Vulnerabilities (CVE)

Filtered by vendor Fedoraproject Subscribe
Filtered by product Fedora
Total 3323 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-30596 3 Fedoraproject, Moodle, Redhat 3 Fedora, Moodle, Enterprise Linux 2022-06-13 3.5 LOW 5.4 MEDIUM
A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk.
CVE-2022-30597 3 Fedoraproject, Moodle, Redhat 3 Fedora, Moodle, Enterprise Linux 2022-06-13 5.0 MEDIUM 5.3 MEDIUM
A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field.
CVE-2022-1949 3 Fedoraproject, Port389, Redhat 4 Fedora, 389-ds-base, Directory Server and 1 more 2022-06-13 5.0 MEDIUM 7.5 HIGH
An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.
CVE-2022-24769 4 Fedoraproject, Linux, Linuxfoundation and 1 more 4 Fedora, Linux Kernel, Runc and 1 more 2022-06-13 4.6 MEDIUM 5.9 MEDIUM
Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting.
CVE-2022-1348 2 Fedoraproject, Logrotate Project 2 Fedora, Logrotate 2022-06-12 4.0 MEDIUM 6.5 MEDIUM
A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0.
CVE-2021-42013 4 Apache, Fedoraproject, Netapp and 1 more 5 Http Server, Fedora, Cloud Backup and 2 more 2022-06-09 7.5 HIGH 9.8 CRITICAL
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
CVE-2022-1942 2 Fedoraproject, Vim 2 Fedora, Vim 2022-06-08 6.8 MEDIUM 7.8 HIGH
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVE-2022-1897 2 Fedoraproject, Vim 2 Fedora, Vim 2022-06-08 6.8 MEDIUM 7.8 HIGH
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
CVE-2022-1927 2 Fedoraproject, Vim 2 Fedora, Vim 2022-06-08 7.5 HIGH 9.8 CRITICAL
Buffer Over-read in GitHub repository vim/vim prior to 8.2.
CVE-2019-20388 6 Debian, Fedoraproject, Netapp and 3 more 31 Debian Linux, Fedora, Baseboard Management Controller H300e and 28 more 2022-06-07 5.0 MEDIUM 7.5 HIGH
xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.
CVE-2018-1285 3 Apache, Fedoraproject, Oracle 5 Log4net, Fedora, Application Testing Suite and 2 more 2022-06-07 7.5 HIGH 9.8 CRITICAL
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
CVE-2020-6070 2 F2fs-tools Project, Fedoraproject 2 F2fs-tools, Fedora 2022-06-07 6.8 MEDIUM 7.8 HIGH
An exploitable code execution vulnerability exists in the file system checking functionality of fsck.f2fs 1.12.0. A specially crafted f2fs file can cause a logic flaw and out-of-bounds heap operations, resulting in code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2020-6061 4 Canonical, Coturn Project, Debian and 1 more 4 Ubuntu Linux, Coturn, Debian Linux and 1 more 2022-06-07 7.5 HIGH 9.8 CRITICAL
An exploitable heap out-of-bounds read vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to information leaks and other misbehavior. An attacker needs to send an HTTPS request to trigger this vulnerability.
CVE-2020-6062 4 Canonical, Coturn Project, Debian and 1 more 4 Ubuntu Linux, Coturn, Debian Linux and 1 more 2022-06-07 5.0 MEDIUM 7.5 HIGH
An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to server crash and denial of service. An attacker needs to send an HTTP request to trigger this vulnerability.
CVE-2022-29217 2 Fedoraproject, Pyjwt Project 2 Fedora, Pyjwt 2022-06-07 5.0 MEDIUM 7.5 HIGH
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify `jwt.algorithms.get_default_algorithms()` to get support for all algorithms, or specify a single algorithm. The issue is not that big as `algorithms=jwt.algorithms.get_default_algorithms()` has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.
CVE-2022-23222 4 Debian, Fedoraproject, Linux and 1 more 19 Debian Linux, Fedora, Linux Kernel and 16 more 2022-06-07 7.2 HIGH 7.8 HIGH
kernel/bpf/verifier.c in the Linux kernel through 5.15.14 allows local users to gain privileges because of the availability of pointer arithmetic via certain *_OR_NULL pointer types.
CVE-2021-27219 4 Broadcom, Fedoraproject, Gnome and 1 more 6 Brocade Fabric Operating System Firmware, Fedora, Glib and 3 more 2022-06-06 5.0 MEDIUM 7.5 HIGH
An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.
CVE-2021-28153 2 Fedoraproject, Gnome 2 Fedora, Glib 2022-06-06 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)
CVE-2021-27218 2 Fedoraproject, Gnome 2 Fedora, Glib 2022-06-06 5.0 MEDIUM 7.5 HIGH
An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.
CVE-2021-45943 3 Debian, Fedoraproject, Osgeo 3 Debian Linux, Fedora, Gdal 2022-06-05 4.3 MEDIUM 5.5 MEDIUM
GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment).