Total
133 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-15605 | 6 Debian, Fedoraproject, Nodejs and 3 more | 13 Debian Linux, Fedora, Node.js and 10 more | 2024-03-07 | 7.5 HIGH | 9.8 CRITICAL |
| HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed | |||||
| CVE-2019-15604 | 5 Debian, Nodejs, Opensuse and 2 more | 10 Debian Linux, Node.js, Leap and 7 more | 2024-03-07 | 5.0 MEDIUM | 7.5 HIGH |
| Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate | |||||
| CVE-2023-39417 | 3 Debian, Postgresql, Redhat | 4 Debian Linux, Postgresql, Enterprise Linux and 1 more | 2024-02-16 | N/A | 8.8 HIGH |
| IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser. | |||||
| CVE-2023-5870 | 2 Postgresql, Redhat | 16 Postgresql, Codeready Linux Builder Eus, Codeready Linux Builder Eus For Power Little Endian Eus and 13 more | 2024-01-25 | N/A | 4.4 MEDIUM |
| A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack. | |||||
| CVE-2023-5869 | 2 Postgresql, Redhat | 21 Postgresql, Codeready Linux Builder Eus, Codeready Linux Builder Eus For Power Little Endian Eus and 18 more | 2024-01-25 | N/A | 8.8 HIGH |
| A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory. | |||||
| CVE-2023-5868 | 2 Postgresql, Redhat | 16 Postgresql, Codeready Linux Builder Eus, Codeready Linux Builder Eus For Power Little Endian Eus and 13 more | 2024-01-25 | N/A | 4.3 MEDIUM |
| A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory. | |||||
| CVE-2021-41819 | 6 Debian, Fedoraproject, Opensuse and 3 more | 9 Debian Linux, Fedora, Factory and 6 more | 2024-01-24 | 5.0 MEDIUM | 7.5 HIGH |
| CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby. | |||||
| CVE-2021-41817 | 6 Debian, Fedoraproject, Opensuse and 3 more | 9 Debian Linux, Fedora, Factory and 6 more | 2024-01-24 | 5.0 MEDIUM | 7.5 HIGH |
| Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1. | |||||
| CVE-2019-17570 | 5 Apache, Canonical, Debian and 2 more | 6 Xml-rpc, Ubuntu Linux, Debian Linux and 3 more | 2024-01-22 | 7.5 HIGH | 9.8 CRITICAL |
| An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed. | |||||
| CVE-2022-4904 | 3 C-ares Project, Fedoraproject, Redhat | 4 C-ares, Fedora, Enterprise Linux and 1 more | 2024-01-05 | N/A | 8.6 HIGH |
| A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. | |||||
| CVE-2021-4104 | 4 Apache, Fedoraproject, Oracle and 1 more | 46 Log4j, Fedora, Advanced Supply Chain Planning and 43 more | 2023-12-22 | 6.0 MEDIUM | 7.5 HIGH |
| JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. | |||||
| CVE-2022-4900 | 2 Php, Redhat | 3 Php, Linux, Software Collections | 2023-12-10 | N/A | 5.5 MEDIUM |
| A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow. | |||||
| CVE-2023-2455 | 3 Fedoraproject, Postgresql, Redhat | 4 Fedora, Postgresql, Enterprise Linux and 1 more | 2023-12-10 | N/A | 5.4 MEDIUM |
| Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. | |||||
| CVE-2023-2454 | 3 Fedoraproject, Postgresql, Redhat | 4 Fedora, Postgresql, Enterprise Linux and 1 more | 2023-12-10 | N/A | 7.2 HIGH |
| schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code. | |||||
| CVE-2023-0056 | 3 Fedoraproject, Haproxy, Redhat | 10 Extra Packages For Enterprise Linux, Fedora, Haproxy and 7 more | 2023-12-10 | N/A | 6.5 MEDIUM |
| An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. | |||||
| CVE-2021-4189 | 4 Debian, Netapp, Python and 1 more | 5 Debian Linux, Ontap Select Deploy Administration Utility, Python and 2 more | 2023-12-10 | N/A | 5.3 MEDIUM |
| A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible. | |||||
| CVE-2020-10735 | 3 Fedoraproject, Python, Redhat | 5 Fedora, Python, Enterprise Linux and 2 more | 2023-12-10 | N/A | 7.5 HIGH |
| A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability. | |||||
| CVE-2021-3656 | 3 Fedoraproject, Linux, Redhat | 26 Fedora, Linux Kernel, 3scale Api Management and 23 more | 2023-12-10 | 7.2 HIGH | 8.8 HIGH |
| A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "virt_ext" field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. | |||||
| CVE-2022-0711 | 3 Debian, Haproxy, Redhat | 5 Debian Linux, Haproxy, Enterprise Linux and 2 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability. | |||||
| CVE-2021-3677 | 3 Fedoraproject, Postgresql, Redhat | 7 Fedora, Postgresql, Enterprise Linux and 4 more | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| A flaw was found in postgresql. A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include max_worker_processes=0, the known versions of this attack are infeasible. However, undiscovered variants of the attack may be independent of that setting. | |||||