Filtered by vendor Debian
Subscribe
Total
8236 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-47950 | 2 Debian, Openstack | 2 Debian Linux, Swift | 2023-01-30 | N/A | 6.5 MEDIUM |
An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed). | |||||
CVE-2020-14929 | 3 Alpine Project, Debian, Fedoraproject | 3 Alpine, Debian Linux, Fedora | 2023-01-27 | 5.0 MEDIUM | 7.5 HIGH |
Alpine before 2.23 silently proceeds to use an insecure connection after a /tls is sent in certain circumstances involving PREAUTH, which is a less secure behavior than the alternative of closing the connection and letting the user decide what they would like to do. | |||||
CVE-2017-2816 | 2 Debian, Libofx Project | 2 Debian Linux, Libofx | 2023-01-27 | 6.8 MEDIUM | 8.8 HIGH |
An exploitable buffer overflow vulnerability exists in the tag parsing functionality of LibOFX 0.9.11. A specially crafted OFX file can cause a write out of bounds resulting in a buffer overflow on the stack. An attacker can construct a malicious OFX file to trigger this vulnerability. | |||||
CVE-2021-46837 | 3 Asterisk, Debian, Digium | 3 Certified Asterisk, Debian Linux, Asterisk | 2023-01-27 | N/A | 6.5 MEDIUM |
res_pjsip_t38 in Sangoma Asterisk 16.x before 16.16.2, 17.x before 17.9.3, and 18.x before 18.2.2, and Certified Asterisk before 16.8-cert7, allows an attacker to trigger a crash by sending an m=image line and zero port in a response to a T.38 re-invite initiated by Asterisk. This is a re-occurrence of the CVE-2019-15297 symptoms but not for exactly the same reason. The crash occurs because there is an append operation relative to the active topology, but this should instead be a replace operation. | |||||
CVE-2021-43299 | 2 Debian, Teluu | 2 Debian Linux, Pjsip | 2023-01-27 | 7.5 HIGH | 9.8 CRITICAL |
Stack overflow in PJSUA API when calling pjsua_player_create. An attacker-controlled 'filename' argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation. | |||||
CVE-2021-43301 | 2 Debian, Teluu | 2 Debian Linux, Pjsip | 2023-01-27 | 7.5 HIGH | 9.8 CRITICAL |
Stack overflow in PJSUA API when calling pjsua_playlist_create. An attacker-controlled 'file_names' argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation. | |||||
CVE-2020-13753 | 6 Canonical, Debian, Fedoraproject and 3 more | 6 Ubuntu Linux, Debian Linux, Fedora and 3 more | 2023-01-27 | 7.5 HIGH | 10.0 CRITICAL |
The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3, failed to properly block access to CLONE_NEWUSER and the TIOCSTI ioctl. CLONE_NEWUSER could potentially be used to confuse xdg-desktop-portal, which allows access outside the sandbox. TIOCSTI can be used to directly execute commands outside the sandbox by writing to the controlling terminal's input buffer, similar to CVE-2017-5226. | |||||
CVE-2017-14448 | 2 Debian, Libsdl | 2 Debian Linux, Sdl Image | 2023-01-27 | 6.8 MEDIUM | 8.8 HIGH |
An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. | |||||
CVE-2020-17446 | 2 Debian, Magic | 2 Debian Linux, Asyncpg | 2023-01-27 | 7.5 HIGH | 9.8 CRITICAL |
asyncpg before 0.21.0 allows a malicious PostgreSQL server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, because of access to an uninitialized pointer in the array data decoder. | |||||
CVE-2019-17637 | 2 Debian, Eclipse | 2 Debian Linux, Web Tools Platform | 2023-01-27 | 5.8 MEDIUM | 7.1 HIGH |
In all versions of Eclipse Web Tools Platform through release 3.18 (2020-06), XML and DTD files referring to external entities could be exploited to send the contents of local files to a remote server when edited or validated, even when external entity resolution is disabled in the user preferences. | |||||
CVE-2019-13033 | 3 Cisofy, Debian, Fedoraproject | 3 Lynis, Debian Linux, Fedora | 2023-01-27 | 2.1 LOW | 3.3 LOW |
In CISOfy Lynis 2.x through 2.7.5, the license key can be obtained by looking at the process list when a data upload is being performed. This license can be used to upload data to a central Lynis server. Although no data can be extracted by knowing the license key, it may be possible to upload the data of additional scans. | |||||
CVE-2022-26498 | 2 Debian, Digium | 2 Debian Linux, Asterisk | 2023-01-27 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2. | |||||
CVE-2021-43845 | 2 Debian, Teluu | 2 Debian Linux, Pjsip | 2023-01-27 | 6.4 MEDIUM | 9.1 CRITICAL |
PJSIP is a free and open source multimedia communication library. In version 2.11.1 and prior, if incoming RTCP XR message contain block, the data field is not checked against the received packet size, potentially resulting in an out-of-bound read access. This affects all users that use PJMEDIA and RTCP XR. A malicious actor can send a RTCP XR message with an invalid packet size. | |||||
CVE-2021-30130 | 2 Debian, Phpseclib | 2 Debian Linux, Phpseclib | 2023-01-27 | 5.0 MEDIUM | 7.5 HIGH |
phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification. | |||||
CVE-2022-24763 | 2 Debian, Pjsip | 2 Debian Linux, Pjsip | 2023-01-27 | 5.0 MEDIUM | 7.5 HIGH |
PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12 and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML parsing in their apps. Users are advised to update. There are no known workarounds. | |||||
CVE-2021-43302 | 2 Debian, Teluu | 2 Debian Linux, Pjsip | 2023-01-27 | 6.4 MEDIUM | 9.1 CRITICAL |
Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An attacker-controlled 'filename' argument may cause an out-of-bounds read when the filename is shorter than 4 characters. | |||||
CVE-2021-43300 | 2 Debian, Teluu | 2 Debian Linux, Pjsip | 2023-01-27 | 7.5 HIGH | 9.8 CRITICAL |
Stack overflow in PJSUA API when calling pjsua_recorder_create. An attacker-controlled 'filename' argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation. | |||||
CVE-2020-24361 | 2 Debian, Snmptt | 2 Debian Linux, Snmptt | 2023-01-27 | 7.5 HIGH | 9.8 CRITICAL |
SNMPTT before 1.4.2 allows attackers to execute shell code via EXEC, PREXEC, or unknown_trap_exec. | |||||
CVE-2020-15569 | 2 Debian, Milkytracker Project | 2 Debian Linux, Milkytracker | 2023-01-27 | 4.3 MEDIUM | 5.5 MEDIUM |
PlayerGeneric.cpp in MilkyTracker through 1.02.00 has a use-after-free in the PlayerGeneric destructor. | |||||
CVE-2020-11061 | 2 Bareos, Debian | 2 Bareos, Debian Linux | 2023-01-27 | 6.0 MEDIUM | 7.4 HIGH |
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in Bareos versions 19.2.8, 18.2.9 and 17.2.10. |