Filtered by vendor Fedoraproject
Subscribe
Total
4434 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-21419 | 2 Eventlet, Fedoraproject | 2 Eventlet, Fedora | 2021-05-27 | 5.0 MEDIUM | 5.3 MEDIUM |
Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts websocket frame to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround to protect Eventlet process. | |||||
CVE-2020-7238 | 4 Debian, Fedoraproject, Netty and 1 more | 6 Debian Linux, Fedora, Netty and 3 more | 2021-05-27 | 5.0 MEDIUM | 7.5 HIGH |
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869. | |||||
CVE-2020-27840 | 3 Debian, Fedoraproject, Samba | 3 Debian Linux, Fedora, Samba | 2021-05-26 | 5.0 MEDIUM | 7.5 HIGH |
A flaw was found in samba. Spaces used in a string around a domain name (DN), while supposed to be ignored, can cause invalid DN strings with spaces to instead write a zero-byte into out-of-bounds memory, resulting in a crash. The highest threat from this vulnerability is to system availability. | |||||
CVE-2021-32918 | 4 Debian, Fedoraproject, Lua and 1 more | 4 Debian Linux, Fedora, Lua and 1 more | 2021-05-26 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3. | |||||
CVE-2021-32919 | 3 Debian, Fedoraproject, Prosody | 3 Debian Linux, Fedora, Prosody | 2021-05-26 | 4.3 MEDIUM | 7.5 HIGH |
An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled). | |||||
CVE-2021-31800 | 2 Fedoraproject, Secureauth | 2 Fedora, Impacket | 2021-05-26 | 7.5 HIGH | 9.8 CRITICAL |
Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key. | |||||
CVE-2021-29510 | 2 Fedoraproject, Pydantic Project | 2 Fedora, Pydantic | 2021-05-25 | 5.0 MEDIUM | 7.5 HIGH |
Pydantic is a data validation and settings management using Python type hinting. In affected versions passing either `'infinity'`, `'inf'` or `float('inf')` (or their negatives) to `datetime` or `date` fields causes validation to run forever with 100% CPU usage (on one CPU). Pydantic has been patched with fixes available in the following versions: v1.8.2, v1.7.4, v1.6.2. All these versions are available on pypi(https://pypi.org/project/pydantic/#history), and will be available on conda-forge(https://anaconda.org/conda-forge/pydantic) soon. See the changelog(https://pydantic-docs.helpmanual.io/) for details. If you absolutely can't upgrade, you can work around this risk using a validator(https://pydantic-docs.helpmanual.io/usage/validators/) to catch these values. This is not an ideal solution (in particular you'll need a slightly different function for datetimes), instead of a hack like this you should upgrade pydantic. If you are not using v1.8.x, v1.7.x or v1.6.x and are unable to upgrade to a fixed version of pydantic, please create an issue at https://github.com/samuelcolvin/pydantic/issues requesting a back-port, and we will endeavour to release a patch for earlier versions of pydantic. | |||||
CVE-2021-3402 | 2 Fedoraproject, Virustotal | 2 Fedora, Yara | 2021-05-24 | 6.4 MEDIUM | 9.1 CRITICAL |
An integer overflow and several buffer overflow reads in libyara/modules/macho/macho.c in YARA v4.0.3 and earlier could allow an attacker to either cause denial of service or information disclosure via a malicious Mach-O file. Affects all versions before libyara 4.0.4 | |||||
CVE-2020-35701 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2021-05-21 | 6.5 MEDIUM | 8.8 HIGH |
An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution. | |||||
CVE-2018-11797 | 3 Apache, Fedoraproject, Oracle | 3 Pdfbox, Fedora, Retail Xstore Point Of Service | 2021-05-21 | 4.3 MEDIUM | 5.5 MEDIUM |
In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree. | |||||
CVE-2021-3472 | 4 Debian, Fedoraproject, Redhat and 1 more | 4 Debian Linux, Fedora, Enterprise Linux and 1 more | 2021-05-19 | 7.2 HIGH | 7.8 HIGH |
A flaw was found in xorg-x11-server in versions before 1.20.11. An integer underflow can occur in xserver which can lead to a local privilege escalation. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | |||||
CVE-2018-10811 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2021-05-18 | 5.0 MEDIUM | 7.5 HIGH |
strongSwan 5.6.0 and older allows Remote Denial of Service because of Missing Initialization of a Variable. | |||||
CVE-2021-21156 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2021-05-17 | 6.8 MEDIUM | 8.8 HIGH |
Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.182 allowed a remote attacker to potentially exploit heap corruption via a crafted script. | |||||
CVE-2021-21148 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2021-05-17 | 6.8 MEDIUM | 8.8 HIGH |
Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
CVE-2021-20232 | 3 Fedoraproject, Gnu, Redhat | 3 Fedora, Gnutls, Enterprise Linux | 2021-05-17 | 7.5 HIGH | 9.8 CRITICAL |
A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences. | |||||
CVE-2018-10196 | 3 Canonical, Fedoraproject, Graphviz | 3 Ubuntu Linux, Fedora, Graphviz | 2021-05-13 | 4.3 MEDIUM | 5.5 MEDIUM |
NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library in Graphviz 2.40.1 allows remote attackers to cause a denial of service (application crash) via a crafted file. | |||||
CVE-2020-15216 | 2 Fedoraproject, Goxmldsig Project | 2 Fedora, Goxmldsig | 2021-05-05 | 4.3 MEDIUM | 6.5 MEDIUM |
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision f6188febf0c29d7ffe26a0436212b19cb9615e64 or version 1.1.0 | |||||
CVE-2020-8037 | 4 Apple, Debian, Fedoraproject and 1 more | 5 Mac Os X, Macos, Debian Linux and 2 more | 2021-05-05 | 5.0 MEDIUM | 7.5 HIGH |
The ppp decapsulator in tcpdump 4.9.3 can be convinced to allocate a large amount of memory. | |||||
CVE-2020-25693 | 2 Cimg, Fedoraproject | 2 Cimg, Fedora | 2021-05-05 | 5.8 MEDIUM | 8.1 HIGH |
A flaw was found in CImg in versions prior to 2.9.3. Integer overflows leading to heap buffer overflows in load_pnm() can be triggered by a specially crafted input file processed by CImg, which can lead to an impact to application availability or data integrity. | |||||
CVE-2021-20205 | 2 Fedoraproject, Libjpeg-turbo | 2 Fedora, Libjpeg-turbo | 2021-05-04 | 4.3 MEDIUM | 6.5 MEDIUM |
Libjpeg-turbo versions 2.0.91 and 2.0.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted GIF image. |