Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Debian Subscribe
Total 8236 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-0427 4 Debian, Google, Opensuse and 1 more 4 Debian Linux, Android, Leap and 1 more 2022-10-25 2.1 LOW 5.5 MEDIUM
In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-140550171
CVE-2021-38161 2 Apache, Debian 2 Traffic Server, Debian Linux 2022-10-25 6.8 MEDIUM 8.1 HIGH
Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle attacks. This issue affects Apache Traffic Server 8.0.0 to 8.0.8.
CVE-2021-21285 3 Debian, Docker, Netapp 3 Debian Linux, Docker, E-series Santricity Os Controller 2022-10-25 4.3 MEDIUM 6.5 MEDIUM
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.
CVE-2021-3410 3 Debian, Fedoraproject, Libcaca Project 3 Debian Linux, Fedora, Libcaca 2022-10-24 4.6 MEDIUM 7.8 HIGH
A flaw was found in libcaca v0.99.beta19. A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context.
CVE-2021-24122 3 Apache, Debian, Oracle 3 Tomcat, Debian Linux, Agile Plm 2022-10-24 4.3 MEDIUM 5.9 MEDIUM
When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.
CVE-2022-31090 2 Debian, Guzzlephp 2 Debian Linux, Guzzle 2022-10-24 4.0 MEDIUM 7.7 HIGH
Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl.
CVE-2021-3498 3 Debian, Gstreamer Project, Redhat 3 Debian Linux, Gstreamer, Enterprise Linux 2022-10-24 6.8 MEDIUM 7.8 HIGH
GStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files.
CVE-2021-3482 4 Debian, Exiv2, Fedoraproject and 1 more 4 Debian Linux, Exiv2, Fedora and 1 more 2022-10-24 6.4 MEDIUM 6.5 MEDIUM
A flaw was found in Exiv2 in versions before and including 0.27.4-RC1. Improper input validation of the rawData.size property in Jp2Image::readMetadata() in jp2image.cpp can lead to a heap-based buffer overflow via a crafted JPG image containing malicious EXIF data.
CVE-2021-21348 4 Debian, Fedoraproject, Oracle and 1 more 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more 2022-10-21 7.8 HIGH 7.5 HIGH
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVE-2021-21345 4 Debian, Fedoraproject, Oracle and 1 more 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more 2022-10-21 6.5 MEDIUM 9.9 CRITICAL
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVE-2021-21375 2 Debian, Teluu 2 Debian Linux, Pjsip 2022-10-21 4.3 MEDIUM 6.5 MEDIUM
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP version 2.10 and earlier, after an initial INVITE has been sent, when two 183 responses are received, with the first one causing negotiation failure, a crash will occur. This results in a denial of service.
CVE-2021-20313 2 Debian, Imagemagick 2 Debian Linux, Imagemagick 2022-10-21 5.0 MEDIUM 7.5 HIGH
A flaw was found in ImageMagick in versions before 7.0.11. A potential cipher leak when the calculate signatures in TransformSignature is possible. The highest threat from this vulnerability is to data confidentiality.
CVE-2020-25713 3 Debian, Fedoraproject, Librdf 3 Debian Linux, Fedora, Raptor Rdf Syntax Library 2022-10-21 4.0 MEDIUM 6.5 MEDIUM
A malformed input file can lead to a segfault due to an out of bounds array access in raptor_xml_writer_start_element_common.
CVE-2020-25654 2 Clusterlabs, Debian 2 Pacemaker, Debian Linux 2022-10-21 9.0 HIGH 7.2 HIGH
An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.
CVE-2020-25719 5 Canonical, Debian, Fedoraproject and 2 more 17 Ubuntu Linux, Debian Linux, Fedora and 14 more 2022-10-21 9.0 HIGH 7.2 HIGH
A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-based authentication. The Samba AD DC, could become confused about the user a ticket represents if it did not strictly require a Kerberos PAC and always use the SIDs found within. The result could include total domain compromise.
CVE-2022-38784 3 Debian, Fedoraproject, Freedesktop 3 Debian Linux, Fedora, Poppler 2022-10-20 N/A 7.8 HIGH
Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf.
CVE-2017-10274 4 Debian, Netapp, Oracle and 1 more 28 Debian Linux, Active Iq Unified Manager, Cloud Backup and 25 more 2022-10-19 4.0 MEDIUM 6.8 MEDIUM
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Smart Card IO). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data as well as unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 6.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).
CVE-2020-0569 5 Canonical, Debian, Intel and 2 more 26 Ubuntu Linux, Debian Linux, 7265 and 23 more 2022-10-19 2.7 LOW 5.7 MEDIUM
Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.
CVE-2019-15961 4 Canonical, Cisco, Clamav and 1 more 4 Ubuntu Linux, Email Security Appliance Firmware, Clamav and 1 more 2022-10-19 7.1 HIGH 6.5 MEDIUM
A vulnerability in the email parsing module Clam AntiVirus (ClamAV) Software versions 0.102.0, 0.101.4 and prior could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to inefficient MIME parsing routines that result in extremely long scan times of specially formatted email files. An attacker could exploit this vulnerability by sending a crafted email file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to scan the crafted email file indefinitely, resulting in a denial of service condition.
CVE-2020-26247 2 Debian, Nokogiri 2 Debian Linux, Nokogiri 2022-10-19 4.0 MEDIUM 4.3 MEDIUM
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.