{
"version": "1",
"package": [
{
"name": "abseil-cpp",
"layer": "meta-oe",
"version": "20240116.2",
"products": [
{
"product": "abseil-cpp",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "abseil-cpp-native",
"layer": "meta-oe",
"version": "20240116.2",
"products": [
{
"product": "abseil-cpp",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "acl",
"layer": "meta",
"version": "2.3.2",
"products": [
{
"product": "acl",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2009-4411",
"summary": "The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in recursive (-R) mode, follow symbolic links even when the --physical (aka -P) or -L option is specified, which might allow local users to modify the ACL for arbitrary files or directories via a symlink attack.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4411"
}
]
},
{
"name": "acl-native",
"layer": "meta",
"version": "2.3.2",
"products": [
{
"product": "acl",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2009-4411",
"summary": "The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in recursive (-R) mode, follow symbolic links even when the --physical (aka -P) or -L option is specified, which might allow local users to modify the ACL for arbitrary files or directories via a symlink attack.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4411"
}
]
},
{
"name": "agl-compositor",
"layer": "meta-agl-core",
"version": "0.0.24+git",
"products": [
{
"product": "agl-compositor",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "agl-compositor-init",
"layer": "meta-agl-core",
"version": "1.0",
"products": [
{
"product": "agl-compositor-init",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "agl-dbc",
"layer": "meta-agl-demo",
"version": "1.0+git",
"products": [
{
"product": "agl-dbc",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "agl-service-audiomixer",
"layer": "meta-agl-demo",
"version": "2.0+git",
"products": [
{
"product": "agl-service-audiomixer",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "agl-service-hvac",
"layer": "meta-agl-demo",
"version": "2.0+git",
"products": [
{
"product": "agl-service-hvac",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "agl-service-radio",
"layer": "meta-agl-demo",
"version": "2.0+git",
"products": [
{
"product": "agl-service-radio",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "agl-users",
"layer": "meta-agl-core",
"version": "1.0",
"products": [
{
"product": "agl-users",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "agl-vss-helper",
"layer": "meta-agl-demo",
"version": "1.0",
"products": [
{
"product": "agl-vss-helper",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "alsa-lib",
"layer": "meta",
"version": "1.2.11",
"products": [
{
"product": "alsa-lib",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2005-0087",
"summary": "The alsa-lib package in Red Hat Linux 4 disables stack protection for the libasound.so library, which makes it easier for attackers to execute arbitrary code if there are other vulnerabilities in the library.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0087"
}
]
},
{
"name": "alsa-state",
"layer": "meta",
"version": "0.2.0",
"products": [
{
"product": "alsa-state",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "alsa-topology-conf",
"layer": "meta",
"version": "1.2.5.1",
"products": [
{
"product": "alsa-topology-conf",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "alsa-ucm-conf",
"layer": "meta",
"version": "1.2.11",
"products": [
{
"product": "alsa-ucm-conf",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "alsa-utils",
"layer": "meta",
"version": "1.2.11",
"products": [
{
"product": "alsa-utils",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "applaunchd",
"layer": "meta-app-framework",
"version": "2.0+git",
"products": [
{
"product": "applaunchd",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "apr-native",
"layer": "meta",
"version": "1.7.4",
"products": [
{
"product": "apr",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "apr-util-native",
"layer": "meta",
"version": "1.6.3",
"products": [
{
"product": "apr-util",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2009-0023",
"summary": "The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2 module for the Apache HTTP Server, or (4) an application that uses the libapreq2 library, which triggers a heap-based buffer underflow.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0023"
},
{
"id": "CVE-2009-1955",
"summary": "The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1955"
},
{
"id": "CVE-2009-1956",
"summary": "Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1956"
},
{
"id": "CVE-2009-2412",
"summary": "Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows. NOTE: some of these details are obtained from third party information.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2412"
},
{
"id": "CVE-2010-1623",
"summary": "Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1623"
},
{
"id": "CVE-2011-1928",
"summary": "The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used. NOTE: this issue exists because of an incorrect fix for CVE-2011-0419.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1928"
}
]
},
{
"name": "asciidoc-native",
"layer": "meta",
"version": "10.2.0",
"products": [
{
"product": "asciidoc",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "at-spi2-core-native",
"layer": "meta",
"version": "2.50.1",
"products": [
{
"product": "at-spi2-core",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "attr",
"layer": "meta",
"version": "2.5.1",
"products": [
{
"product": "attr",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "attr-native",
"layer": "meta",
"version": "2.5.1",
"products": [
{
"product": "attr",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "audit",
"layer": "meta-oe",
"version": "4.0.1",
"products": [
{
"product": "audit",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-4148",
"summary": "Heap-based buffer overflow in the Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12.4.0.0 allows remote attackers to cause a denial of service (persistent daemon crashes) or execute arbitrary code via a long filename in a \"LOG.\" command.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4148"
},
{
"id": "CVE-2007-4149",
"summary": "The Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12.4.0.0 does not require authentication for (1) the \"LOG.\" command, which allows remote attackers to create or overwrite arbitrary files; (2) the SETTINGSFILE command, which allows remote attackers to overwrite the ini file, and reconfigure VSAOD or cause a denial of service; or (3) the UNINSTALL command, which allows remote attackers to cause a denial of service (daemon shutdown). NOTE: vector 1 can be leveraged for code execution by writing to a Startup folder.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4149"
},
{
"id": "CVE-2007-4150",
"summary": "The Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12.4.0.0 uses weak cryptography (XOR) when (1) transmitting passwords, which allows remote attackers to obtain sensitive information by sniffing the network; and (2) storing passwords in the configuration file, which allows local users to obtain sensitive information by reading this file.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4150"
},
{
"id": "CVE-2007-4151",
"summary": "The Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12.4.0.0 allows remote attackers to obtain sensitive information via (1) a LOG.ON command, which reveals the logging pathname in the server response; (2) a VER command, which reveals the version number in the server response; and (3) a connection, which reveals the version number in the banner.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4151"
},
{
"id": "CVE-2007-4152",
"summary": "The Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12.4.0.0 allows remote attackers to conduct replay attacks by capturing and resending data from the DETAILS and PROCESS sections of a session that schedules an audit.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4152"
},
{
"id": "CVE-2008-1628",
"summary": "Stack-based buffer overflow in the audit_log_user_command function in lib/audit_logging.c in Linux Audit before 1.7 might allow remote attackers to execute arbitrary code via a long command argument. NOTE: some of these details are obtained from third party information.",
"scorev2": "4.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1628"
}
]
},
{
"name": "autoconf",
"layer": "meta",
"version": "2.72e",
"products": [
{
"product": "autoconf",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "autoconf-archive",
"layer": "meta",
"version": "2023.02.20",
"products": [
{
"product": "autoconf-archive",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "autoconf-archive-native",
"layer": "meta",
"version": "2023.02.20",
"products": [
{
"product": "autoconf-archive",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "autoconf-native",
"layer": "meta",
"version": "2.72e",
"products": [
{
"product": "autoconf",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "automake-native",
"layer": "meta",
"version": "1.16.5",
"products": [
{
"product": "automake",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2009-4029",
"summary": "The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4029"
},
{
"id": "CVE-2012-3386",
"summary": "The \"make distcheck\" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3386"
}
]
},
{
"name": "avahi",
"layer": "meta",
"version": "0.8",
"products": [
{
"product": "avahi",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2006-2288",
"summary": "Avahi before 0.6.10 allows local users to cause a denial of service (mDNS/DNS-SD service disconnect) via unspecified mDNS name conflicts.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2288"
},
{
"id": "CVE-2006-2289",
"summary": "Buffer overflow in avahi-core in Avahi before 0.6.10 allows local users to execute arbitrary code via unknown vectors.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2289"
},
{
"id": "CVE-2006-5461",
"summary": "Avahi before 0.6.15 does not verify the sender identity of netlink messages to ensure that they come from the kernel instead of another process, which allows local users to spoof network changes to Avahi.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5461"
},
{
"id": "CVE-2006-6870",
"summary": "The consume_labels function in avahi-core/dns.c in Avahi before 0.6.16 allows remote attackers to cause a denial of service (infinite loop) via a crafted compressed DNS response with a label that points to itself.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6870"
},
{
"id": "CVE-2007-3372",
"summary": "The Avahi daemon in Avahi before 0.6.20 allows attackers to cause a denial of service (exit) via empty TXT data over D-Bus, which triggers an assert error.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3372"
},
{
"id": "CVE-2008-5081",
"summary": "The originates_from_local_legacy_unicast_socket function (avahi-core/server.c) in avahi-daemon in Avahi before 0.6.24 allows remote attackers to cause a denial of service (crash) via a crafted mDNS packet with a source port of 0, which triggers an assertion failure.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5081"
},
{
"id": "CVE-2010-2244",
"summary": "The AvahiDnsPacket function in avahi-core/socket.c in avahi-daemon in Avahi 0.6.16 and 0.6.25 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNS packet with an invalid checksum followed by a DNS packet with a valid checksum, a different vulnerability than CVE-2008-5081.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2244"
},
{
"id": "CVE-2011-1002",
"summary": "avahi-core/socket.c in avahi-daemon in Avahi before 0.6.29 allows remote attackers to cause a denial of service (infinite loop) via an empty mDNS (1) IPv4 or (2) IPv6 UDP packet to port 5353. NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-2244.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1002"
},
{
"id": "CVE-2017-6519",
"summary": "avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) and may cause information leakage by obtaining potentially sensitive information from the responding device via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6519"
},
{
"id": "CVE-2021-26720",
"summary": "avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon. NOTE: this only affects the packaging for Debian GNU/Linux (used indirectly by SUSE), not the upstream Avahi product.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-26720",
"detail": "not-applicable-platform",
"description": "Issue only affects Debian/SUSE"
},
{
"id": "CVE-2021-3468",
"summary": "A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3468"
},
{
"id": "CVE-2021-3502",
"summary": "A flaw was found in avahi 0.8-5. A reachable assertion is present in avahi_s_host_name_resolver_start function allowing a local attacker to crash the avahi service by requesting hostname resolutions through the avahi socket or dbus methods for invalid hostnames. The highest threat from this vulnerability is to the service availability.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3502"
},
{
"id": "CVE-2023-1981",
"summary": "A vulnerability was found in the avahi library. This flaw allows an unprivileged user to make a dbus call, causing the avahi daemon to crash.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1981"
},
{
"id": "CVE-2023-38469",
"summary": "A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38469"
},
{
"id": "CVE-2023-38470",
"summary": "A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38470"
},
{
"id": "CVE-2023-38471",
"summary": "A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38471"
},
{
"id": "CVE-2023-38472",
"summary": "A vulnerability was found in Avahi. A reachable assertion exists in the avahi_rdata_parse() function.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38472"
},
{
"id": "CVE-2023-38473",
"summary": "A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38473"
}
]
},
{
"name": "babeltrace",
"layer": "meta",
"version": "1.5.11",
"products": [
{
"product": "babeltrace",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "babeltrace2",
"layer": "meta",
"version": "2.0.6",
"products": [
{
"product": "babeltrace2",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "base-files",
"layer": "meta",
"version": "3.0.14",
"products": [
{
"product": "base-files",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2018-6557",
"summary": "The MOTD update script in the base-files package in Ubuntu 18.04 LTS before 10.1ubuntu2.2, and Ubuntu 18.10 before 10.1ubuntu6 incorrectly handled temporary files. A local attacker could use this issue to cause a denial of service, or possibly escalate privileges if kernel symlink restrictions were disabled.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6557"
}
]
},
{
"name": "base-passwd",
"layer": "meta",
"version": "3.6.3",
"products": [
{
"product": "base-passwd",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "bash",
"layer": "meta",
"version": "5.2.21",
"products": [
{
"product": "bash",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-0491",
"summary": "The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0491"
},
{
"id": "CVE-1999-1383",
"summary": "(1) bash before 1.14.7, and (2) tcsh 6.05 allow local users to gain privileges via directory names that contain shell metacharacters (` back-tick), which can cause the commands enclosed in the directory name to be executed when the shell expands filenames using the \\w option in the PS1 variable.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1383"
},
{
"id": "CVE-2010-0002",
"summary": "The /etc/profile.d/60alias.sh script in the Mandriva bash package for Bash 2.05b, 3.0, 3.2, 3.2.48, and 4.0 enables the --show-control-chars option in LS_OPTIONS, which allows local users to send escape sequences to terminal emulators, or hide the existence of a file, via a crafted filename.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0002"
