Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Debian Subscribe
Filtered by product Debian Linux
Total 8096 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-39286 3 Debian, Fedoraproject, Jupyter 3 Debian Linux, Fedora, Jupyter Core 2023-03-21 N/A 8.8 HIGH
Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.
CVE-2022-24793 2 Debian, Pjsip 2 Debian Linux, Pjsip 2023-03-20 4.3 MEDIUM 7.5 HIGH
PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that use PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an external resolver. This vulnerability is related to CVE-2023-27585. The difference is that this issue is in parsing the query record `parse_rr()`, while the issue in CVE-2023-27585 is in `parse_query()`. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver instead.
CVE-2022-27782 2 Debian, Haxx 2 Debian Linux, Curl 2023-03-20 5.0 MEDIUM 7.5 HIGH
libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.
CVE-2023-0361 3 Debian, Gnu, Redhat 3 Debian Linux, Gnutls, Enterprise Linux 2023-03-18 N/A 7.5 HIGH
A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.
CVE-2018-18506 5 Canonical, Debian, Mozilla and 2 more 12 Ubuntu Linux, Debian Linux, Firefox and 9 more 2023-03-17 4.3 MEDIUM 5.9 MEDIUM
When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior is disallowed by default when a proxy is manually configured, but when enabled could allow for attacks on services and tools that bind to the localhost for networked behavior if they are accessed through browsing. This vulnerability affects Firefox < 65.
CVE-2022-47629 2 Debian, Libksba Project 2 Debian Linux, Libksba 2023-03-16 N/A 9.8 CRITICAL
Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser.
CVE-2023-24580 2 Debian, Djangoproject 2 Debian Linux, Django 2023-03-16 N/A 7.5 HIGH
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.
CVE-2023-23920 2 Debian, Nodejs 2 Debian Linux, Node.js 2023-03-16 N/A 4.2 MEDIUM
An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.
CVE-2021-3593 4 Debian, Fedoraproject, Libslirp Project and 1 more 4 Debian Linux, Fedora, Libslirp and 1 more 2023-03-14 2.1 LOW 3.8 LOW
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.
CVE-2021-3592 4 Debian, Fedoraproject, Libslirp Project and 1 more 4 Debian Linux, Fedora, Libslirp and 1 more 2023-03-14 2.1 LOW 3.8 LOW
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.
CVE-2021-3595 4 Debian, Fedoraproject, Libslirp Project and 1 more 4 Debian Linux, Fedora, Libslirp and 1 more 2023-03-14 2.1 LOW 3.8 LOW
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.
CVE-2020-29130 3 Debian, Fedoraproject, Libslirp Project 3 Debian Linux, Fedora, Libslirp 2023-03-14 4.0 MEDIUM 4.3 MEDIUM
slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
CVE-2021-3594 4 Debian, Fedoraproject, Libslirp Project and 1 more 4 Debian Linux, Fedora, Libslirp and 1 more 2023-03-14 2.1 LOW 3.8 LOW
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.
CVE-2022-27777 2 Debian, Rubyonrails 2 Debian Linux, Actionpack 2023-03-14 4.3 MEDIUM 6.1 MEDIUM
A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to inject content if able to control input into specific attributes.
CVE-2022-21831 2 Debian, Rubyonrails 2 Debian Linux, Active Storage 2023-03-14 6.8 MEDIUM 9.8 CRITICAL
A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments.
CVE-2022-22577 2 Debian, Rubyonrails 2 Debian Linux, Actionpack 2023-03-14 4.3 MEDIUM 6.1 MEDIUM
An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses.
CVE-2022-23633 2 Debian, Rubyonrails 2 Debian Linux, Rails 2023-03-14 4.3 MEDIUM 5.9 MEDIUM
Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.
CVE-2022-23837 2 Contribsys, Debian 2 Sidekiq, Debian Linux 2023-03-12 5.0 MEDIUM 7.5 HIGH
In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
CVE-2021-30151 2 Contribsys, Debian 2 Sidekiq, Debian Linux 2023-03-12 4.3 MEDIUM 6.1 MEDIUM
Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used.
CVE-2020-25676 2 Debian, Imagemagick 2 Debian Linux, Imagemagick 2023-03-11 4.3 MEDIUM 5.5 MEDIUM
In CatromWeights(), MeshInterpolate(), InterpolatePixelChannel(), InterpolatePixelChannels(), and InterpolatePixelInfo(), which are all functions in /MagickCore/pixel.c, there were multiple unconstrained pixel offset calculations which were being used with the floor() function. These calculations produced undefined behavior in the form of out-of-range and integer overflows, as identified by UndefinedBehaviorSanitizer. These instances of undefined behavior could be triggered by an attacker who is able to supply a crafted input file to be processed by ImageMagick. These issues could impact application availability or potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0.