Vulnerabilities (CVE)

Filtered by vendor Debian Subscribe
Filtered by product Debian Linux
Total 6549 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-13565 7 Apple, Canonical, Debian and 4 more 9 Mac Os X, Ubuntu Linux, Debian Linux and 6 more 2022-06-13 5.0 MEDIUM 7.5 HIGH
An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL authentication and session encryption, and relying on the SASL security layers in slapd access controls, it is possible to obtain access that would otherwise be denied via a simple bind for any identity covered in those ACLs. After the first SASL bind is completed, the sasl_ssf value is retained for all new non-SASL connections. Depending on the ACL configuration, this can affect different types of operations (searches, modifications, etc.). In other words, a successful authorization step completed by one user affects the authorization requirement for a different user.
CVE-2019-10086 6 Apache, Debian, Fedoraproject and 3 more 60 Commons Beanutils, Nifi, Debian Linux and 57 more 2022-06-13 7.5 HIGH 7.3 HIGH
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
CVE-2020-26664 2 Debian, Videolan 2 Debian Linux, Vlc Media Player 2022-06-10 6.8 MEDIUM 7.8 HIGH
A vulnerability in EbmlTypeDispatcher::send in VideoLAN VLC media player 3.0.11 allows attackers to trigger a heap-based buffer overflow via a crafted .mkv file.
CVE-2022-24801 2 Debian, Twistedmatrix 2 Debian Linux, Twisted 2022-06-10 6.8 MEDIUM 8.1 HIGH
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
CVE-2022-1328 2 Debian, Mutt 2 Debian Linux, Mutt 2022-06-10 5.0 MEDIUM 5.3 MEDIUM
Buffer Overflow in uudecoder in Mutt affecting all versions starting from 0.94.13 before 2.2.3 allows read past end of input line
CVE-2022-28346 2 Debian, Djangoproject 2 Debian Linux, Django 2022-06-09 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
CVE-2022-26491 2 Debian, Pidgin 2 Debian Linux, Pidgin 2022-06-09 4.3 MEDIUM 5.9 MEDIUM
An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968.
CVE-2021-26720 2 Avahi, Debian 2 Avahi, Debian Linux 2022-06-07 4.6 MEDIUM 7.8 HIGH
avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon. NOTE: this only affects the packaging for Debian GNU/Linux (used indirectly by SUSE), not the upstream Avahi product.
CVE-2019-20916 4 Debian, Opensuse, Oracle and 1 more 5 Debian Linux, Leap, Communications Cloud Native Core Network Function Cloud Native Environment and 2 more 2022-06-07 5.0 MEDIUM 7.5 HIGH
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
CVE-2019-5010 4 Debian, Opensuse, Python and 1 more 7 Debian Linux, Leap, Python and 4 more 2022-06-07 5.0 MEDIUM 7.5 HIGH
An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.
CVE-2019-20388 6 Debian, Fedoraproject, Netapp and 3 more 31 Debian Linux, Fedora, Baseboard Management Controller H300e and 28 more 2022-06-07 5.0 MEDIUM 7.5 HIGH
xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.
CVE-2019-17571 6 Apache, Canonical, Debian and 3 more 17 Bookkeeper, Log4j, Ubuntu Linux and 14 more 2022-06-07 7.5 HIGH 9.8 CRITICAL
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
CVE-2022-1664 1 Debian 2 Debian Linux, Dpkg 2022-06-07 7.5 HIGH 9.8 CRITICAL
Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.
CVE-2017-2887 2 Debian, Libsdl 2 Debian Linux, Sdl Image 2022-06-07 6.8 MEDIUM 8.8 HIGH
An exploitable buffer overflow vulnerability exists in the XCF property handling functionality of SDL_image 2.0.1. A specially crafted xcf file can cause a stack-based buffer overflow resulting in potential code execution. An attacker can provide a specially crafted XCF file to trigger this vulnerability.
CVE-2017-2888 3 Canonical, Debian, Libsdl 3 Ubuntu Linux, Debian Linux, Simple Directmedia Layer 2022-06-07 6.8 MEDIUM 8.8 HIGH
An exploitable integer overflow vulnerability exists when creating a new RGB Surface in SDL 2.0.5. A specially crafted file can cause an integer overflow resulting in too little memory being allocated which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability.
CVE-2017-2870 2 Debian, Gnome 2 Debian Linux, Gdk-pixbuf 2022-06-07 6.8 MEDIUM 7.8 HIGH
An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.
CVE-2017-2862 2 Debian, Gnome 2 Debian Linux, Gdk-pixbuf 2022-06-07 6.8 MEDIUM 7.8 HIGH
An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or url to trigger this vulnerability.
CVE-2017-2835 2 Debian, Freerdp 2 Debian Linux, Freerdp 2022-06-07 6.8 MEDIUM 8.1 HIGH
An exploitable code execution vulnerability exists in the RDP receive functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. An attacker can compromise the server or use a man in the middle to trigger this vulnerability.
CVE-2017-2885 3 Debian, Gnome, Redhat 8 Debian Linux, Libsoup, Enterprise Linux Desktop and 5 more 2022-06-07 7.5 HIGH 9.8 CRITICAL
An exploitable stack based buffer overflow vulnerability exists in the GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability.
CVE-2017-2834 2 Debian, Freerdp 2 Debian Linux, Freerdp 2022-06-07 6.8 MEDIUM 7.0 HIGH
An exploitable code execution vulnerability exists in the authentication functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. An attacker can compromise the server or use a man in the middle attack to trigger this vulnerability.