},
{
"id": "CVE-2012-3410",
"summary": "Stack-based buffer overflow in lib/sh/eaccess.c in GNU Bash before 4.2 patch 33 might allow local users to bypass intended restricted shell access via a long filename in /dev/fd, which is not properly handled when expanding the /dev/fd prefix.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3410"
},
{
"id": "CVE-2012-6711",
"summary": "A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the \"echo -e\" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6711"
},
{
"id": "CVE-2014-6271",
"summary": "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka \"ShellShock.\" NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-6271"
},
{
"id": "CVE-2014-6277",
"summary": "GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-6277"
},
{
"id": "CVE-2014-6278",
"summary": "GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-6278"
},
{
"id": "CVE-2014-7169",
"summary": "GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7169"
},
{
"id": "CVE-2014-7186",
"summary": "The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the \"redir_stack\" issue.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7186"
},
{
"id": "CVE-2014-7187",
"summary": "Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the \"word_lineno\" issue.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7187"
},
{
"id": "CVE-2016-0634",
"summary": "The expansion of '\\h' in the prompt string in bash 4.3 allows remote authenticated users to execute arbitrary code via shell metacharacters placed in 'hostname' of a machine.",
"scorev2": "6.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0634"
},
{
"id": "CVE-2016-7543",
"summary": "Bash before 4.4 allows local users to execute arbitrary commands with root privileges via crafted SHELLOPTS and PS4 environment variables.",
"scorev2": "7.2",
"scorev3": "8.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7543"
},
{
"id": "CVE-2016-9401",
"summary": "popd in bash might allow local users to bypass the restricted shell and cause a use-after-free via a crafted address.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9401"
},
{
"id": "CVE-2017-5932",
"summary": "The path autocompletion feature in Bash 4.4 allows local users to gain privileges via a crafted filename starting with a \" (double quote) character and a command substitution metacharacter.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5932"
},
{
"id": "CVE-2019-18276",
"summary": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18276"
},
{
"id": "CVE-2019-9924",
"summary": "rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9924"
},
{
"id": "CVE-2022-3715",
"summary": "A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3715"
}
]
},
{
"name": "bash-completion",
"layer": "meta",
"version": "2.12.0",
"products": [
{
"product": "bash-completion",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "bc",
"layer": "meta",
"version": "1.07.1",
"products": [
{
"product": "bc",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "bc-native",
"layer": "meta",
"version": "1.07.1",
"products": [
{
"product": "bc",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "binutils",
"layer": "meta",
"version": "2.42",
"products": [
{
"product": "binutils",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2005-4807",
"summary": "Stack-based buffer overflow in the as_bad function in messages.c in the GNU as (gas) assembler in Free Software Foundation GNU Binutils before 20050721 allows attackers to execute arbitrary code via a .c file with crafted inline assembly code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4807"
},
{
"id": "CVE-2005-4808",
"summary": "Buffer overflow in reset_vars in config/tc-crx.c in the GNU as (gas) assembler in Free Software Foundation GNU Binutils before 20050714 allows user-assisted attackers to have an unknown impact via a crafted .s file.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4808"
},
{
"id": "CVE-2006-2362",
"summary": "Buffer overflow in getsym in tekhex.c in libbfd in Free Software Foundation GNU Binutils before 20060423, as used by GNU strings, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a file with a crafted Tektronix Hex Format (TekHex) record in which the length character is not a valid hexadecimal character.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2362"
},
{
"id": "CVE-2012-3509",
"summary": "Multiple integer overflows in the (1) _objalloc_alloc function in objalloc.c and (2) objalloc_alloc macro in include/objalloc.h in GNU libiberty, as used by binutils 2.22, allow remote attackers to cause a denial of service (crash) via vectors related to the \"addition of CHUNK_HEADER_SIZE to the length,\" which triggers a heap-based buffer overflow.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3509"
},
{
"id": "CVE-2014-8484",
"summary": "The srec_scan function in bfd/srec.c in libdbfd in GNU binutils before 2.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a small S-record.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8484"
},
{
"id": "CVE-2014-8485",
"summary": "The setup_group function in bfd/elf.c in libbfd in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted section group headers in an ELF file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8485"
},
{
"id": "CVE-2014-8501",
"summary": "The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) and possibly have other unspecified impact via a crafted NumberOfRvaAndSizes field in the AOUT header in a PE executable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8501"
},
{
"id": "CVE-2014-8502",
"summary": "Heap-based buffer overflow in the pe_print_edata function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a truncated export table in a PE file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8502"
},
{
"id": "CVE-2014-8503",
"summary": "Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted ihex file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8503"
},
{
"id": "CVE-2014-8504",
"summary": "Stack-based buffer overflow in the srec_scan function in bfd/srec.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8504"
},
{
"id": "CVE-2014-8737",
"summary": "Multiple directory traversal vulnerabilities in GNU binutils 2.24 and earlier allow local users to delete arbitrary files via a .. (dot dot) or full path name in an archive to (1) strip or (2) objcopy or create arbitrary files via (3) a .. (dot dot) or full path name in an archive to ar.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8737"
},
{
"id": "CVE-2014-8738",
"summary": "The _bfd_slurp_extended_name_table function in bfd/archive.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (invalid write, segmentation fault, and crash) via a crafted extended name table in an archive.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8738"
},
{
"id": "CVE-2014-9939",
"summary": "ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing bad bytes in Intel Hex objects.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9939"
},
{
"id": "CVE-2017-12448",
"summary": "The bfd_cache_close function in bfd/cache.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a heap use after free and possibly achieve code execution via a crafted nested archive file. This issue occurs because incorrect functions are called during an attempt to release memory. The issue can be addressed by better input validation in the bfd_generic_archive_p function in bfd/archive.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12448"
},
{
"id": "CVE-2017-12449",
"summary": "The _bfd_vms_save_sized_string function in vms-misc.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12449"
},
{
"id": "CVE-2017-12450",
"summary": "The alpha_vms_object_p function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap write and possibly achieve code execution via a crafted vms alpha file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12450"
},
{
"id": "CVE-2017-12451",
"summary": "The _bfd_xcoff_read_ar_hdr function in bfd/coff-rs6000.c and bfd/coff64-rs6000.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds stack read via a crafted COFF image file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12451"
},
{
"id": "CVE-2017-12452",
"summary": "The bfd_mach_o_i386_canonicalize_one_reloc function in bfd/mach-o-i386.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted mach-o file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12452"
},
{
"id": "CVE-2017-12453",
"summary": "The _bfd_vms_slurp_eeom function in libbfd.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12453"
},
{
"id": "CVE-2017-12454",
"summary": "The _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an arbitrary memory read via a crafted vms alpha file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12454"
},
{
"id": "CVE-2017-12455",
"summary": "The evax_bfd_print_emh function in vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12455"
},
{
"id": "CVE-2017-12456",
"summary": "The read_symbol_stabs_debugging_info function in rddbg.c in GNU Binutils 2.29 and earlier allows remote attackers to cause an out of bounds heap read via a crafted binary file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12456"
},
{
"id": "CVE-2017-12457",
"summary": "The bfd_make_section_with_flags function in section.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a NULL dereference via a crafted file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12457"
},
{
"id": "CVE-2017-12458",
"summary": "The nlm_swap_auxiliary_headers_in function in bfd/nlmcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted nlm file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12458"
},
{
"id": "CVE-2017-12459",
"summary": "The bfd_mach_o_read_symtab_strtab function in bfd/mach-o.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap write and possibly achieve code execution via a crafted mach-o file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12459"
},
{
"id": "CVE-2017-12799",
"summary": "The elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12799"
},
{
"id": "CVE-2017-12967",
"summary": "The getsym function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a malformed tekhex binary.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12967"
},
{
"id": "CVE-2017-13710",
"summary": "The setup_group function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a group section that is too small.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13710"
},
{
"id": "CVE-2017-13716",
"summary": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13716"
},
{
"id": "CVE-2017-13757",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the PLT section size, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to elf_i386_get_synthetic_symtab in elf32-i386.c and elf_x86_64_get_synthetic_symtab in elf64-x86-64.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13757"
},
{
"id": "CVE-2017-14128",
"summary": "The decode_line_info function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (read_1_byte heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14128"
},
{
"id": "CVE-2017-14129",
"summary": "The read_section function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (parse_comp_unit heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14129"
},
{
"id": "CVE-2017-14130",
"summary": "The _bfd_elf_parse_attributes function in elf-attrs.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (_bfd_elf_attr_strdup heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14130"
},
{
"id": "CVE-2017-14333",
"summary": "The process_version_sections function in readelf.c in GNU Binutils 2.29 allows attackers to cause a denial of service (Integer Overflow, and hang because of a time-consuming loop) or possibly have unspecified other impact via a crafted binary file with invalid values of ent.vn_next, during \"readelf -a\" execution.",
"scorev2": "4.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14333"
},
{
"id": "CVE-2017-14529",
"summary": "The pe_print_idata function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles HintName vector entries, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted PE file, related to the bfd_getl16 function.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14529"
},
{
"id": "CVE-2017-14729",
"summary": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, do not ensure a unique PLT entry for a symbol, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14729"
},
{
"id": "CVE-2017-14745",
"summary": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1 value as a sorting count instead of an error flag, which allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14745"
},
{
"id": "CVE-2017-14930",
"summary": "Memory leak in decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14930"
},
{
"id": "CVE-2017-14932",
"summary": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14932"
},
{
"id": "CVE-2017-14933",
"summary": "read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14933"
},
{
"id": "CVE-2017-14934",
"summary": "process_debug_info in dwarf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file that contains a negative size value in a CU structure.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14934"
},
{
"id": "CVE-2017-14938",
"summary": "_bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14938"
},
{
"id": "CVE-2017-14939",
"summary": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles a length calculation, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to read_1_byte.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14939"
},
{
"id": "CVE-2017-14940",
"summary": "scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14940"
},
{
"id": "CVE-2017-14974",
"summary": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandle the failure of a certain canonicalization step, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14974"
},
{
"id": "CVE-2017-15020",
"summary": "dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles pointers, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file, related to parse_die and parse_line_table, as demonstrated by a parse_die heap-based buffer over-read.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15020"
},
{
"id": "CVE-2017-15021",
"summary": "bfd_get_debug_link_info_1 in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to bfd_getl32.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15021"
},
{
"id": "CVE-2017-15022",
"summary": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the DW_AT_name data type, which allows remote attackers to cause a denial of service (bfd_hash_hash NULL pointer dereference, or out-of-bounds access, and application crash) via a crafted ELF file, related to scan_unit_for_symbols and parse_comp_unit.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15022"
},
{
"id": "CVE-2017-15023",
"summary": "read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not properly validate the format count, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15023"
},
{
"id": "CVE-2017-15024",
"summary": "find_abstract_instance_name in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15024"
},
{
"id": "CVE-2017-15025",
"summary": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15025"
},
{
"id": "CVE-2017-15225",
"summary": "_bfd_dwarf2_cleanup_debug_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory leak) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15225"
},
{
"id": "CVE-2017-15938",
"summary": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in the case of a relocatable object file, which allows remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15938"
},
{
"id": "CVE-2017-15939",
"summary": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line file table, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. NOTE: this issue is caused by an incomplete fix for CVE-2017-15023.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15939"
},
{
"id": "CVE-2017-15996",
"summary": "elfcomm.c in readelf in GNU Binutils 2.29 allows remote attackers to cause a denial of service (excessive memory allocation) or possibly have unspecified other impact via a crafted ELF file that triggers a \"buffer overflow on fuzzed archive header,\" related to an uninitialized variable, an improper conditional jump, and the get_archive_member_name, process_archive_index_and_symbols, and setup_archive functions.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15996"
},
{
"id": "CVE-2017-16826",
"summary": "The coff_slurp_line_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted PE file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16826"
},
{
"id": "CVE-2017-16827",
"summary": "The aout_get_external_symbols function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (slurp_symtab invalid free and application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16827"
},
{
"id": "CVE-2017-16828",
"summary": "The display_debug_frames function in dwarf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (integer overflow and heap-based buffer over-read, and application crash) or possibly have unspecified other impact via a crafted ELF file, related to print_debug_frame.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16828"
},
{
"id": "CVE-2017-16829",
"summary": "The _bfd_elf_parse_gnu_properties function in elf-properties.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not prevent negative pointers, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16829"
},
{
"id": "CVE-2017-16830",
"summary": "The print_gnu_property_note function in readelf.c in GNU Binutils 2.29.1 does not have integer-overflow protection on 32-bit platforms, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16830"
},
{
"id": "CVE-2017-16831",
"summary": "coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate the symbol count, which allows remote attackers to cause a denial of service (integer overflow and application crash, or excessive memory allocation) or possibly have unspecified other impact via a crafted PE file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16831"
},
{
"id": "CVE-2017-16832",
"summary": "The pe_bfd_read_buildid function in peicode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate size and offset values in the data dictionary, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted PE file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16832"
},
{
"id": "CVE-2017-17080",
"summary": "elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate sizes of core notes, which allows remote attackers to cause a denial of service (bfd_getl32 heap-based buffer over-read and application crash) via a crafted object file, related to elfcore_grok_netbsd_procinfo, elfcore_grok_openbsd_procinfo, and elfcore_grok_nto_status.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17080"
},
{
"id": "CVE-2017-17121",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (memory access violation) or possibly have unspecified other impact via a COFF binary in which a relocation refers to a location after the end of the to-be-relocated section.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17121"
},
{
"id": "CVE-2017-17122",
"summary": "The dump_relocs_in_section function in objdump.c in GNU Binutils 2.29.1 does not check for reloc count integer overflows, which allows remote attackers to cause a denial of service (excessive memory allocation, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PE file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17122"
},
{
"id": "CVE-2017-17123",
"summary": "The coff_slurp_reloc_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted COFF based file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17123"
},
{
"id": "CVE-2017-17124",
"summary": "The _bfd_coff_read_string_table function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not properly validate the size of the external string table, which allows remote attackers to cause a denial of service (excessive memory consumption, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted COFF binary.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17124"
},
{
"id": "CVE-2017-17125",
"summary": "nm.c and objdump.c in GNU Binutils 2.29.1 mishandle certain global symbols, which allows remote attackers to cause a denial of service (_bfd_elf_get_symbol_version_string buffer over-read and application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17125"
},
{
"id": "CVE-2017-17126",
"summary": "The load_debug_section function in readelf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via an ELF file that lacks section headers.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17126"
},
{
"id": "CVE-2017-6965",
"summary": "readelf in GNU Binutils 2.28 writes to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6965"
},
{
"id": "CVE-2017-6966",
"summary": "readelf in GNU Binutils 2.28 has a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6966"
},
{
"id": "CVE-2017-6969",
"summary": "readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6969"
},
{
"id": "CVE-2017-7209",
"summary": "The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7209"
},
{
"id": "CVE-2017-7210",
"summary": "objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7210"
},
{
"id": "CVE-2017-7223",
"summary": "GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow (of size 1) while attempting to unget an EOF character from the input stream, potentially leading to a program crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7223"
},
{
"id": "CVE-2017-7224",
"summary": "The find_nearest_line function in objdump in GNU Binutils 2.28 is vulnerable to an invalid write (of size 1) while disassembling a corrupt binary that contains an empty function name, leading to a program crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7224"
},
{
"id": "CVE-2017-7225",
"summary": "The find_nearest_line function in addr2line in GNU Binutils 2.28 does not handle the case where the main file name and the directory name are both empty, triggering a NULL pointer dereference and an invalid write, and leading to a program crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7225"
},
{
"id": "CVE-2017-7226",
"summary": "The pe_ILF_object_p function in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a heap-based buffer over-read of size 4049 because it uses the strlen function instead of strnlen, leading to program crashes in several utilities such as addr2line, size, and strings. It could lead to information disclosure as well.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7226"
},
{
"id": "CVE-2017-7227",
"summary": "GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer overflow while processing a bogus input script, leading to a program crash. This relates to lack of '\\0' termination of a name field in ldlex.l.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7227"
},
{
"id": "CVE-2017-7299",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link function in bfd/elflink.c) does not check the format of the input file before trying to read the ELF reloc section header. The vulnerability leads to a GNU linker (ld) program crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7299"
},
{
"id": "CVE-2017-7300",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a heap-based buffer over-read (off-by-one) because of an incomplete check for invalid string offsets while loading symbols, leading to a GNU linker (ld) program crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7300"
},
{
"id": "CVE-2017-7301",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one vulnerability because it does not carefully check the string offset. The vulnerability could lead to a GNU linker (ld) program crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7301"
},
{
"id": "CVE-2017-7302",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid read (of size 4) because of missing checks for relocs that could not be recognised. This vulnerability causes Binutils utilities like strip to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7302"
},
{
"id": "CVE-2017-7303",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 4) because of missing a check (in the find_link function) for null headers before attempting to match them. This vulnerability causes Binutils utilities like strip to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7303"
},
{
"id": "CVE-2017-7304",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. This vulnerability causes Binutils utilities like strip to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7304"
},
{
"id": "CVE-2017-7614",
"summary": "elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a \"member access within null pointer\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an \"int main() {return 0;}\" program.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7614"
},
{
"id": "CVE-2017-8392",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8392"
},
{
"id": "CVE-2017-8393",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a global buffer over-read error because of an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy and strip, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8393"
},
{
"id": "CVE-2017-8394",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of _bfd_elf_large_com_section. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8394"
},
{
"id": "CVE-2017-8395",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8395"
},
{
"id": "CVE-2017-8396",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8396"
},
{
"id": "CVE-2017-8397",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an invalid write of size 1 during processing of a corrupt binary containing reloc(s) with negative addresses. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8397"
},
{
"id": "CVE-2017-8398",
"summary": "dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary. This vulnerability causes programs that conduct an analysis of binary programs, such as objdump and readelf, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8398"
},
{
"id": "CVE-2017-8421",
"summary": "The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file. Additional validation in dump_relocs_in_section in objdump.c can resolve this.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8421"
},
{
"id": "CVE-2017-9038",
"summary": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to the byte_get_little_endian function in elfcomm.c, the get_unwind_section_word function in readelf.c, and ARM unwind information that contains invalid word offsets.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9038"
},
{
"id": "CVE-2017-9039",
"summary": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file with many program headers, related to the get_program_headers function in readelf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9039"
},
{
"id": "CVE-2017-9040",
"summary": "GNU Binutils 2017-04-03 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash), related to the process_mips_specific function in readelf.c, via a crafted ELF file that triggers a large memory-allocation attempt.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9040"
},
{
"id": "CVE-2017-9041",
"summary": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to MIPS GOT mishandling in the process_mips_specific function in readelf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9041"
},
{
"id": "CVE-2017-9042",
"summary": "readelf.c in GNU Binutils 2017-04-12 has a \"cannot be represented in type long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9042"
},
{
"id": "CVE-2017-9043",
"summary": "readelf.c in GNU Binutils 2017-04-12 has a \"shift exponent too large for type unsigned long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9043"
},
{
"id": "CVE-2017-9044",
"summary": "The print_symbol_for_build_attribute function in readelf.c in GNU Binutils 2017-04-12 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9044"
},
{
"id": "CVE-2017-9742",
"summary": "The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9742"
},
{
"id": "CVE-2017-9743",
"summary": "The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9743"
},
{
"id": "CVE-2017-9744",
"summary": "The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9744"
},
{
"id": "CVE-2017-9745",
"summary": "The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9745"
},
{
"id": "CVE-2017-9746",
"summary": "The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9746"
},
{
"id": "CVE-2017-9747",
"summary": "The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9747"
},
{
"id": "CVE-2017-9748",
"summary": "The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9748"
},
{
"id": "CVE-2017-9749",
"summary": "The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9749"
},
{
"id": "CVE-2017-9750",
"summary": "opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain scale arrays, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9750"
},
{
"id": "CVE-2017-9751",
"summary": "opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9751"
},
{
"id": "CVE-2017-9752",
"summary": "bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file in the _bfd_vms_get_value and _bfd_vms_slurp_etir functions during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9752"
},
{
"id": "CVE-2017-9753",
"summary": "The versados_mkobject function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not initialize a certain data structure, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9753"
},
{
"id": "CVE-2017-9754",
"summary": "The process_otr function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not validate a certain offset, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9754"
},
{
"id": "CVE-2017-9755",
"summary": "opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9755"
},
{
"id": "CVE-2017-9756",
"summary": "The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9756"
},
{
"id": "CVE-2017-9954",
"summary": "The getvalue function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted tekhex file, as demonstrated by mishandling within the nm program.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9954"
},
{
"id": "CVE-2017-9955",
"summary": "The get_build_id function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file in which a certain size field is larger than a corresponding data field, as demonstrated by mishandling within the objdump program.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9955"
},
{
"id": "CVE-2018-1000876",
"summary": "binutils version 2.32 and earlier contains a Integer Overflow vulnerability in objdump, bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc that can result in Integer overflow trigger heap overflow. Successful exploitation allows execution of arbitrary code.. This attack appear to be exploitable via Local. This vulnerability appears to have been fixed in after commit 3a551c7a1b80fca579461774860574eabfd7f18f.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000876"
},
{
"id": "CVE-2018-10372",
"summary": "process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted binary file, as demonstrated by readelf.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10372"
},
{
"id": "CVE-2018-10373",
"summary": "concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by nm-new.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10373"
},
{
"id": "CVE-2018-10534",
"summary": "The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, processes a negative Data Directory size with an unbounded loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceeds its own memory region, resulting in an out-of-bounds memory write, as demonstrated by objcopy copying private info with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10534"
},
{
"id": "CVE-2018-10535",
"summary": "The ignore_section_sym function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, does not validate the output_section pointer in the case of a symtab entry with a \"SECTION\" type that has a \"0\" value, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file, as demonstrated by objcopy.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10535"
