Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-23384 2021-05-17 N/A N/A
The package koa-remove-trailing-slashes before 2.0.2 are vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://example.com//attacker.example/). The vulnerable code is in index.js::removeTrailingSlashes(), as the web server uses relative URLs instead of absolute URLs.
CVE-2020-21813 2021-05-17 N/A N/A
A heap based buffer overflow issue exists in GNU LibreDWG 0.10.2641 via output_TEXT ../../programs/dwg2SVG.c:114.
CVE-2021-31186 1 Microsoft 8 Windows 10, Windows 7, Windows 8.1 and 5 more 2021-05-17 4.3 MEDIUM 6.5 MEDIUM
Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
CVE-2021-31933 1 Chamilo 1 Chamilo 2021-05-17 6.5 MEDIUM 7.2 HIGH
A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to upload a file containing arbitrary PHP code into specific directories via main/inc/lib/fileUpload.lib.php directory traversal to achieve PHP code execution.
CVE-2021-22876 2 Fedoraproject, Haxx 2 Fedora, Libcurl 2021-05-17 5.0 MEDIUM 5.3 MEDIUM
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.
CVE-2021-21156 2 Fedoraproject, Google 2 Fedora, Chrome 2021-05-17 6.8 MEDIUM 8.8 HIGH
Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.182 allowed a remote attacker to potentially exploit heap corruption via a crafted script.
CVE-2021-28092 1 Is-svg Project 1 Is-svg 2021-05-17 5.0 MEDIUM 7.5 HIGH
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
CVE-2021-29266 1 Linux 1 Linux Kernel 2021-05-17 7.2 HIGH 7.8 HIGH
An issue was discovered in the Linux kernel before 5.11.9. drivers/vhost/vdpa.c has a use-after-free because v->config_ctx has an invalid value upon re-opening a character device, aka CID-f6bbf0010ba0.
CVE-2020-13954 3 Apache, Netapp, Oracle 4 Cxf, Snap Creator Framework, Vasa Provider For Clustered Data Ontap and 1 more 2021-05-17 4.3 MEDIUM 6.1 MEDIUM
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.
CVE-2021-29571 1 Google 1 Tensorflow 2021-05-17 4.6 MEDIUM 7.8 HIGH
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. The implementation(https://github.com/tensorflow/tensorflow/blob/31bd5026304677faa8a0b77602c6154171b9aec1/tensorflow/core/kernels/image/draw_bounding_box_op.cc#L116-L130) assumes that the last element of `boxes` input is 4, as required by [the op](https://www.tensorflow.org/api_docs/python/tf/raw_ops/DrawBoundingBoxesV2). Since this is not checked attackers passing values less than 4 can write outside of bounds of heap allocated objects and cause memory corruption. If the last dimension in `boxes` is less than 4, accesses similar to `tboxes(b, bb, 3)` will access data outside of bounds. Further during code execution there are also writes to these indices. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVE-2021-26422 1 Microsoft 2 Lync Server, Skype For Business Server 2021-05-17 6.5 MEDIUM 7.2 HIGH
Skype for Business and Lync Remote Code Execution Vulnerability
CVE-2021-23901 2 Apache, Netapp 2 Nutch, Snap Creator Framework 2021-05-17 6.4 MEDIUM 9.1 CRITICAL
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Nutch 1.18.
CVE-2021-23926 2 Apache, Netapp 4 Xmlbeans, Oncommand Unified Manager Core Package, Snap Creator Framework and 1 more 2021-05-17 6.4 MEDIUM 9.1 CRITICAL
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.
CVE-2021-21466 1 Sap 2 Business Warehouse, Bw\/4hana 2021-05-17 6.5 MEDIUM 8.8 HIGH
SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service.
CVE-2021-21148 3 Debian, Fedoraproject, Google 3 Debian Linux, Fedora, Chrome 2021-05-17 6.8 MEDIUM 8.8 HIGH
Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2020-28499 1 Merge Project 1 Merge 2021-05-17 7.5 HIGH 9.8 CRITICAL
All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .
CVE-2007-4476 3 Canonical, Debian, Gnu 3 Ubuntu Linux, Debian Linux, Tar 2021-05-17 7.5 HIGH N/A
Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a "crashing stack."
CVE-2014-9390 6 Apple, Eclipse, Git-scm and 3 more 8 Mac Os X, Xcode, Egit and 5 more 2021-05-17 7.5 HIGH 9.8 CRITICAL
Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
CVE-2021-20312 1 Imagemagick 1 Imagemagick 2021-05-17 7.8 HIGH 7.5 HIGH
A flaw was found in ImageMagick in versions 7.0.11, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this vulnerability is to system availability.
CVE-2021-20313 1 Imagemagick 1 Imagemagick 2021-05-17 5.0 MEDIUM 7.5 HIGH
A flaw was found in ImageMagick in versions before 7.0.11. A potential cipher leak when the calculate signatures in TransformSignature is possible. The highest threat from this vulnerability is to data confidentiality.