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208665](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208665>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2021-33930](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33930>) \n** DESCRIPTION: **Libsolv is vulnerable to a denial of service, caused by a heap-based buffer overflow in the pool_installable_whatprovides in src/repo.h function. A remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208664](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208664>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2021-33938](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33938>) \n** DESCRIPTION: **Libsolv is vulnerable to a denial of service, caused by a heap-based buffer overflow in the prune_to_recommended in src/policy.c function. An attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208663](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208663>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2021-35556](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35556>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Swing component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211632](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211632>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2021-35559](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35559>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Swing component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211635](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211635>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2021-35561](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35561>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Utility component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211637](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211637>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2021-35564](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35564>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Keytool component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211640](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211640>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2021-35565](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35565>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211641](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211641>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2021-35578](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35578>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211654](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211654>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2021-35586](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35586>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the ImageIO component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211661](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211661>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-29362](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29362>) \n** DESCRIPTION: **p11-glue p11-kit could allow a remote attacker to obtain sensitive information, caused by a heap-based buffer over-read flaw in the RPC protocol. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain up to 4 bytes of memory past the heap allocation, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/193533](<https://exchange.xforce.ibmcloud.com/vulnerabilities/193533>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2017-6891](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6891>) \n** DESCRIPTION: **GnuTLS libtasn1 is vulnerable to a stack-based buffer overflow, caused by 2 errors in the asn1_find_node function in lib/parser_aux.c. By persuading a victim to open a specially-crafted assignments file, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/127214](<https://exchange.xforce.ibmcloud.com/vulnerabilities/127214>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2016-4008](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4008>) \n** DESCRIPTION: **GNU Libtasn1 is vulnerable to a denial of service, caused by improper handling of the ASN1_DECODE_FLAG_STRICT_DER flag in _asn1_extract_der_octet function in lib/decoding.c. By using a malformed certificate, a remote attacker could exploit this vulnerability to cause the application to stop responding. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/113127](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113127>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2017-8817](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817>) \n** DESCRIPTION: **cURL libcurl could allow a remote attacker to bypass security restrictions, caused by an out-of-bounds read flaw in the FTP wildcard matching function (CURLOPT_WILDCARDMATCH). By using a string that ends with an '[' character, an attacker could exploit this vulnerability to redirect the victim to an arbitrary site. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/135658](<https://exchange.xforce.ibmcloud.com/vulnerabilities/135658>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2016-8625](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625>) \n** DESCRIPTION: **cURL/libcurl could provide weaker than expected security, caused by the translation of International Domain Names (IDNA) to puny code for DNS resolving using the IDNA 2003 standard. An attacker could exploit this vulnerability to issue network transfer requests to the wrong host. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/118644](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118644>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2016-8624](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624>) \n** DESCRIPTION: **cURL/libcurl could allow a remote attacker to bypass security restrictions, caused by the failure to parse the authority component of the URL when handling '#' character. By using a specially-crafted URL with '#' character, an attacker could exploit this vulnerability to bypass access restrictions. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/118642](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118642>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2016-8621](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8621>) \n** DESCRIPTION: **cURL/libcurl could allow a remote attacker to obtain sensitive information, caused by an out of bounds read error within the curl_getdate function. By using specially-crafted date strings, a remote attacker could exploit this vulnerability to execute arbitrary code in the context of the process and obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/118639](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118639>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2016-8616](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8616>) \n** DESCRIPTION: **cURL/libcurl could allow a remote attacker to bypass security restrictions, caused by the use of case insensitive comparisons. By using valid credentials exists for a protocol which supports connection-scoped credentials, an attacker could exploit this vulnerability to cause a connection to be reused. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/118633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2016-8615](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615>) \n** DESCRIPTION: **cURL/libcurl is vulnerable to cookie injection, caused by an error related to fgets() function. By using a malicious server that sends a very long cookie name and value, a remote attacker could exploit this vulnerability to inject a malicious cookie for arbitrary domains. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/118632](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118632>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2021-22924](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22924>) \n** DESCRIPTION: **An unspecified error with bad connection reused due to improper path name validation in cURL libcurl has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/206047](<https://exchange.xforce.ibmcloud.com/vulnerabilities/206047>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2016-0755](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0755>) \n** DESCRIPTION: **Libcurl could allow a remote attacker to bypass security restrictions, caused by the failure to check NTLM-authenticated proxy connections for reuse. An attacker could exploit this vulnerability to use a proxy connection for a different authenticated client username. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/110290](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110290>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2019-13050](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050>) \n** DESCRIPTION: **GNU Privacy Guard (GnuPG) is vulnerable to a denial of service, caused by a certificate spamming attack when referring to a host on the SKS keyserver network in the keyserver configuration. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166417](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166417>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2015-5276](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5276>) \n** DESCRIPTION: **GNU Compiler Collection (GCC) could provide weaker than expected security, caused by the failure to properly handle short reads from blocking sources by the std::random_device class in libstdc++. A remote attacker could exploit thsi vulnerability to predict random values. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/108548](<https://exchange.xforce.ibmcloud.com/vulne
Bash vulnerability