},
{
"id": "CVE-2018-12641",
"summary": "An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type, do_type, do_arg, demangle_args, and demangle_nested_args. This can occur during execution of nm-new.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12641"
},
{
"id": "CVE-2018-12697",
"summary": "A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12697"
},
{
"id": "CVE-2018-12698",
"summary": "demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the \"Create an array for saving the template argument values\" XNEWVEC call. This can occur during execution of objdump.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12698"
},
{
"id": "CVE-2018-12699",
"summary": "finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12699"
},
{
"id": "CVE-2018-12934",
"summary": "remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM). This can occur during execution of cxxfilt.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12934"
},
{
"id": "CVE-2018-13033",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file, as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c. This can occur during execution of nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13033"
},
{
"id": "CVE-2018-17358",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in _bfd_stab_section_find_nearest_line in syms.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17358"
},
{
"id": "CVE-2018-17359",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in bfd_zalloc in opncls.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17359"
},
{
"id": "CVE-2018-17360",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. a heap-based buffer over-read in bfd_getl32 in libbfd.c allows an attacker to cause a denial of service through a crafted PE file. This vulnerability can be triggered by the executable objdump.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17360"
},
{
"id": "CVE-2018-17794",
"summary": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in work_stuff_copy_to_from when called from iterate_demangle_function.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17794"
},
{
"id": "CVE-2018-17985",
"summary": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption problem caused by the cplus_demangle_type function making recursive calls to itself in certain scenarios involving many 'P' characters.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17985"
},
{
"id": "CVE-2018-18309",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory address dereference was discovered in read_reloc in reloc.c. The vulnerability causes a segmentation fault and application crash, which leads to denial of service, as demonstrated by objdump, because of missing _bfd_clear_contents bounds checking.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18309"
},
{
"id": "CVE-2018-18483",
"summary": "The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote attackers to cause a denial of service (malloc called with the result of an integer-overflowing calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by c++filt.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18483"
},
{
"id": "CVE-2018-18484",
"summary": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18484"
},
{
"id": "CVE-2018-18605",
"summary": "A heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, because _bfd_add_merge_section mishandles section merges when size is not a multiple of entsize. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18605"
},
{
"id": "CVE-2018-18606",
"summary": "An issue was discovered in the merge_strings function in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18606"
},
{
"id": "CVE-2018-18607",
"summary": "An issue was discovered in elf_link_input_bfd in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18607"
},
{
"id": "CVE-2018-18700",
"summary": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions d_name(), d_encoding(), and d_local_name() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18700"
},
{
"id": "CVE-2018-18701",
"summary": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions next_is_type_qual() and cplus_demangle_type() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18701"
},
{
"id": "CVE-2018-19931",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h because the number of program headers is not restricted.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19931"
},
{
"id": "CVE-2018-19932",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA macro in elf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19932"
},
{
"id": "CVE-2018-20002",
"summary": "The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a denial of service (memory consumption), as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20002"
},
{
"id": "CVE-2018-20623",
"summary": "In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20623"
},
{
"id": "CVE-2018-20651",
"summary": "A NULL pointer dereference was discovered in elf_link_add_object_symbols in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31.1. This occurs for a crafted ET_DYN with no program headers. A specially crafted ELF file allows remote attackers to cause a denial of service, as demonstrated by ld.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20651"
},
{
"id": "CVE-2018-20657",
"summary": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20657"
},
{
"id": "CVE-2018-20671",
"summary": "load_specific_debug_section in objdump.c in GNU Binutils through 2.31.1 contains an integer overflow vulnerability that can trigger a heap-based buffer overflow via a crafted section size.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20671"
},
{
"id": "CVE-2018-20673",
"summary": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20673"
},
{
"id": "CVE-2018-20712",
"summary": "A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20712"
},
{
"id": "CVE-2018-6323",
"summary": "The elf_object_p function in elfcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, has an unsigned integer overflow because bfd_size_type multiplication is not used. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6323"
},
{
"id": "CVE-2018-6543",
"summary": "In GNU Binutils 2.30, there's an integer overflow in the function load_specific_debug_section() in objdump.c, which results in `malloc()` with 0 size. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6543"
},
{
"id": "CVE-2018-6759",
"summary": "The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation. Remote attackers could leverage this vulnerability to cause a denial of service (segmentation fault) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6759"
},
{
"id": "CVE-2018-6872",
"summary": "The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (out-of-bounds read and segmentation violation) via a note with a large alignment.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6872"
},
{
"id": "CVE-2018-7208",
"summary": "In the coff_pointerize_aux function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, an index is not validated, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted file, as demonstrated by objcopy of a COFF object.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7208"
},
{
"id": "CVE-2018-7568",
"summary": "The parse_die function in dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (integer overflow and application crash) via an ELF file with corrupt dwarf1 debug information, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7568"
},
{
"id": "CVE-2018-7569",
"summary": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (integer underflow or overflow, and application crash) via an ELF file with a corrupt DWARF FORM block, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7569"
},
{
"id": "CVE-2018-7570",
"summary": "The assign_file_positions_for_non_load_sections function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an ELF file with a RELRO segment that lacks a matching LOAD segment, as demonstrated by objcopy.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7570"
},
{
"id": "CVE-2018-7642",
"summary": "The swap_std_reloc_in function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (aout_32_swap_std_reloc_out NULL pointer dereference and application crash) via a crafted ELF file, as demonstrated by objcopy.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7642"
},
{
"id": "CVE-2018-7643",
"summary": "The display_debug_ranges function in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, as demonstrated by objdump.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7643"
},
{
"id": "CVE-2018-8945",
"summary": "The bfd_section_from_shdr function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (segmentation fault) via a large attribute section.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8945"
},
{
"id": "CVE-2018-9138",
"summary": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.29 and 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_nested_args, demangle_args, do_arg, and do_type.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9138"
},
{
"id": "CVE-2018-9996",
"summary": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9996"
},
{
"id": "CVE-2019-1010204",
"summary": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010204"
},
{
"id": "CVE-2019-12972",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. There is a heap-based buffer over-read in _bfd_doprnt in bfd.c because elf_object_p in elfcode.h mishandles an e_shstrndx section of type SHT_GROUP by omitting a trailing '\\0' character.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12972"
},
{
"id": "CVE-2019-14250",
"summary": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14250"
},
{
"id": "CVE-2019-14444",
"summary": "apply_relocations in readelf.c in GNU Binutils 2.32 contains an integer overflow that allows attackers to trigger a write access violation (in byte_put_little_endian function in elfcomm.c) via an ELF file, as demonstrated by readelf.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14444"
},
{
"id": "CVE-2019-17450",
"summary": "find_abstract_instance in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17450"
},
{
"id": "CVE-2019-17451",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line in dwarf2.c, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17451"
},
{
"id": "CVE-2019-9070",
"summary": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a heap-based buffer over-read in d_expression_1 in cp-demangle.c after many recursive calls.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9070"
},
{
"id": "CVE-2019-9071",
"summary": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a stack consumption issue in d_count_templates_scopes in cp-demangle.c after many recursive calls.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9071"
},
{
"id": "CVE-2019-9072",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in setup_group in elf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9072"
},
{
"id": "CVE-2019-9073",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in _bfd_elf_slurp_version_tables in elf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9073"
},
{
"id": "CVE-2019-9074",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an out-of-bounds read leading to a SEGV in bfd_getl32 in libbfd.c, when called from pex64_get_runtime_function in pei-x86_64.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9074"
},
{
"id": "CVE-2019-9075",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9075"
},
{
"id": "CVE-2019-9076",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in elf_read_notes in elf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9076"
},
{
"id": "CVE-2019-9077",
"summary": "An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer overflow in process_mips_specific in readelf.c via a malformed MIPS option section.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9077"
},
{
"id": "CVE-2020-16590",
"summary": "A double free vulnerability exists in the Binary File Descriptor (BFD) (aka libbrd) in GNU Binutils 2.35 in the process_symbol_table, as demonstrated in readelf, via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16590"
},
{
"id": "CVE-2020-16591",
"summary": "A Denial of Service vulnerability exists in the Binary File Descriptor (BFD) in GNU Binutils 2.35 due to an invalid read in process_symbol_table, as demonstrated in readeif.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16591"
},
{
"id": "CVE-2020-16592",
"summary": "A use after free issue exists in the Binary File Descriptor (BFD) library (aka libbfd) in GNU Binutils 2.34 in bfd_hash_lookup, as demonstrated in nm-new, that can cause a denial of service via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16592"
},
{
"id": "CVE-2020-16593",
"summary": "A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in scan_unit_for_symbols, as demonstrated in addr2line, that can cause a denial of service via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16593"
},
{
"id": "CVE-2020-16599",
"summary": "A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in _bfd_elf_get_symbol_version_string, as demonstrated in nm-new, that can cause a denial of service via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16599"
},
{
"id": "CVE-2020-19724",
"summary": "A memory consumption issue in get_data function in binutils/nm.c in GNU nm before 2.34 allows attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19724"
},
{
"id": "CVE-2020-19726",
"summary": "An issue was discovered in binutils libbfd.c 2.36 relating to the auxiliary symbol data allows attackers to read or write to system memory or cause a denial of service.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19726"
},
{
"id": "CVE-2020-21490",
"summary": "An issue was discovered in GNU Binutils 2.34. It is a memory leak when process microblaze-dis.c. This one will consume memory on each insn disassembled.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-21490"
},
{
"id": "CVE-2020-35342",
"summary": "GNU Binutils before 2.34 has an uninitialized-heap vulnerability in function tic4x_print_cond (file opcodes/tic4x-dis.c) which could allow attackers to make an information leak.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35342"
},
{
"id": "CVE-2020-35448",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. A heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section in elf.c.",
"scorev2": "4.3",
"scorev3": "3.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35448"
},
{
"id": "CVE-2020-35493",
"summary": "A flaw exists in binutils in bfd/pef.c. An attacker who is able to submit a crafted PEF file to be parsed by objdump could cause a heap buffer overflow -> out-of-bounds read that could lead to an impact to application availability. This flaw affects binutils versions prior to 2.34.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35493"
},
{
"id": "CVE-2020-35494",
"summary": "There's a flaw in binutils /opcodes/tic4x-dis.c. An attacker who is able to submit a crafted input file to be processed by binutils could cause usage of uninitialized memory. The highest threat is to application availability with a lower threat to data confidentiality. This flaw affects binutils versions prior to 2.34.",
"scorev2": "5.8",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35494"
},
{
"id": "CVE-2020-35495",
"summary": "There's a flaw in binutils /bfd/pef.c. An attacker who is able to submit a crafted input file to be processed by the objdump program could cause a null pointer dereference. The greatest threat from this flaw is to application availability. This flaw affects binutils versions prior to 2.34.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35495"
},
{
"id": "CVE-2020-35496",
"summary": "There's a flaw in bfd_pef_scan_start_address() of bfd/pef.c in binutils which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability. This flaw affects binutils versions prior to 2.34.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35496"
