Total
320 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-14274 | 2 Mcpp Project, Opensuse | 3 Mcpp, Backports Sle, Leap | 2022-12-13 | 4.3 MEDIUM | 5.5 MEDIUM |
MCPP 2.7.2 has a heap-based buffer overflow in the do_msg() function in support.c. | |||||
CVE-2020-11653 | 4 Debian, Opensuse, Varnish-cache and 1 more | 5 Debian Linux, Backports Sle, Leap and 2 more | 2022-11-29 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss. | |||||
CVE-2020-15229 | 2 Opensuse, Sylabs | 3 Backports Sle, Leap, Singularity | 2022-11-16 | 5.8 MEDIUM | 9.3 CRITICAL |
Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within `unsquashfs`, it is possible to overwrite/create any files on the host filesystem during the extraction with a crafted squashfs filesystem. The extraction occurs automatically for unprivileged (either installation or with `allow setuid = no`) run of Singularity when a user attempt to run an image which is a local SIF image or a single file containing a squashfs filesystem and is coming from remote sources `library://` or `shub://`. Image build is also impacted in a more serious way as it can be used by a root user, allowing an attacker to overwrite/create files leading to a system compromise, so far bootstrap methods `library`, `shub` and `localimage` are triggering the squashfs extraction. This issue is addressed in Singularity 3.6.4. All users are advised to upgrade to 3.6.4 especially if they use Singularity mainly for building image as root user. There is no solid workaround except to temporary avoid to use unprivileged mode with single file images in favor of sandbox images instead. Regarding image build, temporary avoid to build from `library` and `shub` sources and as much as possible use `--fakeroot` or a VM for that. | |||||
CVE-2020-24972 | 3 Fedoraproject, Kleopatra Project, Opensuse | 4 Fedora, Kleopatra, Backports Sle and 1 more | 2022-11-16 | 6.5 MEDIUM | 8.8 HIGH |
The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line options. The Qt platformpluginpath command-line option can be used to load an arbitrary DLL. | |||||
CVE-2019-11556 | 2 Opensuse, Redhat | 3 Backports Sle, Leap, Pagure | 2022-11-16 | 4.3 MEDIUM | 6.1 MEDIUM |
Pagure before 5.6 allows XSS via the templates/blame.html blame view. | |||||
CVE-2020-13614 | 3 Axel Project, Fedoraproject, Opensuse | 4 Axel, Fedora, Backports Sle and 1 more | 2022-11-14 | 4.3 MEDIUM | 5.9 MEDIUM |
An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implementation lacks hostname verification. | |||||
CVE-2020-12672 | 3 Debian, Graphicsmagick, Opensuse | 4 Debian Linux, Graphicsmagick, Backports Sle and 1 more | 2022-11-14 | 5.0 MEDIUM | 7.5 HIGH |
GraphicsMagick through 1.3.35 has a heap-based buffer overflow in ReadMNGImage in coders/png.c. | |||||
CVE-2019-3693 | 2 Opensuse, Suse | 4 Backports Sle, Leap, Linux Enterprise Server and 1 more | 2022-11-09 | 7.2 HIGH | 7.8 HIGH |
A symlink following vulnerability in the packaging of mailman in SUSE Linux Enterprise Server 11, SUSE Linux Enterprise Server 12; openSUSE Leap 15.1 allowed local attackers to escalate their privileges from user wwwrun to root. Additionally arbitrary files could be changed to group mailman. This issue affects: SUSE Linux Enterprise Server 11 mailman versions prior to 2.1.15-9.6.15.1. SUSE Linux Enterprise Server 12 mailman versions prior to 2.1.17-3.11.1. openSUSE Leap 15.1 mailman version 2.1.29-lp151.2.14 and prior versions. | |||||
CVE-2019-10206 | 3 Debian, Opensuse, Redhat | 4 Debian Linux, Backports Sle, Leap and 1 more | 2022-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them. | |||||
CVE-2019-17545 | 5 Debian, Fedoraproject, Opensuse and 2 more | 6 Debian Linux, Fedora, Backports Sle and 3 more | 2022-10-27 | 7.5 HIGH | 9.8 CRITICAL |
GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded. | |||||
CVE-2019-13703 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2022-10-14 | 4.3 MEDIUM | 4.3 MEDIUM |
Insufficient policy enforcement in the Omnibox in Google Chrome on Android prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
CVE-2019-13701 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2022-10-14 | 4.3 MEDIUM | 4.3 MEDIUM |
Incorrect implementation in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
CVE-2019-13700 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2022-10-14 | 6.8 MEDIUM | 8.8 HIGH |
Out of bounds memory access in the gamepad API in Google Chrome prior to 78.0.3904.70 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | |||||
CVE-2019-13699 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2022-10-14 | 6.8 MEDIUM | 8.8 HIGH |
Use after free in media in Google Chrome prior to 78.0.3904.70 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | |||||
CVE-2019-13708 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2022-10-14 | 4.3 MEDIUM | 4.3 MEDIUM |
Inappropriate implementation in navigation in Google Chrome on iOS prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
CVE-2019-13709 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2022-10-14 | 4.3 MEDIUM | 6.5 MEDIUM |
Insufficient policy enforcement in downloads in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass download restrictions via a crafted HTML page. | |||||
CVE-2019-13706 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2022-10-14 | 6.8 MEDIUM | 7.8 HIGH |
Out of bounds memory access in PDFium in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | |||||
CVE-2019-13704 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2022-10-14 | 4.3 MEDIUM | 4.3 MEDIUM |
Insufficient policy enforcement in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||||
CVE-2019-13714 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2022-10-14 | 4.3 MEDIUM | 6.1 MEDIUM |
Insufficient validation of untrusted input in Color Enhancer extension in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to inject CSS into an HTML page via a crafted URL. | |||||
CVE-2019-13715 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2022-10-14 | 4.3 MEDIUM | 4.3 MEDIUM |
Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. |