Total
2470 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2014-0164 | 1 Redhat | 1 Openshift | 2023-02-12 | 2.1 LOW | N/A |
openshift-origin-broker-util, as used in Red Hat OpenShift Enterprise 1.2.7 and 2.0.5, uses world-readable permissions for the mcollective client.cfg configuration file, which allows local users to obtain credentials and other sensitive information by reading the file. | |||||
CVE-2014-0076 | 1 Openssl | 1 Openssl | 2023-02-12 | 1.9 LOW | N/A |
The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack. | |||||
CVE-2014-0041 | 1 Redhat | 1 Openstack | 2023-02-12 | 4.3 MEDIUM | N/A |
OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, sets sslverify to false for certain Yum repositories, which disables SSL protection and allows man-in-the-middle attackers to prevent updates via unspecified vectors. | |||||
CVE-2014-0042 | 1 Redhat | 1 Openstack | 2023-02-12 | 4.3 MEDIUM | N/A |
OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, sets gpgcheck to 0 for certain templates, which disables GPG signature checking on downloaded packages and allows man-in-the-middle attackers to install arbitrary packages via unspecified vectors. | |||||
CVE-2013-4346 | 1 Urbanairship | 1 Python-oauth2 | 2023-02-12 | 4.3 MEDIUM | N/A |
The Server.verify_request function in SimpleGeo python-oauth2 does not check the nonce, which allows remote attackers to perform replay attacks via a signed URL. | |||||
CVE-2012-6093 | 3 Canonical, Opensuse, Qt | 3 Ubuntu Linux, Opensuse, Qt | 2023-02-12 | 4.3 MEDIUM | N/A |
The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate. | |||||
CVE-2012-0861 | 1 Redhat | 1 Enterprise Virtualization Manager | 2023-02-12 | 6.8 MEDIUM | N/A |
The vds_installer in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when adding a host, uses the -k curl parameter when downloading deployUtil.py and vds_bootstrap.py, which prevents SSL certificates from being validated and allows remote attackers to execute arbitrary Python code via a man-in-the-middle attack. | |||||
CVE-2016-4457 | 1 Redhat | 1 Cloudforms Management Engine | 2023-02-12 | 5.0 MEDIUM | 7.5 HIGH |
CloudForms Management Engine before 5.8 includes a default SSL/TLS certificate. | |||||
CVE-2015-3276 | 2 Openldap, Redhat | 5 Openldap, Enterprise Linux Desktop, Enterprise Linux Hpc Node and 2 more | 2023-02-12 | 5.0 MEDIUM | N/A |
The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors. | |||||
CVE-2015-1848 | 2 Fedora, Redhat | 5 Pacemaker Configuration System, Enterprise Linux High Availability, Enterprise Linux High Availability Eus and 2 more | 2023-02-12 | 6.8 MEDIUM | N/A |
The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. NOTE: this issue was SPLIT per ADT2 due to different vulnerability types. CVE-2015-3983 is for the issue with not setting the HTTPOnly flag. | |||||
CVE-2012-0039 | 1 Gnome | 1 Glib | 2023-02-12 | 5.0 MEDIUM | N/A |
** DISPUTED ** GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application. | |||||
CVE-2015-4000 | 12 Apple, Canonical, Debian and 9 more | 25 Iphone Os, Mac Os X, Safari and 22 more | 2023-02-09 | 4.3 MEDIUM | 3.7 LOW |
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue. | |||||
CVE-2012-2143 | 4 Debian, Freebsd, Php and 1 more | 4 Debian Linux, Freebsd, Php and 1 more | 2023-01-20 | 4.3 MEDIUM | N/A |
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password. | |||||
CVE-2016-0800 | 2 Openssl, Pulsesecure | 3 Openssl, Client, Steel Belted Radius | 2022-12-13 | 4.3 MEDIUM | 5.9 MEDIUM |
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack. | |||||
CVE-2015-0285 | 1 Openssl | 1 Openssl | 2022-12-13 | 4.3 MEDIUM | N/A |
The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1.0.2a does not ensure that the PRNG is seeded before proceeding with a handshake, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and then conducting a brute-force attack. | |||||
CVE-2015-3197 | 2 Openssl, Oracle | 6 Openssl, Exalogic Infrastructure, Oss Support Tools and 3 more | 2022-12-13 | 4.3 MEDIUM | 5.9 MEDIUM |
ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions. | |||||
CVE-2016-2107 | 8 Canonical, Debian, Google and 5 more | 15 Ubuntu Linux, Debian Linux, Android and 12 more | 2022-12-13 | 2.6 LOW | 5.9 MEDIUM |
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169. | |||||
CVE-2008-4227 | 1 Apple | 2 Iphone Os, Ipod Touch | 2022-08-09 | 7.5 HIGH | N/A |
Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod touch 1.1 through 2.1 changes the encryption level of PPTP VPN connections to a lower level than was previously used, which makes it easier for remote attackers to obtain sensitive information or hijack a connection by decrypting network traffic. | |||||
CVE-2019-3739 | 2 Dell, Oracle | 16 Bsafe Cert-j, Bsafe Crypto-j, Bsafe Ssl-j and 13 more | 2022-06-13 | 4.3 MEDIUM | 6.5 MEDIUM |
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys. | |||||
CVE-2014-3620 | 2 Apple, Haxx | 3 Mac Os X, Curl, Libcurl | 2022-05-11 | 5.0 MEDIUM | N/A |
cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain. |