},
{
"id": "CVE-2020-35507",
"summary": "There's a flaw in bfd_pef_parse_function_stubs of bfd/pef.c in binutils in versions prior to 2.34 which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35507"
},
{
"id": "CVE-2021-20197",
"summary": "There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink.",
"scorev2": "3.3",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20197"
},
{
"id": "CVE-2021-20284",
"summary": "A flaw was found in GNU Binutils 2.35.1, where there is a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c due to the number of symbols not calculated correctly. The highest threat from this vulnerability is to system availability.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20284"
},
{
"id": "CVE-2021-20294",
"summary": "A flaw was found in binutils readelf 2.35 program. An attacker who is able to convince a victim using readelf to read a crafted file could trigger a stack buffer overflow, out-of-bounds write of arbitrary data supplied by the attacker. The highest impact of this flaw is to confidentiality, integrity, and availability.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20294"
},
{
"id": "CVE-2021-32256",
"summary": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-32256"
},
{
"id": "CVE-2021-3530",
"summary": "A flaw was discovered in GNU libiberty within demangle_path() in rust-demangle.c, as distributed in GNU Binutils version 2.36. A crafted symbol can cause stack memory to be exhausted leading to a crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3530"
},
{
"id": "CVE-2021-3549",
"summary": "An out of bounds flaw was found in GNU binutils objdump utility version 2.36. An attacker could use this flaw and pass a large section to avr_elf32_load_records_from_section() probably resulting in a crash or in some cases memory corruption. The highest threat from this vulnerability is to integrity as well as system availability.",
"scorev2": "5.8",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3549"
},
{
"id": "CVE-2021-37322",
"summary": "GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37322"
},
{
"id": "CVE-2021-45078",
"summary": "stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45078"
},
{
"id": "CVE-2021-46174",
"summary": "Heap-based Buffer Overflow in function bfd_getl32 in Binutils objdump 3.37.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46174"
},
{
"id": "CVE-2022-35205",
"summary": "An issue was discovered in Binutils readelf 2.38.50, reachable assertion failure in function display_debug_names allows attackers to cause a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35205"
},
{
"id": "CVE-2022-35206",
"summary": "Null pointer dereference vulnerability in Binutils readelf 2.38.50 via function read_and_display_attr_value in file dwarf.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35206"
},
{
"id": "CVE-2022-38533",
"summary": "In GNU Binutils before 2.40, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-38533"
},
{
"id": "CVE-2022-4285",
"summary": "An illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4285"
},
{
"id": "CVE-2022-44840",
"summary": "Heap buffer overflow vulnerability in binutils readelf before 2.40 via function find_section_in_set in file readelf.c.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-44840"
},
{
"id": "CVE-2022-45703",
"summary": "Heap buffer overflow vulnerability in binutils readelf before 2.40 via function display_debug_section in file readelf.c.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45703"
},
{
"id": "CVE-2022-47007",
"summary": "An issue was discovered function stab_demangle_v3_arg in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47007"
},
{
"id": "CVE-2022-47008",
"summary": "An issue was discovered function make_tempdir, and make_tempname in bucomm.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47008"
},
{
"id": "CVE-2022-47010",
"summary": "An issue was discovered function pr_function_type in prdbg.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47010"
},
{
"id": "CVE-2022-47011",
"summary": "An issue was discovered function parse_stab_struct_fields in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47011"
},
{
"id": "CVE-2022-47673",
"summary": "An issue was discovered in Binutils addr2line before 2.39.3, function parse_module contains multiple out of bound reads which may cause a denial of service or other unspecified impacts.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47673"
},
{
"id": "CVE-2022-47695",
"summary": "An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function bfd_mach_o_get_synthetic_symtab in match-o.c.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47695"
},
{
"id": "CVE-2022-47696",
"summary": "An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function compare_symbols.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47696"
},
{
"id": "CVE-2022-48063",
"summary": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function load_separate_debug_files at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48063"
},
{
"id": "CVE-2022-48064",
"summary": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064"
},
{
"id": "CVE-2022-48065",
"summary": "GNU Binutils before 2.40 was discovered to contain a memory leak vulnerability var the function find_abstract_instance in dwarf2.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48065"
},
{
"id": "CVE-2023-1579",
"summary": "Heap based buffer overflow in binutils-gdb/bfd/libbfd.c in bfd_getl64.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1579"
},
{
"id": "CVE-2023-1972",
"summary": "A potential heap based buffer overflow was found in _bfd_elf_slurp_version_tables() in bfd/elf.c. This may lead to loss of availability.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1972"
},
{
"id": "CVE-2023-25584",
"summary": "An out-of-bounds read flaw was found in the parse_module function in bfd/vms-alpha.c in Binutils.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25584",
"detail": "cpe-incorrect",
"description": "Applies only for version 2.40 and earlier"
},
{
"id": "CVE-2023-25585",
"summary": "A flaw was found in Binutils. The use of an uninitialized field in the struct module *module may lead to application crash and local denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25585"
},
{
"id": "CVE-2023-25586",
"summary": "A flaw was found in Binutils. A logic fail in the bfd_init_section_decompress_status function may lead to the use of an uninitialized variable that can cause a crash and local denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25586"
},
{
"id": "CVE-2023-25588",
"summary": "A flaw was found in Binutils. The field `the_bfd` of `asymbol`struct is uninitialized in the `bfd_mach_o_get_synthetic_symtab` function, which may lead to an application crash and local denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25588"
}
]
},
{
"name": "binutils-cross-aarch64",
"layer": "meta",
"version": "2.42",
"products": [
{
"product": "binutils",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2005-4807",
"summary": "Stack-based buffer overflow in the as_bad function in messages.c in the GNU as (gas) assembler in Free Software Foundation GNU Binutils before 20050721 allows attackers to execute arbitrary code via a .c file with crafted inline assembly code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4807"
},
{
"id": "CVE-2005-4808",
"summary": "Buffer overflow in reset_vars in config/tc-crx.c in the GNU as (gas) assembler in Free Software Foundation GNU Binutils before 20050714 allows user-assisted attackers to have an unknown impact via a crafted .s file.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4808"
},
{
"id": "CVE-2006-2362",
"summary": "Buffer overflow in getsym in tekhex.c in libbfd in Free Software Foundation GNU Binutils before 20060423, as used by GNU strings, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a file with a crafted Tektronix Hex Format (TekHex) record in which the length character is not a valid hexadecimal character.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2362"
},
{
"id": "CVE-2012-3509",
"summary": "Multiple integer overflows in the (1) _objalloc_alloc function in objalloc.c and (2) objalloc_alloc macro in include/objalloc.h in GNU libiberty, as used by binutils 2.22, allow remote attackers to cause a denial of service (crash) via vectors related to the \"addition of CHUNK_HEADER_SIZE to the length,\" which triggers a heap-based buffer overflow.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3509"
},
{
"id": "CVE-2014-8484",
"summary": "The srec_scan function in bfd/srec.c in libdbfd in GNU binutils before 2.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a small S-record.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8484"
},
{
"id": "CVE-2014-8485",
"summary": "The setup_group function in bfd/elf.c in libbfd in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted section group headers in an ELF file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8485"
},
{
"id": "CVE-2014-8501",
"summary": "The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) and possibly have other unspecified impact via a crafted NumberOfRvaAndSizes field in the AOUT header in a PE executable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8501"
},
{
"id": "CVE-2014-8502",
"summary": "Heap-based buffer overflow in the pe_print_edata function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a truncated export table in a PE file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8502"
},
{
"id": "CVE-2014-8503",
"summary": "Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted ihex file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8503"
},
{
"id": "CVE-2014-8504",
"summary": "Stack-based buffer overflow in the srec_scan function in bfd/srec.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8504"
},
{
"id": "CVE-2014-8737",
"summary": "Multiple directory traversal vulnerabilities in GNU binutils 2.24 and earlier allow local users to delete arbitrary files via a .. (dot dot) or full path name in an archive to (1) strip or (2) objcopy or create arbitrary files via (3) a .. (dot dot) or full path name in an archive to ar.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8737"
},
{
"id": "CVE-2014-8738",
"summary": "The _bfd_slurp_extended_name_table function in bfd/archive.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (invalid write, segmentation fault, and crash) via a crafted extended name table in an archive.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8738"
},
{
"id": "CVE-2014-9939",
"summary": "ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing bad bytes in Intel Hex objects.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9939"
},
{
"id": "CVE-2017-12448",
"summary": "The bfd_cache_close function in bfd/cache.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a heap use after free and possibly achieve code execution via a crafted nested archive file. This issue occurs because incorrect functions are called during an attempt to release memory. The issue can be addressed by better input validation in the bfd_generic_archive_p function in bfd/archive.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12448"
},
{
"id": "CVE-2017-12449",
"summary": "The _bfd_vms_save_sized_string function in vms-misc.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12449"
},
{
"id": "CVE-2017-12450",
"summary": "The alpha_vms_object_p function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap write and possibly achieve code execution via a crafted vms alpha file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12450"
},
{
"id": "CVE-2017-12451",
"summary": "The _bfd_xcoff_read_ar_hdr function in bfd/coff-rs6000.c and bfd/coff64-rs6000.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds stack read via a crafted COFF image file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12451"
},
{
"id": "CVE-2017-12452",
"summary": "The bfd_mach_o_i386_canonicalize_one_reloc function in bfd/mach-o-i386.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted mach-o file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12452"
},
{
"id": "CVE-2017-12453",
"summary": "The _bfd_vms_slurp_eeom function in libbfd.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12453"
},
{
"id": "CVE-2017-12454",
"summary": "The _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an arbitrary memory read via a crafted vms alpha file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12454"
},
{
"id": "CVE-2017-12455",
"summary": "The evax_bfd_print_emh function in vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12455"
},
{
"id": "CVE-2017-12456",
"summary": "The read_symbol_stabs_debugging_info function in rddbg.c in GNU Binutils 2.29 and earlier allows remote attackers to cause an out of bounds heap read via a crafted binary file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12456"
},
{
"id": "CVE-2017-12457",
"summary": "The bfd_make_section_with_flags function in section.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a NULL dereference via a crafted file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12457"
},
{
"id": "CVE-2017-12458",
"summary": "The nlm_swap_auxiliary_headers_in function in bfd/nlmcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted nlm file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12458"
},
{
"id": "CVE-2017-12459",
"summary": "The bfd_mach_o_read_symtab_strtab function in bfd/mach-o.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap write and possibly achieve code execution via a crafted mach-o file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12459"
},
{
"id": "CVE-2017-12799",
"summary": "The elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12799"
},
{
"id": "CVE-2017-12967",
"summary": "The getsym function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a malformed tekhex binary.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12967"
},
{
"id": "CVE-2017-13710",
"summary": "The setup_group function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a group section that is too small.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13710"
},
{
"id": "CVE-2017-13716",
"summary": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13716"
},
{
"id": "CVE-2017-13757",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the PLT section size, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to elf_i386_get_synthetic_symtab in elf32-i386.c and elf_x86_64_get_synthetic_symtab in elf64-x86-64.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13757"
},
{
"id": "CVE-2017-14128",
"summary": "The decode_line_info function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (read_1_byte heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14128"
},
{
"id": "CVE-2017-14129",
"summary": "The read_section function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (parse_comp_unit heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14129"
},
{
"id": "CVE-2017-14130",
"summary": "The _bfd_elf_parse_attributes function in elf-attrs.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (_bfd_elf_attr_strdup heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14130"
},
{
"id": "CVE-2017-14333",
"summary": "The process_version_sections function in readelf.c in GNU Binutils 2.29 allows attackers to cause a denial of service (Integer Overflow, and hang because of a time-consuming loop) or possibly have unspecified other impact via a crafted binary file with invalid values of ent.vn_next, during \"readelf -a\" execution.",
"scorev2": "4.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14333"
},
{
"id": "CVE-2017-14529",
"summary": "The pe_print_idata function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles HintName vector entries, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted PE file, related to the bfd_getl16 function.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14529"
