Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Debian Subscribe
Filtered by product Debian Linux
Total 8096 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-24917 3 Debian, Fedoraproject, Zabbix 3 Debian Linux, Fedora, Frontend 2023-02-22 2.1 LOW 4.4 MEDIUM
An authenticated user can create a link with reflected Javascript code inside it for services’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.
CVE-2022-0865 4 Debian, Fedoraproject, Libtiff and 1 more 4 Debian Linux, Fedora, Libtiff and 1 more 2023-02-22 4.3 MEDIUM 6.5 MEDIUM
Reachable Assertion in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 5e180045.
CVE-2022-24801 4 Debian, Fedoraproject, Oracle and 1 more 4 Debian Linux, Fedora, Zfs Storage Appliance Kit and 1 more 2023-02-22 6.8 MEDIUM 8.1 HIGH
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
CVE-2022-46877 2 Debian, Mozilla 2 Debian Linux, Firefox 2023-02-20 N/A 4.3 MEDIUM
By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 108.
CVE-2022-46871 2 Debian, Mozilla 2 Debian Linux, Firefox 2023-02-20 N/A 8.8 HIGH
An out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited. This vulnerability affects Firefox < 108.
CVE-2020-22669 2 Debian, Owasp 2 Debian Linux, Owasp Modsecurity Core Rule Set 2023-02-16 N/A 9.8 CRITICAL
Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.
CVE-2022-25648 3 Debian, Fedoraproject, Git 4 Debian Linux, Extra Packages For Enterprise Linux, Fedora and 1 more 2023-02-16 7.5 HIGH 9.8 CRITICAL
The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
CVE-2022-24785 5 Debian, Fedoraproject, Momentjs and 2 more 5 Debian Linux, Fedora, Moment and 2 more 2023-02-16 5.0 MEDIUM 7.5 HIGH
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
CVE-2021-35368 3 Debian, Fedoraproject, Owasp 3 Debian Linux, Fedora, Owasp Modsecurity Core Rule Set 2023-02-16 7.5 HIGH 9.8 CRITICAL
OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname.
CVE-2020-8184 3 Canonical, Debian, Rack Project 3 Ubuntu Linux, Debian Linux, Rack 2023-02-16 5.0 MEDIUM 7.5 HIGH
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.
CVE-2019-13223 2 Debian, Stb Vorbis Project 2 Debian Linux, Stb Vorbis 2023-02-16 4.3 MEDIUM 5.5 MEDIUM
A reachable assertion in the lookup1_values function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file.
CVE-2019-13219 2 Debian, Stb Vorbis Project 2 Debian Linux, Stb Vorbis 2023-02-16 4.3 MEDIUM 5.5 MEDIUM
A NULL pointer dereference in the get_window function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file.
CVE-2019-13220 2 Debian, Stb Vorbis Project 2 Debian Linux, Stb Vorbis 2023-02-16 5.8 MEDIUM 7.1 HIGH
Use of uninitialized stack variables in the start_decoder function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a crafted Ogg Vorbis file.
CVE-2019-13221 2 Debian, Stb Vorbis Project 2 Debian Linux, Stb Vorbis 2023-02-16 6.8 MEDIUM 7.8 HIGH
A stack buffer overflow in the compute_codewords function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or execute arbitrary code by opening a crafted Ogg Vorbis file.
CVE-2019-13222 2 Debian, Stb Vorbis Project 2 Debian Linux, Stb Vorbis 2023-02-16 5.8 MEDIUM 7.1 HIGH
An out-of-bounds read of a global buffer in the draw_line function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a crafted Ogg Vorbis file.
CVE-2019-13218 2 Debian, Stb Vorbis Project 2 Debian Linux, Stb Vorbis 2023-02-16 4.3 MEDIUM 5.5 MEDIUM
Division by zero in the predict_point function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file.
CVE-2022-39958 3 Debian, Fedoraproject, Owasp 3 Debian Linux, Fedora, Owasp Modsecurity Core Rule Set 2023-02-16 N/A 7.5 HIGH
The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.
CVE-2022-39955 3 Debian, Fedoraproject, Owasp 3 Debian Linux, Fedora, Owasp Modsecurity Core Rule Set 2023-02-16 N/A 9.8 CRITICAL
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
CVE-2022-39957 3 Debian, Fedoraproject, Owasp 3 Debian Linux, Fedora, Owasp Modsecurity Core Rule Set 2023-02-16 N/A 7.5 HIGH
The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
CVE-2022-39956 3 Debian, Fedoraproject, Owasp 3 Debian Linux, Fedora, Owasp Modsecurity Core Rule Set 2023-02-16 N/A 9.8 CRITICAL
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).