Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Total 210374 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-1871 3 Apple, Debian, Fedoraproject 6 Ipad Os, Iphone Os, Mac Os X and 3 more 2022-04-26 7.5 HIGH 9.8 CRITICAL
A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, iOS 14.4 and iPadOS 14.4. A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..
CVE-2022-28345 1 Signal 1 Signal 2022-04-26 5.0 MEDIUM 7.5 HIGH
The Signal app before 5.34 for iOS allows URI spoofing via RTLO injection. It incorrectly renders RTLO encoded URLs beginning with a non-breaking space, when there is a hash character in the URL. This technique allows a remote unauthenticated attacker to send legitimate looking links, appearing to be any website URL, by abusing the non-http/non-https automatic rendering of URLs. An attacker can spoof, for example, example.com, and masquerade any URL with a malicious destination. An attacker requires a subdomain such as gepj, txt, fdp, or xcod, which would appear backwards as jpeg, txt, pdf, and docx respectively.
CVE-2020-5867 2 F5, Netapp 2 Nginx Controller, Cloud Backup 2022-04-26 6.8 MEDIUM 8.1 HIGH
In versions prior to 3.3.0, the NGINX Controller Agent installer script 'install.sh' uses HTTP instead of HTTPS to check and install packages
CVE-2020-5865 2 F5, Netapp 2 Nginx Controller, Cloud Backup 2022-04-26 5.8 MEDIUM 4.8 MEDIUM
In versions prior to 3.3.0, the NGINX Controller is configured to communicate with its Postgres database server over unencrypted channels, making the communicated data vulnerable to interception via man-in-the-middle (MiTM) attacks.
CVE-2021-43290 1 Thoughtworks 1 Gocd 2022-04-26 7.5 HIGH 9.8 CRITICAL
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into a directory of a GoCD server. They can control the filename but the directory is placed inside of a directory that they can't control.
CVE-2021-20266 2 Fedoraproject, Rpm 2 Fedora, Rpm 2022-04-26 4.0 MEDIUM 4.9 MEDIUM
A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.
CVE-2021-28505 1 Arista 18 Ccs-710p-12, Ccs-710p-16p, Ccs-720xp-24y6 and 15 more 2022-04-26 5.0 MEDIUM 7.5 HIGH
On affected Arista EOS platforms, if a VXLAN match rule exists in an IPv4 access-list that is applied to the ingress of an L2 or an L3 port/SVI, the VXLAN rule and subsequent ACL rules in that access list will ignore the specified IP protocol.
CVE-2020-15867 1 Gogs 1 Gogs 2022-04-26 6.5 MEDIUM 7.2 HIGH
The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. There can be a privilege escalation if access to this hook feature is granted to a user who does not have administrative privileges. NOTE: because this is mentioned in the documentation but not in the UI, it could be considered a "Product UI does not Warn User of Unsafe Actions" issue.
CVE-2020-1472 8 Canonical, Debian, Fedoraproject and 5 more 11 Ubuntu Linux, Debian Linux, Fedora and 8 more 2022-04-26 9.3 HIGH 10.0 CRITICAL
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.
CVE-2020-11976 1 Apache 2 Fortress, Wicket 2022-04-26 5.0 MEDIUM 7.5 HIGH
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5
CVE-2020-16166 7 Canonical, Debian, Fedoraproject and 4 more 16 Ubuntu Linux, Debian Linux, Fedora and 13 more 2022-04-26 4.3 MEDIUM 3.7 LOW
The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to drivers/char/random.c and kernel/time/timer.c.
CVE-2020-9480 2 Apache, Oracle 2 Spark, Business Intelligence 2022-04-26 9.3 HIGH 9.8 CRITICAL
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
CVE-2020-12771 6 Canonical, Debian, Linux and 3 more 37 Ubuntu Linux, Debian Linux, Linux Kernel and 34 more 2022-04-26 4.9 MEDIUM 5.5 MEDIUM
An issue was discovered in the Linux kernel through 5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c has a deadlock if a coalescing operation fails.
CVE-2020-12691 2 Canonical, Openstack 2 Ubuntu Linux, Keystone 2022-04-26 6.5 MEDIUM 8.8 HIGH
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.
CVE-2021-20090 1 Buffalo 4 Wsr-2533dhp3-bk, Wsr-2533dhp3-bk Firmware, Wsr-2533dhpl2-bk and 1 more 2022-04-26 7.5 HIGH 9.8 CRITICAL
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.
CVE-2020-11868 5 Debian, Netapp, Ntp and 2 more 24 Debian Linux, All Flash Fabric-attached Storage 8300, All Flash Fabric-attached Storage 8300 Firmware and 21 more 2022-04-26 5.0 MEDIUM 7.5 HIGH
ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp.
CVE-2020-11612 5 Debian, Fedoraproject, Netapp and 2 more 13 Debian Linux, Fedora, Oncommand Api Services and 10 more 2022-04-26 5.0 MEDIUM 7.5 HIGH
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
CVE-2020-1934 6 Apache, Canonical, Debian and 3 more 11 Http Server, Ubuntu Linux, Debian Linux and 8 more 2022-04-26 5.0 MEDIUM 5.3 MEDIUM
In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.
CVE-2019-19535 4 Debian, Linux, Opensuse and 1 more 4 Debian Linux, Linux Kernel, Leap and 1 more 2022-04-26 2.1 LOW 4.6 MEDIUM
In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka CID-30a8beeb3042.
CVE-2021-43289 1 Thoughtworks 1 Gocd 2022-04-26 5.0 MEDIUM 7.5 HIGH
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into an arbitrary directory of a GoCD server, but does not control the filename.