},
{
"id": "CVE-2017-14729",
"summary": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, do not ensure a unique PLT entry for a symbol, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14729"
},
{
"id": "CVE-2017-14745",
"summary": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1 value as a sorting count instead of an error flag, which allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14745"
},
{
"id": "CVE-2017-14930",
"summary": "Memory leak in decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14930"
},
{
"id": "CVE-2017-14932",
"summary": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14932"
},
{
"id": "CVE-2017-14933",
"summary": "read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14933"
},
{
"id": "CVE-2017-14934",
"summary": "process_debug_info in dwarf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file that contains a negative size value in a CU structure.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14934"
},
{
"id": "CVE-2017-14938",
"summary": "_bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14938"
},
{
"id": "CVE-2017-14939",
"summary": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles a length calculation, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to read_1_byte.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14939"
},
{
"id": "CVE-2017-14940",
"summary": "scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14940"
},
{
"id": "CVE-2017-14974",
"summary": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandle the failure of a certain canonicalization step, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14974"
},
{
"id": "CVE-2017-15020",
"summary": "dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles pointers, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file, related to parse_die and parse_line_table, as demonstrated by a parse_die heap-based buffer over-read.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15020"
},
{
"id": "CVE-2017-15021",
"summary": "bfd_get_debug_link_info_1 in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to bfd_getl32.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15021"
},
{
"id": "CVE-2017-15022",
"summary": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the DW_AT_name data type, which allows remote attackers to cause a denial of service (bfd_hash_hash NULL pointer dereference, or out-of-bounds access, and application crash) via a crafted ELF file, related to scan_unit_for_symbols and parse_comp_unit.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15022"
},
{
"id": "CVE-2017-15023",
"summary": "read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not properly validate the format count, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15023"
},
{
"id": "CVE-2017-15024",
"summary": "find_abstract_instance_name in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15024"
},
{
"id": "CVE-2017-15025",
"summary": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15025"
},
{
"id": "CVE-2017-15225",
"summary": "_bfd_dwarf2_cleanup_debug_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory leak) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15225"
},
{
"id": "CVE-2017-15938",
"summary": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in the case of a relocatable object file, which allows remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15938"
},
{
"id": "CVE-2017-15939",
"summary": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line file table, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. NOTE: this issue is caused by an incomplete fix for CVE-2017-15023.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15939"
},
{
"id": "CVE-2017-15996",
"summary": "elfcomm.c in readelf in GNU Binutils 2.29 allows remote attackers to cause a denial of service (excessive memory allocation) or possibly have unspecified other impact via a crafted ELF file that triggers a \"buffer overflow on fuzzed archive header,\" related to an uninitialized variable, an improper conditional jump, and the get_archive_member_name, process_archive_index_and_symbols, and setup_archive functions.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15996"
},
{
"id": "CVE-2017-16826",
"summary": "The coff_slurp_line_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted PE file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16826"
},
{
"id": "CVE-2017-16827",
"summary": "The aout_get_external_symbols function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (slurp_symtab invalid free and application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16827"
},
{
"id": "CVE-2017-16828",
"summary": "The display_debug_frames function in dwarf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (integer overflow and heap-based buffer over-read, and application crash) or possibly have unspecified other impact via a crafted ELF file, related to print_debug_frame.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16828"
},
{
"id": "CVE-2017-16829",
"summary": "The _bfd_elf_parse_gnu_properties function in elf-properties.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not prevent negative pointers, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16829"
},
{
"id": "CVE-2017-16830",
"summary": "The print_gnu_property_note function in readelf.c in GNU Binutils 2.29.1 does not have integer-overflow protection on 32-bit platforms, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16830"
},
{
"id": "CVE-2017-16831",
"summary": "coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate the symbol count, which allows remote attackers to cause a denial of service (integer overflow and application crash, or excessive memory allocation) or possibly have unspecified other impact via a crafted PE file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16831"
},
{
"id": "CVE-2017-16832",
"summary": "The pe_bfd_read_buildid function in peicode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate size and offset values in the data dictionary, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted PE file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16832"
},
{
"id": "CVE-2017-17080",
"summary": "elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate sizes of core notes, which allows remote attackers to cause a denial of service (bfd_getl32 heap-based buffer over-read and application crash) via a crafted object file, related to elfcore_grok_netbsd_procinfo, elfcore_grok_openbsd_procinfo, and elfcore_grok_nto_status.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17080"
},
{
"id": "CVE-2017-17121",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (memory access violation) or possibly have unspecified other impact via a COFF binary in which a relocation refers to a location after the end of the to-be-relocated section.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17121"
},
{
"id": "CVE-2017-17122",
"summary": "The dump_relocs_in_section function in objdump.c in GNU Binutils 2.29.1 does not check for reloc count integer overflows, which allows remote attackers to cause a denial of service (excessive memory allocation, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PE file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17122"
},
{
"id": "CVE-2017-17123",
"summary": "The coff_slurp_reloc_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted COFF based file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17123"
},
{
"id": "CVE-2017-17124",
"summary": "The _bfd_coff_read_string_table function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not properly validate the size of the external string table, which allows remote attackers to cause a denial of service (excessive memory consumption, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted COFF binary.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17124"
},
{
"id": "CVE-2017-17125",
"summary": "nm.c and objdump.c in GNU Binutils 2.29.1 mishandle certain global symbols, which allows remote attackers to cause a denial of service (_bfd_elf_get_symbol_version_string buffer over-read and application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17125"
},
{
"id": "CVE-2017-17126",
"summary": "The load_debug_section function in readelf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via an ELF file that lacks section headers.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17126"
},
{
"id": "CVE-2017-6965",
"summary": "readelf in GNU Binutils 2.28 writes to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6965"
},
{
"id": "CVE-2017-6966",
"summary": "readelf in GNU Binutils 2.28 has a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6966"
},
{
"id": "CVE-2017-6969",
"summary": "readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6969"
},
{
"id": "CVE-2017-7209",
"summary": "The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7209"
},
{
"id": "CVE-2017-7210",
"summary": "objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7210"
},
{
"id": "CVE-2017-7223",
"summary": "GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow (of size 1) while attempting to unget an EOF character from the input stream, potentially leading to a program crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7223"
},
{
"id": "CVE-2017-7224",
"summary": "The find_nearest_line function in objdump in GNU Binutils 2.28 is vulnerable to an invalid write (of size 1) while disassembling a corrupt binary that contains an empty function name, leading to a program crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7224"
},
{
"id": "CVE-2017-7225",
"summary": "The find_nearest_line function in addr2line in GNU Binutils 2.28 does not handle the case where the main file name and the directory name are both empty, triggering a NULL pointer dereference and an invalid write, and leading to a program crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7225"
},
{
"id": "CVE-2017-7226",
"summary": "The pe_ILF_object_p function in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a heap-based buffer over-read of size 4049 because it uses the strlen function instead of strnlen, leading to program crashes in several utilities such as addr2line, size, and strings. It could lead to information disclosure as well.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7226"
},
{
"id": "CVE-2017-7227",
"summary": "GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer overflow while processing a bogus input script, leading to a program crash. This relates to lack of '\\0' termination of a name field in ldlex.l.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7227"
},
{
"id": "CVE-2017-7299",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link function in bfd/elflink.c) does not check the format of the input file before trying to read the ELF reloc section header. The vulnerability leads to a GNU linker (ld) program crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7299"
},
{
"id": "CVE-2017-7300",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a heap-based buffer over-read (off-by-one) because of an incomplete check for invalid string offsets while loading symbols, leading to a GNU linker (ld) program crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7300"
},
{
"id": "CVE-2017-7301",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one vulnerability because it does not carefully check the string offset. The vulnerability could lead to a GNU linker (ld) program crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7301"
},
{
"id": "CVE-2017-7302",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid read (of size 4) because of missing checks for relocs that could not be recognised. This vulnerability causes Binutils utilities like strip to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7302"
},
{
"id": "CVE-2017-7303",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 4) because of missing a check (in the find_link function) for null headers before attempting to match them. This vulnerability causes Binutils utilities like strip to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7303"
},
{
"id": "CVE-2017-7304",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. This vulnerability causes Binutils utilities like strip to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7304"
},
{
"id": "CVE-2017-7614",
"summary": "elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a \"member access within null pointer\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an \"int main() {return 0;}\" program.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7614"
},
{
"id": "CVE-2017-8392",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8392"
},
{
"id": "CVE-2017-8393",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a global buffer over-read error because of an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy and strip, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8393"
},
{
"id": "CVE-2017-8394",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of _bfd_elf_large_com_section. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8394"
},
{
"id": "CVE-2017-8395",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8395"
},
{
"id": "CVE-2017-8396",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8396"
},
{
"id": "CVE-2017-8397",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an invalid write of size 1 during processing of a corrupt binary containing reloc(s) with negative addresses. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8397"
},
{
"id": "CVE-2017-8398",
"summary": "dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary. This vulnerability causes programs that conduct an analysis of binary programs, such as objdump and readelf, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8398"
},
{
"id": "CVE-2017-8421",
"summary": "The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file. Additional validation in dump_relocs_in_section in objdump.c can resolve this.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8421"
},
{
"id": "CVE-2017-9038",
"summary": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to the byte_get_little_endian function in elfcomm.c, the get_unwind_section_word function in readelf.c, and ARM unwind information that contains invalid word offsets.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9038"
},
{
"id": "CVE-2017-9039",
"summary": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file with many program headers, related to the get_program_headers function in readelf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9039"
},
{
"id": "CVE-2017-9040",
"summary": "GNU Binutils 2017-04-03 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash), related to the process_mips_specific function in readelf.c, via a crafted ELF file that triggers a large memory-allocation attempt.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9040"
},
{
"id": "CVE-2017-9041",
"summary": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to MIPS GOT mishandling in the process_mips_specific function in readelf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9041"
},
{
"id": "CVE-2017-9042",
"summary": "readelf.c in GNU Binutils 2017-04-12 has a \"cannot be represented in type long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9042"
},
{
"id": "CVE-2017-9043",
"summary": "readelf.c in GNU Binutils 2017-04-12 has a \"shift exponent too large for type unsigned long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9043"
},
{
"id": "CVE-2017-9044",
"summary": "The print_symbol_for_build_attribute function in readelf.c in GNU Binutils 2017-04-12 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9044"
},
{
"id": "CVE-2017-9742",
"summary": "The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9742"
},
{
"id": "CVE-2017-9743",
"summary": "The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9743"
