Vulnerabilities (CVE)

Filtered by vendor Redhat Subscribe
Total 4214 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-3642 2 Quarkus, Redhat 13 Quarkus, Build Of Quarkus, Codeready Studio and 10 more 2021-10-20 3.5 LOW 5.3 MEDIUM
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.
CVE-2021-3518 5 Debian, Fedoraproject, Netapp and 2 more 13 Debian Linux, Fedora, Active Iq Unified Manager and 10 more 2021-10-20 6.8 MEDIUM 8.8 HIGH
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
CVE-2021-3537 5 Debian, Fedoraproject, Netapp and 2 more 13 Debian Linux, Fedora, Active Iq Unified Manager and 10 more 2021-10-20 4.3 MEDIUM 5.9 MEDIUM
A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
CVE-2021-3517 5 Debian, Fedoraproject, Netapp and 2 more 13 Debian Linux, Fedora, Active Iq Unified Manager and 10 more 2021-10-20 7.5 HIGH 8.6 HIGH
There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.
CVE-2021-3426 4 Debian, Fedoraproject, Python and 1 more 5 Debian Linux, Fedora, Python and 2 more 2021-10-20 2.7 LOW 5.7 MEDIUM
There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.
CVE-2016-2183 5 Cisco, Openssl, Oracle and 2 more 8 Content Security Management Appliance, Openssl, Database and 5 more 2021-10-20 5.0 MEDIUM 7.5 HIGH
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
CVE-2019-16775 5 Cli Project, Fedoraproject, Opensuse and 2 more 6 Cli, Fedora, Leap and 3 more 2021-10-20 4.0 MEDIUM 6.5 MEDIUM
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
CVE-2017-5645 4 Apache, Netapp, Oracle and 1 more 60 Log4j, Oncommand Api Services, Oncommand Insight and 57 more 2021-10-20 7.5 HIGH 9.8 CRITICAL
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
CVE-2019-11358 10 Backdropcms, Debian, Drupal and 7 more 102 Backdrop, Debian Linux, Drupal and 99 more 2021-10-20 4.3 MEDIUM 6.1 MEDIUM
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVE-2018-10237 3 Google, Oracle, Redhat 18 Guava, Banking Payments, Communications Ip Service Activator and 15 more 2021-10-20 4.3 MEDIUM 5.9 MEDIUM
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CVE-2021-20270 3 Fedoraproject, Pygments, Redhat 6 Fedora, Pygments, Enterprise Linux and 3 more 2021-10-20 5.0 MEDIUM 7.5 HIGH
An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
CVE-2020-25648 3 Fedoraproject, Mozilla, Redhat 3 Fedora, Network Security Services, Enterprise Linux 2021-10-20 5.0 MEDIUM 7.5 HIGH
A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58.
CVE-2019-10086 6 Apache, Debian, Fedoraproject and 3 more 52 Commons Beanutils, Nifi, Debian Linux and 49 more 2021-10-20 7.5 HIGH 7.3 HIGH
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
CVE-2020-27824 4 Debian, Fedoraproject, Redhat and 1 more 4 Debian Linux, Fedora, Enterprise Linux and 1 more 2021-10-20 4.3 MEDIUM 5.5 MEDIUM
A flaw was found in OpenJPEG’s encoder in the opj_dwt_calc_explicit_stepsizes() function. This flaw allows an attacker who can supply crafted input to decomposition levels to cause a buffer overflow. The highest threat from this vulnerability is to system availability.
CVE-2018-8088 3 Oracle, Qos, Redhat 14 Goldengate Application Adapters, Goldengate Stream Analytics, Utilities Framework and 11 more 2021-10-20 7.5 HIGH 9.8 CRITICAL
org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data.
CVE-2018-1257 3 Oracle, Pivotal Software, Redhat 30 Agile Product Lifecycle Management, Application Testing Suite, Big Data Discovery and 27 more 2021-10-20 4.0 MEDIUM 6.5 MEDIUM
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
CVE-2020-1714 2 Quarkus, Redhat 7 Quarkus, Decision Manager, Jboss Fuse and 4 more 2021-10-19 6.5 MEDIUM 8.8 HIGH
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.
CVE-2020-1746 2 Debian, Redhat 3 Debian Linux, Ansible Engine, Ansible Tower 2021-10-19 1.9 LOW 5.0 MEDIUM
A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.
CVE-2019-10170 1 Redhat 1 Keycloak 2021-10-19 6.5 MEDIUM 7.2 HIGH
A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user.
CVE-2019-10169 1 Redhat 1 Keycloak 2021-10-19 6.5 MEDIUM 7.2 HIGH
A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw allows an authenticated attacker with UMA permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the user running application.