Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Opensuse Subscribe
Total 3164 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2016-5770 3 Debian, Opensuse, Php 4 Debian Linux, Leap, Opensuse and 1 more 2022-07-20 7.5 HIGH 9.8 CRITICAL
Integer overflow in the SplFileObject::fread function in spl_directory.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer argument, a related issue to CVE-2016-5096.
CVE-2016-5771 3 Debian, Opensuse, Php 4 Debian Linux, Leap, Opensuse and 1 more 2022-07-20 7.5 HIGH 9.8 CRITICAL
spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.
CVE-2016-5772 4 Debian, Opensuse, Php and 1 more 7 Debian Linux, Leap, Opensuse and 4 more 2022-07-20 7.5 HIGH 9.8 CRITICAL
Double free vulnerability in the php_wddx_process_data function in wddx.c in the WDDX extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted XML data that is mishandled in a wddx_deserialize call.
CVE-2015-8866 4 Canonical, Opensuse, Php and 1 more 6 Ubuntu Linux, Leap, Opensuse and 3 more 2022-07-20 6.8 MEDIUM 9.6 CRITICAL
ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.
CVE-2016-4343 2 Opensuse, Php 2 Opensuse, Php 2022-07-20 6.8 MEDIUM 8.8 HIGH
The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.
CVE-2020-11089 2 Freerdp, Opensuse 2 Freerdp, Leap 2022-07-19 6.0 MEDIUM 5.5 MEDIUM
In FreeRDP before 2.1.0, there is an out-of-bound read in irp functions (parallel_process_irp_create, serial_process_irp_create, drive_process_irp_write, printer_process_irp_write, rdpei_recv_pdu, serial_process_irp_write). This has been fixed in 2.1.0.
CVE-2020-11097 4 Canonical, Fedoraproject, Freerdp and 1 more 4 Ubuntu Linux, Fedora, Freerdp and 1 more 2022-07-19 5.5 MEDIUM 5.4 MEDIUM
In FreeRDP before version 2.1.2, an out of bounds read occurs resulting in accessing a memory location that is outside of the boundaries of the static array PRIMARY_DRAWING_ORDER_FIELD_BYTES. This is fixed in version 2.1.2.
CVE-2020-11096 4 Canonical, Fedoraproject, Freerdp and 1 more 4 Ubuntu Linux, Fedora, Freerdp and 1 more 2022-07-19 6.4 MEDIUM 6.5 MEDIUM
In FreeRDP before version 2.1.2, there is a global OOB read in update_read_cache_bitmap_v3_order. As a workaround, one can disable bitmap cache with -bitmap-cache (default). This is fixed in version 2.1.2.
CVE-2020-11095 4 Canonical, Fedoraproject, Freerdp and 1 more 4 Ubuntu Linux, Fedora, Freerdp and 1 more 2022-07-19 5.5 MEDIUM 5.4 MEDIUM
In FreeRDP before version 2.1.2, an out of bound reads occurs resulting in accessing a memory location that is outside of the boundaries of the static array PRIMARY_DRAWING_ORDER_FIELD_BYTES. This is fixed in version 2.1.2.
CVE-2020-11098 4 Canonical, Fedoraproject, Freerdp and 1 more 4 Ubuntu Linux, Fedora, Freerdp and 1 more 2022-07-19 5.8 MEDIUM 6.5 MEDIUM
In FreeRDP before version 2.1.2, there is an out-of-bound read in glyph_cache_put. This affects all FreeRDP clients with `+glyph-cache` option enabled This is fixed in version 2.1.2.
CVE-2020-11088 2 Freerdp, Opensuse 2 Freerdp, Leap 2022-07-19 5.5 MEDIUM 5.4 MEDIUM
In FreeRDP less than or equal to 2.0.0, there is an out-of-bound read in ntlm_read_NegotiateMessage. This has been fixed in 2.1.0.
CVE-2020-11086 2 Freerdp, Opensuse 2 Freerdp, Leap 2022-07-19 5.5 MEDIUM 5.4 MEDIUM
In FreeRDP less than or equal to 2.0.0, there is an out-of-bound read in ntlm_read_ntlm_v2_client_challenge that reads up to 28 bytes out-of-bound to an internal structure. This has been fixed in 2.1.0.
CVE-2020-11087 2 Freerdp, Opensuse 2 Freerdp, Leap 2022-07-19 5.5 MEDIUM 5.4 MEDIUM
In FreeRDP less than or equal to 2.0.0, there is an out-of-bound read in ntlm_read_AuthenticateMessage. This has been fixed in 2.1.0.
CVE-2020-11085 2 Freerdp, Opensuse 2 Freerdp, Leap 2022-07-19 5.0 MEDIUM 3.5 LOW
In FreeRDP before 2.1.0, there is an out-of-bounds read in cliprdr_read_format_list. Clipboard format data read (by client or server) might read data out-of-bounds. This has been fixed in 2.1.0.
CVE-2014-4616 4 Opensuse, Opensuse Project, Python and 1 more 4 Opensuse, Opensuse, Python and 1 more 2022-07-13 4.3 MEDIUM 5.9 MEDIUM
Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.
CVE-2020-2760 6 Canonical, Fedoraproject, Mariadb and 3 more 9 Ubuntu Linux, Fedora, Mariadb and 6 more 2022-07-13 5.5 MEDIUM 5.5 MEDIUM
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
CVE-2020-1938 6 Apache, Blackberry, Debian and 3 more 19 Geode, Tomcat, Good Control and 16 more 2022-07-12 7.5 HIGH 9.8 CRITICAL
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
CVE-2020-11651 5 Canonical, Debian, Opensuse and 2 more 5 Ubuntu Linux, Debian Linux, Leap and 2 more 2022-07-12 7.5 HIGH 9.8 CRITICAL
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
CVE-2015-1283 8 Canonical, Debian, Google and 5 more 13 Ubuntu Linux, Debian Linux, Chrome and 10 more 2022-07-05 6.8 MEDIUM N/A
Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.
CVE-2020-2754 7 Canonical, Debian, Fedoraproject and 4 more 12 Ubuntu Linux, Debian Linux, Fedora and 9 more 2022-07-01 4.3 MEDIUM 3.7 LOW
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).