},
{
"id": "CVE-2017-9744",
"summary": "The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9744"
},
{
"id": "CVE-2017-9745",
"summary": "The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9745"
},
{
"id": "CVE-2017-9746",
"summary": "The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9746"
},
{
"id": "CVE-2017-9747",
"summary": "The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9747"
},
{
"id": "CVE-2017-9748",
"summary": "The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9748"
},
{
"id": "CVE-2017-9749",
"summary": "The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9749"
},
{
"id": "CVE-2017-9750",
"summary": "opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain scale arrays, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9750"
},
{
"id": "CVE-2017-9751",
"summary": "opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9751"
},
{
"id": "CVE-2017-9752",
"summary": "bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file in the _bfd_vms_get_value and _bfd_vms_slurp_etir functions during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9752"
},
{
"id": "CVE-2017-9753",
"summary": "The versados_mkobject function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not initialize a certain data structure, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9753"
},
{
"id": "CVE-2017-9754",
"summary": "The process_otr function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not validate a certain offset, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9754"
},
{
"id": "CVE-2017-9755",
"summary": "opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9755"
},
{
"id": "CVE-2017-9756",
"summary": "The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9756"
},
{
"id": "CVE-2017-9954",
"summary": "The getvalue function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted tekhex file, as demonstrated by mishandling within the nm program.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9954"
},
{
"id": "CVE-2017-9955",
"summary": "The get_build_id function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file in which a certain size field is larger than a corresponding data field, as demonstrated by mishandling within the objdump program.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9955"
},
{
"id": "CVE-2018-1000876",
"summary": "binutils version 2.32 and earlier contains a Integer Overflow vulnerability in objdump, bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc that can result in Integer overflow trigger heap overflow. Successful exploitation allows execution of arbitrary code.. This attack appear to be exploitable via Local. This vulnerability appears to have been fixed in after commit 3a551c7a1b80fca579461774860574eabfd7f18f.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000876"
},
{
"id": "CVE-2018-10372",
"summary": "process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted binary file, as demonstrated by readelf.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10372"
},
{
"id": "CVE-2018-10373",
"summary": "concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by nm-new.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10373"
},
{
"id": "CVE-2018-10534",
"summary": "The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, processes a negative Data Directory size with an unbounded loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceeds its own memory region, resulting in an out-of-bounds memory write, as demonstrated by objcopy copying private info with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10534"
},
{
"id": "CVE-2018-10535",
"summary": "The ignore_section_sym function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, does not validate the output_section pointer in the case of a symtab entry with a \"SECTION\" type that has a \"0\" value, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file, as demonstrated by objcopy.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10535"
},
{
"id": "CVE-2018-12641",
"summary": "An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type, do_type, do_arg, demangle_args, and demangle_nested_args. This can occur during execution of nm-new.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12641"
},
{
"id": "CVE-2018-12697",
"summary": "A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12697"
},
{
"id": "CVE-2018-12698",
"summary": "demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the \"Create an array for saving the template argument values\" XNEWVEC call. This can occur during execution of objdump.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12698"
},
{
"id": "CVE-2018-12699",
"summary": "finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12699"
},
{
"id": "CVE-2018-12934",
"summary": "remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM). This can occur during execution of cxxfilt.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12934"
},
{
"id": "CVE-2018-13033",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file, as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c. This can occur during execution of nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13033"
},
{
"id": "CVE-2018-17358",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in _bfd_stab_section_find_nearest_line in syms.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17358"
},
{
"id": "CVE-2018-17359",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in bfd_zalloc in opncls.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17359"
},
{
"id": "CVE-2018-17360",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. a heap-based buffer over-read in bfd_getl32 in libbfd.c allows an attacker to cause a denial of service through a crafted PE file. This vulnerability can be triggered by the executable objdump.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17360"
},
{
"id": "CVE-2018-17794",
"summary": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in work_stuff_copy_to_from when called from iterate_demangle_function.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17794"
},
{
"id": "CVE-2018-17985",
"summary": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption problem caused by the cplus_demangle_type function making recursive calls to itself in certain scenarios involving many 'P' characters.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17985"
},
{
"id": "CVE-2018-18309",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory address dereference was discovered in read_reloc in reloc.c. The vulnerability causes a segmentation fault and application crash, which leads to denial of service, as demonstrated by objdump, because of missing _bfd_clear_contents bounds checking.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18309"
},
{
"id": "CVE-2018-18483",
"summary": "The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote attackers to cause a denial of service (malloc called with the result of an integer-overflowing calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by c++filt.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18483"
},
{
"id": "CVE-2018-18484",
"summary": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18484"
},
{
"id": "CVE-2018-18605",
"summary": "A heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, because _bfd_add_merge_section mishandles section merges when size is not a multiple of entsize. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18605"
},
{
"id": "CVE-2018-18606",
"summary": "An issue was discovered in the merge_strings function in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18606"
},
{
"id": "CVE-2018-18607",
"summary": "An issue was discovered in elf_link_input_bfd in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18607"
},
{
"id": "CVE-2018-18700",
"summary": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions d_name(), d_encoding(), and d_local_name() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18700"
},
{
"id": "CVE-2018-18701",
"summary": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions next_is_type_qual() and cplus_demangle_type() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18701"
},
{
"id": "CVE-2018-19931",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h because the number of program headers is not restricted.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19931"
},
{
"id": "CVE-2018-19932",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA macro in elf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19932"
},
{
"id": "CVE-2018-20002",
"summary": "The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a denial of service (memory consumption), as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20002"
},
{
"id": "CVE-2018-20623",
"summary": "In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20623"
},
{
"id": "CVE-2018-20651",
"summary": "A NULL pointer dereference was discovered in elf_link_add_object_symbols in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31.1. This occurs for a crafted ET_DYN with no program headers. A specially crafted ELF file allows remote attackers to cause a denial of service, as demonstrated by ld.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20651"
},
{
"id": "CVE-2018-20657",
"summary": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20657"
},
{
"id": "CVE-2018-20671",
"summary": "load_specific_debug_section in objdump.c in GNU Binutils through 2.31.1 contains an integer overflow vulnerability that can trigger a heap-based buffer overflow via a crafted section size.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20671"
},
{
"id": "CVE-2018-20673",
"summary": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20673"
},
{
"id": "CVE-2018-20712",
"summary": "A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20712"
},
{
"id": "CVE-2018-6323",
"summary": "The elf_object_p function in elfcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, has an unsigned integer overflow because bfd_size_type multiplication is not used. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6323"
},
{
"id": "CVE-2018-6543",
"summary": "In GNU Binutils 2.30, there's an integer overflow in the function load_specific_debug_section() in objdump.c, which results in `malloc()` with 0 size. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6543"
},
{
"id": "CVE-2018-6759",
"summary": "The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation. Remote attackers could leverage this vulnerability to cause a denial of service (segmentation fault) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6759"
},
{
"id": "CVE-2018-6872",
"summary": "The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (out-of-bounds read and segmentation violation) via a note with a large alignment.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6872"
},
{
"id": "CVE-2018-7208",
"summary": "In the coff_pointerize_aux function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, an index is not validated, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted file, as demonstrated by objcopy of a COFF object.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7208"
},
{
"id": "CVE-2018-7568",
"summary": "The parse_die function in dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (integer overflow and application crash) via an ELF file with corrupt dwarf1 debug information, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7568"
},
{
"id": "CVE-2018-7569",
"summary": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (integer underflow or overflow, and application crash) via an ELF file with a corrupt DWARF FORM block, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7569"
},
{
"id": "CVE-2018-7570",
"summary": "The assign_file_positions_for_non_load_sections function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an ELF file with a RELRO segment that lacks a matching LOAD segment, as demonstrated by objcopy.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7570"
},
{
"id": "CVE-2018-7642",
"summary": "The swap_std_reloc_in function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (aout_32_swap_std_reloc_out NULL pointer dereference and application crash) via a crafted ELF file, as demonstrated by objcopy.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7642"
},
{
"id": "CVE-2018-7643",
"summary": "The display_debug_ranges function in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, as demonstrated by objdump.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7643"
},
{
"id": "CVE-2018-8945",
"summary": "The bfd_section_from_shdr function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (segmentation fault) via a large attribute section.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8945"
},
{
"id": "CVE-2018-9138",
"summary": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.29 and 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_nested_args, demangle_args, do_arg, and do_type.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9138"
},
{
"id": "CVE-2018-9996",
"summary": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9996"
},
{
"id": "CVE-2019-1010204",
"summary": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010204"
},
{
"id": "CVE-2019-12972",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. There is a heap-based buffer over-read in _bfd_doprnt in bfd.c because elf_object_p in elfcode.h mishandles an e_shstrndx section of type SHT_GROUP by omitting a trailing '\\0' character.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12972"
},
{
"id": "CVE-2019-14250",
"summary": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14250"
},
{
"id": "CVE-2019-14444",
"summary": "apply_relocations in readelf.c in GNU Binutils 2.32 contains an integer overflow that allows attackers to trigger a write access violation (in byte_put_little_endian function in elfcomm.c) via an ELF file, as demonstrated by readelf.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14444"
},
{
"id": "CVE-2019-17450",
"summary": "find_abstract_instance in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17450"
},
{
"id": "CVE-2019-17451",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line in dwarf2.c, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17451"
},
{
"id": "CVE-2019-9070",
"summary": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a heap-based buffer over-read in d_expression_1 in cp-demangle.c after many recursive calls.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9070"
},
{
"id": "CVE-2019-9071",
"summary": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a stack consumption issue in d_count_templates_scopes in cp-demangle.c after many recursive calls.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9071"
},
{
"id": "CVE-2019-9072",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in setup_group in elf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9072"
},
{
"id": "CVE-2019-9073",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in _bfd_elf_slurp_version_tables in elf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9073"
},
{
"id": "CVE-2019-9074",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an out-of-bounds read leading to a SEGV in bfd_getl32 in libbfd.c, when called from pex64_get_runtime_function in pei-x86_64.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9074"
},
{
"id": "CVE-2019-9075",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9075"
},
{
"id": "CVE-2019-9076",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in elf_read_notes in elf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9076"
},
{
"id": "CVE-2019-9077",
"summary": "An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer overflow in process_mips_specific in readelf.c via a malformed MIPS option section.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9077"
},
{
"id": "CVE-2020-16590",
"summary": "A double free vulnerability exists in the Binary File Descriptor (BFD) (aka libbrd) in GNU Binutils 2.35 in the process_symbol_table, as demonstrated in readelf, via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16590"
