Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Fedoraproject Subscribe
Total 4434 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-8552 2 Fedoraproject, Kubernetes 2 Fedora, Kubernetes 2023-01-27 4.0 MEDIUM 4.3 MEDIUM
The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests.
CVE-2020-8551 2 Fedoraproject, Kubernetes 2 Fedora, Kubernetes 2023-01-27 3.3 LOW 6.5 MEDIUM
The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.
CVE-2020-11054 2 Fedoraproject, Qutebrowser 2 Fedora, Qutebrowser 2023-01-27 4.3 MEDIUM 3.5 LOW
In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.
CVE-2021-3996 2 Fedoraproject, Kernel 2 Fedora, Util-linux 2023-01-26 N/A 5.5 MEDIUM
A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users' filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.
CVE-2022-39320 2 Fedoraproject, Freerdp 2 Fedora, Freerdp 2023-01-25 N/A 4.6 MEDIUM
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP may attempt integer addition on too narrow types leads to allocation of a buffer too small holding the data written. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/usb` redirection switch.
CVE-2022-39316 2 Fedoraproject, Freerdp 2 Fedora, Freerdp 2023-01-25 N/A 5.7 MEDIUM
FreeRDP is a free remote desktop protocol library and clients. In affected versions there is an out of bound read in ZGFX decoder component of FreeRDP. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it likely resulting in a crash. This issue has been addressed in the 2.9.0 release. Users are advised to upgrade.
CVE-2022-41877 2 Fedoraproject, Freerdp 2 Fedora, Freerdp 2023-01-25 N/A 4.6 MEDIUM
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input length validation in `drive` channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the drive redirection channel - command line options `/drive`, `+drives` or `+home-drive`.
CVE-2022-39319 2 Fedoraproject, Freerdp 2 Fedora, Freerdp 2023-01-25 N/A 4.6 MEDIUM
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input length validation in the `urbdrc` channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/usb` redirection switch.
CVE-2022-39347 2 Fedoraproject, Freerdp 2 Fedora, Freerdp 2023-01-25 N/A 5.7 MEDIUM
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing path canonicalization and base path check for `drive` channel. A malicious server can trick a FreeRDP based client to read files outside the shared directory. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/drive`, `/drives` or `+home-drive` redirection switch.
CVE-2022-39317 2 Fedoraproject, Freerdp 2 Fedora, Freerdp 2023-01-25 N/A 4.6 MEDIUM
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing a range check for input offset index in ZGFX decoder. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it. This issue has been addressed in version 2.9.0. There are no known workarounds for this issue.
CVE-2022-39318 2 Fedoraproject, Freerdp 2 Fedora, Freerdp 2023-01-25 N/A 5.7 MEDIUM
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input validation in `urbdrc` channel. A malicious server can trick a FreeRDP based client to crash with division by zero. This issue has been addressed in version 2.9.0. All users are advised to upgrade. Users unable to upgrade should not use the `/usb` redirection switch.
CVE-2022-24778 2 Fedoraproject, Linuxfoundation 2 Fedora, Imgcrypt 2023-01-24 5.0 MEDIUM 7.5 HIGH
The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other architectures in the ManifestList to run an image without providing keys if that image had previously been decrypted. A patch has been applied to imgcrypt 1.1.4. Workarounds may include usage of different namespaces for each remote user.
CVE-2018-14628 2 Fedoraproject, Samba 2 Fedora, Samba 2023-01-24 N/A 4.3 MEDIUM
An information leak vulnerability was discovered in Samba's LDAP server. Due to missing access control checks, an authenticated but unprivileged attacker could discover the names and preserved attributes of deleted objects in the LDAP store.
CVE-2021-33503 3 Fedoraproject, Oracle, Python 5 Fedora, Enterprise Manager Ops Center, Instantis Enterprisetrack and 2 more 2023-01-24 5.0 MEDIUM 7.5 HIGH
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
CVE-2019-16775 5 Fedoraproject, Npmjs, Opensuse and 2 more 6 Fedora, Npm, Leap and 3 more 2023-01-24 4.0 MEDIUM 6.5 MEDIUM
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
CVE-2022-32547 3 Fedoraproject, Imagemagick, Redhat 3 Fedora, Imagemagick, Enterprise Linux 2023-01-24 6.8 MEDIUM 7.8 HIGH
In ImageMagick, there is load of misaligned address for type 'double', which requires 8 byte alignment and for type 'float', which requires 4 byte alignment at MagickCore/property.c. Whenever crafted or untrusted input is processed by ImageMagick, this causes a negative impact to application availability or other problems related to undefined behavior.
CVE-2020-17353 4 Debian, Fedoraproject, Lilypond and 1 more 5 Debian Linux, Fedora, Lilypond and 2 more 2023-01-23 7.5 HIGH 9.8 CRITICAL
scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript code.
CVE-2020-24370 3 Debian, Fedoraproject, Lua 3 Debian Linux, Fedora, Lua 2023-01-23 5.0 MEDIUM 5.3 MEDIUM
ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).
CVE-2020-15094 2 Fedoraproject, Sensiolabs 3 Fedora, Httpclient, Symfony 2023-01-23 7.5 HIGH 8.8 HIGH
In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.
CVE-2020-5395 3 Fedoraproject, Fontforge, Opensuse 3 Fedora, Fontforge, Leap 2023-01-23 6.8 MEDIUM 8.8 HIGH
FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in sfd.c.