Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-11494 | 3 Dovecot, Fedoraproject, Opensuse | 3 Dovecot, Fedora, Leap | 2023-03-01 | 5.0 MEDIUM | 7.5 HIGH |
| In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command. | |||||
| CVE-2022-46393 | 2 Arm, Fedoraproject | 2 Mbed Tls, Fedora | 2023-03-01 | N/A | 9.8 CRITICAL |
| An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. There is a potential heap-based buffer overflow and heap-based buffer over-read in DTLS if MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX. | |||||
| CVE-2022-46392 | 2 Arm, Fedoraproject | 2 Mbed Tls, Fedora | 2023-03-01 | N/A | 5.3 MEDIUM |
| An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking a secure enclave) can recover an RSA private key after observing the victim performing a single private-key operation, if the window size (MBEDTLS_MPI_WINDOW_SIZE) used for the exponentiation is 3 or smaller. | |||||
| CVE-2023-24998 | 1 Apache | 1 Commons Fileupload | 2023-03-01 | N/A | 7.5 HIGH |
| Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. | |||||
| CVE-2022-41915 | 2 Debian, Netty | 2 Debian Linux, Netty | 2023-03-01 | N/A | 6.5 MEDIUM |
| Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values. | |||||
| CVE-2019-11474 | 5 Canonical, Debian, Fedoraproject and 2 more | 6 Ubuntu Linux, Debian Linux, Fedora and 3 more | 2023-03-01 | 4.3 MEDIUM | 6.5 MEDIUM |
| coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a denial of service (floating-point exception and application crash) by crafting an XWD image file, a different vulnerability than CVE-2019-11008 and CVE-2019-11009. | |||||
| CVE-2022-42716 | 1 Arm | 3 Bifrost Gpu Kernel Driver, Midguard Gpu Kernel Driver, Valhall Gpu Kernel Driver | 2023-03-01 | N/A | 8.8 HIGH |
| An issue was discovered in the Arm Mali GPU Kernel Driver. There is a use-after-free. A non-privileged user can make improper GPU processing operations to gain access to already freed memory. This affects Valhall r29p0 through r40P0. | |||||
| CVE-2022-41881 | 2 Debian, Netty | 2 Debian Linux, Netty | 2023-03-01 | N/A | 7.5 HIGH |
| Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder. | |||||
| CVE-2022-3485 | 1 Ifm | 4 Moneo Qha200, Moneo Qha200 Firmware, Moneo Qha210 and 1 more | 2023-03-01 | N/A | 9.8 CRITICAL |
| In IFM Moneo Appliance with version up to 1.9.3 an unauthenticated remote attacker can reset the administrator password by only supplying the serial number and thus gain full control of the device. | |||||
| CVE-2022-35260 | 3 Apple, Haxx, Netapp | 11 Macos, Curl, Clustered Data Ontap and 8 more | 2023-03-01 | N/A | 6.5 MEDIUM |
| curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service. | |||||
| CVE-2019-11065 | 2 Fedoraproject, Gradle | 2 Fedora, Gradle | 2023-03-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site. | |||||
| CVE-2022-35256 | 4 Debian, Llhttp, Nodejs and 1 more | 4 Debian Linux, Llhttp, Node.js and 1 more | 2023-03-01 | N/A | 6.5 MEDIUM |
| The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling. | |||||
| CVE-2022-35255 | 3 Debian, Nodejs, Siemens | 3 Debian Linux, Node.js, Sinec Ins | 2023-03-01 | N/A | 9.1 CRITICAL |
| A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material. | |||||
| CVE-2019-11026 | 2 Fedoraproject, Freedesktop | 2 Fedora, Poppler | 2023-03-01 | 4.3 MEDIUM | 6.5 MEDIUM |
| FontInfoScanner::scanFonts in FontInfo.cc in Poppler 0.75.0 has infinite recursion, leading to a call to the error function in Error.cc. | |||||
| CVE-2019-11008 | 4 Canonical, Debian, Graphicsmagick and 1 more | 5 Ubuntu Linux, Debian Linux, Graphicsmagick and 2 more | 2023-03-01 | 6.8 MEDIUM | 8.8 HIGH |
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buffer overflow in the function WriteXWDImage of coders/xwd.c, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. | |||||
| CVE-2016-15026 | 1 Dd-plist Project | 1 Dd-plist | 2023-03-01 | N/A | 7.8 HIGH |
| A vulnerability was found in 3breadt dd-plist 1.17 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. An attack has to be approached locally. Upgrading to version 1.18 is able to address this issue. The name of the patch is 8c954e8d9f6f6863729e50105a8abf3f87fff74c. It is recommended to upgrade the affected component. VDB-221486 is the identifier assigned to this vulnerability. | |||||
| CVE-2019-11007 | 4 Canonical, Debian, Graphicsmagick and 1 more | 5 Ubuntu Linux, Debian Linux, Graphicsmagick and 2 more | 2023-03-01 | 5.8 MEDIUM | 8.1 HIGH |
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buffer over-read in the ReadMNGImage function of coders/png.c, which allows attackers to cause a denial of service or information disclosure via an image colormap. | |||||
| CVE-2019-10906 | 5 Canonical, Fedoraproject, Opensuse and 2 more | 5 Ubuntu Linux, Fedora, Leap and 2 more | 2023-03-01 | 5.0 MEDIUM | 8.6 HIGH |
| In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape. | |||||
| CVE-2019-10887 | 1 Salicru | 1 Slc-20-cube3\(5\) | 2023-03-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected HTML injection vulnerability on Salicru SLC-20-cube3(5) devices running firmware version cs121-SNMP v4.54.82.130611 allows remote attackers to inject arbitrary HTML elements via a /DataLog.csv?log= or /AlarmLog.csv?log= or /waitlog.cgi?name= or /chart.shtml?data= or /createlog.cgi?name= request. | |||||
| CVE-2019-1002100 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift Container Platform | 2023-03-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server. | |||||