Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Debian Subscribe
Total 8236 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-1720 4 Apple, Debian, Fedoraproject and 1 more 4 Macos, Debian Linux, Fedora and 1 more 2022-12-08 6.8 MEDIUM 7.8 HIGH
Buffer Over-read in function grab_file_name in GitHub repository vim/vim prior to 8.2.4956. This vulnerability is capable of crashing the software, memory modification, and possible remote execution.
CVE-2022-3324 3 Debian, Fedoraproject, Vim 3 Debian Linux, Fedora, Vim 2022-12-08 N/A 7.8 HIGH
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598.
CVE-2022-2304 3 Debian, Fedoraproject, Vim 3 Debian Linux, Fedora, Vim 2022-12-08 6.8 MEDIUM 7.8 HIGH
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
CVE-2022-2598 2 Debian, Vim 2 Debian Linux, Vim 2022-12-08 N/A 5.5 MEDIUM
Undefined Behavior for Input to API in GitHub repository vim/vim prior to 9.0.0100.
CVE-2022-3099 3 Debian, Fedoraproject, Vim 3 Debian Linux, Fedora, Vim 2022-12-08 N/A 7.8 HIGH
Use After Free in GitHub repository vim/vim prior to 9.0.0360.
CVE-2022-41325 2 Debian, Videolan 2 Debian Linux, Vlc Media Player 2022-12-08 N/A 7.8 HIGH
An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4 allows attackers, by tricking a user into opening a crafted playlist or connecting to a rogue VNC server, to crash VLC or execute code under some conditions.
CVE-2021-4189 4 Debian, Netapp, Python and 1 more 5 Debian Linux, Ontap Select Deploy Administration Utility, Python and 2 more 2022-12-07 N/A 5.3 MEDIUM
A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.
CVE-2022-41704 2 Apache, Debian 2 Batik, Debian Linux 2022-12-07 N/A 7.5 HIGH
A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
CVE-2022-42890 2 Apache, Debian 2 Batik, Debian Linux 2022-12-07 N/A 7.5 HIGH
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
CVE-2021-4037 2 Debian, Linux 2 Debian Linux, Linux Kernel 2022-12-07 N/A 7.8 HIGH
A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that allows local users to create files for the XFS file-system with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions granted in case when they should not. This vulnerability is similar to the previous CVE-2018-13405 and adds the missed fix for the XFS.
CVE-2021-25219 6 Debian, Fedoraproject, Isc and 3 more 23 Debian Linux, Fedora, Bind and 20 more 2022-12-07 5.0 MEDIUM 5.3 MEDIUM
In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing.
CVE-2022-33746 3 Debian, Fedoraproject, Xen 3 Debian Linux, Fedora, Xen 2022-12-07 N/A 6.5 MEDIUM
P2M pool freeing may take excessively long The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so far missing.
CVE-2021-43305 2 Debian, Yandex 2 Debian Linux, Clickhouse 2022-12-07 6.5 MEDIUM 8.8 HIGH
Heap buffer overflow in Clickhouse's LZ4 compression codec when parsing a malicious query. There is no verification that the copy operations in the LZ4::decompressImpl loop and especially the arbitrary copy operation wildCopy<copy_amount>(op, ip, copy_end), don’t exceed the destination buffer’s limits. This issue is very similar to CVE-2021-43304, but the vulnerable copy operation is in a different wildCopy call.
CVE-2021-42388 2 Debian, Yandex 2 Debian Linux, Clickhouse 2022-12-07 5.5 MEDIUM 8.1 HIGH
Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query. As part of the LZ4::decompressImpl() loop, a 16-bit unsigned user-supplied value ('offset') is read from the compressed data. The offset is later used in the length of a copy operation, without checking the lower bounds of the source of the copy operation.
CVE-2022-33980 3 Apache, Debian, Netapp 3 Commons Configuration, Debian Linux, Snapcenter 2022-12-07 7.5 HIGH 9.8 CRITICAL
Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.
CVE-2021-43304 2 Debian, Yandex 2 Debian Linux, Clickhouse 2022-12-07 6.5 MEDIUM 8.8 HIGH
Heap buffer overflow in Clickhouse's LZ4 compression codec when parsing a malicious query. There is no verification that the copy operations in the LZ4::decompressImpl loop and especially the arbitrary copy operation wildCopy<copy_amount>(op, ip, copy_end), don’t exceed the destination buffer’s limits.
CVE-2020-25595 4 Debian, Fedoraproject, Opensuse and 1 more 4 Debian Linux, Fedora, Leap and 1 more 2022-12-07 6.1 MEDIUM 7.8 HIGH
An issue was discovered in Xen through 4.14.x. The PCI passthrough code improperly uses register data. Code paths in Xen's MSI handling have been identified that act on unsanitized values read back from device hardware registers. While devices strictly compliant with PCI specifications shouldn't be able to affect these registers, experience shows that it's very common for devices to have out-of-spec "backdoor" operations that can affect the result of these reads. A not fully trusted guest may be able to crash Xen, leading to a Denial of Service (DoS) for the entire system. Privilege escalation and information leaks cannot be excluded. All versions of Xen supporting PCI passthrough are affected. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only guests with passed through PCI devices may be able to leverage the vulnerability. Only systems passing through devices with out-of-spec ("backdoor") functionality can cause issues. Experience shows that such out-of-spec functionality is common; unless you have reason to believe that your device does not have such functionality, it's better to assume that it does.
CVE-2020-25685 4 Arista, Debian, Fedoraproject and 1 more 4 Eos, Debian Linux, Fedora and 1 more 2022-12-07 4.3 MEDIUM 3.7 LOW
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
CVE-2022-3088 2 Debian, Moxa 129 Debian Linux, Aig-301-ap-azu-lx, Aig-301-ap-azu-lx Firmware and 126 more 2022-12-07 N/A 7.8 HIGH
UC-8100A-ME-T System Image: Versions v1.0 to v1.6, UC-2100 System Image: Versions v1.0 to v1.12, UC-2100-W System Image: Versions v1.0 to v 1.12,&nbsp;UC-3100 System Image: Versions v1.0 to v1.6,&nbsp;UC-5100 System Image: Versions v1.0 to v1.4, UC-8100 System Image: Versions v3.0 to v3.5, UC-8100-ME-T System Image: Versions v3.0 and v3.1, UC-8200 System Image: v1.0 to v1.5, AIG-300 System Image: v1.0 to v1.4, UC-8410A with Debian 9 System Image: Versions v4.0.2 and v4.1.2, UC-8580 with Debian 9 System Image: Versions v2.0 and v2.1, UC-8540 with Debian 9 System Image: Versions v2.0 and v2.1, and DA-662C-16-LX (GLB) System Image: Versions v1.0.2 to v1.1.2 of Moxa's ARM-based computers have an execution with unnecessary privileges vulnerability, which could allow an attacker with user-level privileges to gain root privileges.
CVE-2022-32084 3 Debian, Fedoraproject, Mariadb 3 Debian Linux, Fedora, Mariadb 2022-12-07 5.0 MEDIUM 7.5 HIGH
MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component sub_select.