Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Fedoraproject Subscribe
Total 4434 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-32677 2 Fastapi Project, Fedoraproject 2 Fastapi, Fedora 2021-06-24 5.8 MEDIUM 8.1 HIGH
FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack. In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json). A request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted. Requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. The browser will execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application. This is fixed in FastAPI 0.65.2. The request data is now parsed as JSON only if the content-type header is application/json or another JSON compatible media type like application/geo+json. It's best to upgrade to the latest FastAPI, but if updating is not possible then a middleware or a dependency that checks the content-type header and aborts the request if it is not application/json or another JSON compatible content type can act as a mitigating workaround.
CVE-2019-19050 5 Broadcom, Canonical, Fedoraproject and 2 more 22 Fabric Operating System, Ubuntu Linux, Fedora and 19 more 2021-06-22 7.8 HIGH 7.5 HIGH
A memory leak in the crypto_reportstat() function in crypto/crypto_user_stat.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_reportstat_alg() failures, aka CID-c03b04dcdba1.
CVE-2020-13645 5 Broadcom, Canonical, Fedoraproject and 2 more 6 Fabric Operating System, Ubuntu Linux, Fedora and 3 more 2021-06-22 6.4 MEDIUM 6.5 MEDIUM
In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.
CVE-2021-3504 3 Debian, Fedoraproject, Redhat 4 Debian Linux, Fedora, Enterprise Linux and 1 more 2021-06-21 5.8 MEDIUM 5.4 MEDIUM
A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to crash. The highest threat from this vulnerability is to system availability.
CVE-2021-32917 3 Debian, Fedoraproject, Prosody 3 Debian Linux, Fedora, Prosody 2021-06-17 4.3 MEDIUM 5.3 MEDIUM
An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.
CVE-2021-30473 2 Aomedia, Fedoraproject 2 Aomedia, Fedora 2021-06-17 7.5 HIGH 9.8 CRITICAL
aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that is not located on the heap.
CVE-2021-30475 2 Aomedia, Fedoraproject 2 Aomedia, Fedora 2021-06-17 7.5 HIGH 9.8 CRITICAL
aom_dsp/noise_model.c in libaom in AOMedia before 2021-03-24 has a buffer overflow.
CVE-2021-33896 2 Dino, Fedoraproject 2 Dino, Fedora 2021-06-17 5.0 MEDIUM 5.3 MEDIUM
Dino before 0.1.2 and 0.2.x before 0.2.1 allows Directory Traversal (only for creation of new files) via URI-encoded path separators.
CVE-2014-0190 4 Canonical, Fedoraproject, Opensuse and 1 more 4 Ubuntu Linux, Fedora, Opensuse and 1 more 2021-06-16 4.3 MEDIUM N/A
The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.
CVE-2015-1860 3 Digia, Fedoraproject, Qt 3 Qt, Fedora, Qt 2021-06-16 6.8 MEDIUM N/A
Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.
CVE-2015-1859 3 Digia, Fedoraproject, Qt 3 Qt, Fedora, Qt 2021-06-16 6.8 MEDIUM N/A
Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.
CVE-2015-1858 3 Digia, Fedoraproject, Qt 3 Qt, Fedora, Qt 2021-06-16 6.8 MEDIUM N/A
Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.
CVE-2018-20060 2 Fedoraproject, Python 2 Fedora, Urllib3 2021-06-15 5.0 MEDIUM 9.8 CRITICAL
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
CVE-2019-19073 3 Fedoraproject, Linux, Opensuse 3 Fedora, Linux Kernel, Leap 2021-06-14 2.1 LOW 4.0 MEDIUM
Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function, aka CID-853acf7caf10.
CVE-2019-19066 6 Canonical, Debian, Fedoraproject and 3 more 6 Ubuntu Linux, Debian Linux, Fedora and 3 more 2021-06-14 4.7 MEDIUM 4.7 MEDIUM
A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures, aka CID-0e62395da2bd.
CVE-2020-7919 4 Debian, Fedoraproject, Golang and 1 more 4 Debian Linux, Fedora, Go and 1 more 2021-06-14 7.8 HIGH 7.5 HIGH
Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.
CVE-2020-13435 2 Fedoraproject, Sqlite 2 Fedora, Sqlite 2021-06-14 2.1 LOW 5.5 MEDIUM
SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.
CVE-2015-5258 2 Fedoraproject, Vmware 2 Fedora, Spring Social 2021-06-09 6.8 MEDIUM 8.8 HIGH
Cross-site request forgery (CSRF) vulnerability in springframework-social before 1.1.3.
CVE-2021-20229 3 Fedoraproject, Postgresql, Redhat 4 Fedora, Postgresql, Enterprise Linux and 1 more 2021-06-09 4.0 MEDIUM 4.3 MEDIUM
A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.
CVE-2021-30469 3 Fedoraproject, Podofo Project, Redhat 3 Fedora, Podofo, Enterprise Linux 2021-06-08 4.3 MEDIUM 5.5 MEDIUM
A flaw was found in PoDoFo 0.9.7. An use-after-free in PoDoFo::PdfVecObjects::Clear() function can cause a denial of service via a crafted PDF file.