},
{
"id": "CVE-2020-16591",
"summary": "A Denial of Service vulnerability exists in the Binary File Descriptor (BFD) in GNU Binutils 2.35 due to an invalid read in process_symbol_table, as demonstrated in readeif.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16591"
},
{
"id": "CVE-2020-16592",
"summary": "A use after free issue exists in the Binary File Descriptor (BFD) library (aka libbfd) in GNU Binutils 2.34 in bfd_hash_lookup, as demonstrated in nm-new, that can cause a denial of service via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16592"
},
{
"id": "CVE-2020-16593",
"summary": "A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in scan_unit_for_symbols, as demonstrated in addr2line, that can cause a denial of service via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16593"
},
{
"id": "CVE-2020-16599",
"summary": "A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in _bfd_elf_get_symbol_version_string, as demonstrated in nm-new, that can cause a denial of service via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16599"
},
{
"id": "CVE-2020-19724",
"summary": "A memory consumption issue in get_data function in binutils/nm.c in GNU nm before 2.34 allows attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19724"
},
{
"id": "CVE-2020-19726",
"summary": "An issue was discovered in binutils libbfd.c 2.36 relating to the auxiliary symbol data allows attackers to read or write to system memory or cause a denial of service.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19726"
},
{
"id": "CVE-2020-21490",
"summary": "An issue was discovered in GNU Binutils 2.34. It is a memory leak when process microblaze-dis.c. This one will consume memory on each insn disassembled.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-21490"
},
{
"id": "CVE-2020-35342",
"summary": "GNU Binutils before 2.34 has an uninitialized-heap vulnerability in function tic4x_print_cond (file opcodes/tic4x-dis.c) which could allow attackers to make an information leak.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35342"
},
{
"id": "CVE-2020-35448",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. A heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section in elf.c.",
"scorev2": "4.3",
"scorev3": "3.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35448"
},
{
"id": "CVE-2020-35493",
"summary": "A flaw exists in binutils in bfd/pef.c. An attacker who is able to submit a crafted PEF file to be parsed by objdump could cause a heap buffer overflow -> out-of-bounds read that could lead to an impact to application availability. This flaw affects binutils versions prior to 2.34.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35493"
},
{
"id": "CVE-2020-35494",
"summary": "There's a flaw in binutils /opcodes/tic4x-dis.c. An attacker who is able to submit a crafted input file to be processed by binutils could cause usage of uninitialized memory. The highest threat is to application availability with a lower threat to data confidentiality. This flaw affects binutils versions prior to 2.34.",
"scorev2": "5.8",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35494"
},
{
"id": "CVE-2020-35495",
"summary": "There's a flaw in binutils /bfd/pef.c. An attacker who is able to submit a crafted input file to be processed by the objdump program could cause a null pointer dereference. The greatest threat from this flaw is to application availability. This flaw affects binutils versions prior to 2.34.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35495"
},
{
"id": "CVE-2020-35496",
"summary": "There's a flaw in bfd_pef_scan_start_address() of bfd/pef.c in binutils which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability. This flaw affects binutils versions prior to 2.34.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35496"
},
{
"id": "CVE-2020-35507",
"summary": "There's a flaw in bfd_pef_parse_function_stubs of bfd/pef.c in binutils in versions prior to 2.34 which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35507"
},
{
"id": "CVE-2021-20197",
"summary": "There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink.",
"scorev2": "3.3",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20197"
},
{
"id": "CVE-2021-20284",
"summary": "A flaw was found in GNU Binutils 2.35.1, where there is a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c due to the number of symbols not calculated correctly. The highest threat from this vulnerability is to system availability.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20284"
},
{
"id": "CVE-2021-20294",
"summary": "A flaw was found in binutils readelf 2.35 program. An attacker who is able to convince a victim using readelf to read a crafted file could trigger a stack buffer overflow, out-of-bounds write of arbitrary data supplied by the attacker. The highest impact of this flaw is to confidentiality, integrity, and availability.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20294"
},
{
"id": "CVE-2021-32256",
"summary": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-32256"
},
{
"id": "CVE-2021-3530",
"summary": "A flaw was discovered in GNU libiberty within demangle_path() in rust-demangle.c, as distributed in GNU Binutils version 2.36. A crafted symbol can cause stack memory to be exhausted leading to a crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3530"
},
{
"id": "CVE-2021-3549",
"summary": "An out of bounds flaw was found in GNU binutils objdump utility version 2.36. An attacker could use this flaw and pass a large section to avr_elf32_load_records_from_section() probably resulting in a crash or in some cases memory corruption. The highest threat from this vulnerability is to integrity as well as system availability.",
"scorev2": "5.8",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3549"
},
{
"id": "CVE-2021-37322",
"summary": "GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37322"
},
{
"id": "CVE-2021-45078",
"summary": "stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45078"
},
{
"id": "CVE-2021-46174",
"summary": "Heap-based Buffer Overflow in function bfd_getl32 in Binutils objdump 3.37.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46174"
},
{
"id": "CVE-2022-35205",
"summary": "An issue was discovered in Binutils readelf 2.38.50, reachable assertion failure in function display_debug_names allows attackers to cause a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35205"
},
{
"id": "CVE-2022-35206",
"summary": "Null pointer dereference vulnerability in Binutils readelf 2.38.50 via function read_and_display_attr_value in file dwarf.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35206"
},
{
"id": "CVE-2022-38533",
"summary": "In GNU Binutils before 2.40, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-38533"
},
{
"id": "CVE-2022-4285",
"summary": "An illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4285"
},
{
"id": "CVE-2022-44840",
"summary": "Heap buffer overflow vulnerability in binutils readelf before 2.40 via function find_section_in_set in file readelf.c.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-44840"
},
{
"id": "CVE-2022-45703",
"summary": "Heap buffer overflow vulnerability in binutils readelf before 2.40 via function display_debug_section in file readelf.c.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45703"
},
{
"id": "CVE-2022-47007",
"summary": "An issue was discovered function stab_demangle_v3_arg in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47007"
},
{
"id": "CVE-2022-47008",
"summary": "An issue was discovered function make_tempdir, and make_tempname in bucomm.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47008"
},
{
"id": "CVE-2022-47010",
"summary": "An issue was discovered function pr_function_type in prdbg.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47010"
},
{
"id": "CVE-2022-47011",
"summary": "An issue was discovered function parse_stab_struct_fields in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47011"
},
{
"id": "CVE-2022-47673",
"summary": "An issue was discovered in Binutils addr2line before 2.39.3, function parse_module contains multiple out of bound reads which may cause a denial of service or other unspecified impacts.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47673"
},
{
"id": "CVE-2022-47695",
"summary": "An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function bfd_mach_o_get_synthetic_symtab in match-o.c.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47695"
},
{
"id": "CVE-2022-47696",
"summary": "An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function compare_symbols.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47696"
},
{
"id": "CVE-2022-48063",
"summary": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function load_separate_debug_files at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48063"
},
{
"id": "CVE-2022-48064",
"summary": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064"
},
{
"id": "CVE-2022-48065",
"summary": "GNU Binutils before 2.40 was discovered to contain a memory leak vulnerability var the function find_abstract_instance in dwarf2.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48065"
},
{
"id": "CVE-2023-1579",
"summary": "Heap based buffer overflow in binutils-gdb/bfd/libbfd.c in bfd_getl64.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1579"
},
{
"id": "CVE-2023-1972",
"summary": "A potential heap based buffer overflow was found in _bfd_elf_slurp_version_tables() in bfd/elf.c. This may lead to loss of availability.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1972"
},
{
"id": "CVE-2023-25584",
"summary": "An out-of-bounds read flaw was found in the parse_module function in bfd/vms-alpha.c in Binutils.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25584",
"detail": "cpe-incorrect",
"description": "Applies only for version 2.40 and earlier"
},
{
"id": "CVE-2023-25585",
"summary": "A flaw was found in Binutils. The use of an uninitialized field in the struct module *module may lead to application crash and local denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25585"
},
{
"id": "CVE-2023-25586",
"summary": "A flaw was found in Binutils. A logic fail in the bfd_init_section_decompress_status function may lead to the use of an uninitialized variable that can cause a crash and local denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25586"
},
{
"id": "CVE-2023-25588",
"summary": "A flaw was found in Binutils. The field `the_bfd` of `asymbol`struct is uninitialized in the `bfd_mach_o_get_synthetic_symtab` function, which may lead to an application crash and local denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25588"
}
]
},
{
"name": "binutils-cross-canadian-aarch64",
"layer": "meta",
"version": "2.42",
"products": [
{
"product": "binutils",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2005-4807",
"summary": "Stack-based buffer overflow in the as_bad function in messages.c in the GNU as (gas) assembler in Free Software Foundation GNU Binutils before 20050721 allows attackers to execute arbitrary code via a .c file with crafted inline assembly code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4807"
},
{
"id": "CVE-2005-4808",
"summary": "Buffer overflow in reset_vars in config/tc-crx.c in the GNU as (gas) assembler in Free Software Foundation GNU Binutils before 20050714 allows user-assisted attackers to have an unknown impact via a crafted .s file.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4808"
},
{
"id": "CVE-2006-2362",
"summary": "Buffer overflow in getsym in tekhex.c in libbfd in Free Software Foundation GNU Binutils before 20060423, as used by GNU strings, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a file with a crafted Tektronix Hex Format (TekHex) record in which the length character is not a valid hexadecimal character.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2362"
},
{
"id": "CVE-2012-3509",
"summary": "Multiple integer overflows in the (1) _objalloc_alloc function in objalloc.c and (2) objalloc_alloc macro in include/objalloc.h in GNU libiberty, as used by binutils 2.22, allow remote attackers to cause a denial of service (crash) via vectors related to the \"addition of CHUNK_HEADER_SIZE to the length,\" which triggers a heap-based buffer overflow.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3509"
},
{
"id": "CVE-2014-8484",
"summary": "The srec_scan function in bfd/srec.c in libdbfd in GNU binutils before 2.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a small S-record.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8484"
},
{
"id": "CVE-2014-8485",
"summary": "The setup_group function in bfd/elf.c in libbfd in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted section group headers in an ELF file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8485"
},
{
"id": "CVE-2014-8501",
"summary": "The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) and possibly have other unspecified impact via a crafted NumberOfRvaAndSizes field in the AOUT header in a PE executable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8501"
},
{
"id": "CVE-2014-8502",
"summary": "Heap-based buffer overflow in the pe_print_edata function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a truncated export table in a PE file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8502"
},
{
"id": "CVE-2014-8503",
"summary": "Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted ihex file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8503"
},
{
"id": "CVE-2014-8504",
"summary": "Stack-based buffer overflow in the srec_scan function in bfd/srec.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8504"
},
{
"id": "CVE-2014-8737",
"summary": "Multiple directory traversal vulnerabilities in GNU binutils 2.24 and earlier allow local users to delete arbitrary files via a .. (dot dot) or full path name in an archive to (1) strip or (2) objcopy or create arbitrary files via (3) a .. (dot dot) or full path name in an archive to ar.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8737"
},
{
"id": "CVE-2014-8738",
"summary": "The _bfd_slurp_extended_name_table function in bfd/archive.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (invalid write, segmentation fault, and crash) via a crafted extended name table in an archive.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8738"
},
{
"id": "CVE-2014-9939",
"summary": "ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing bad bytes in Intel Hex objects.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9939"
},
{
"id": "CVE-2017-12448",
"summary": "The bfd_cache_close function in bfd/cache.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a heap use after free and possibly achieve code execution via a crafted nested archive file. This issue occurs because incorrect functions are called during an attempt to release memory. The issue can be addressed by better input validation in the bfd_generic_archive_p function in bfd/archive.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12448"
},
{
"id": "CVE-2017-12449",
"summary": "The _bfd_vms_save_sized_string function in vms-misc.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12449"
},
{
"id": "CVE-2017-12450",
"summary": "The alpha_vms_object_p function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap write and possibly achieve code execution via a crafted vms alpha file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12450"
},
{
"id": "CVE-2017-12451",
"summary": "The _bfd_xcoff_read_ar_hdr function in bfd/coff-rs6000.c and bfd/coff64-rs6000.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds stack read via a crafted COFF image file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12451"
},
{
"id": "CVE-2017-12452",
"summary": "The bfd_mach_o_i386_canonicalize_one_reloc function in bfd/mach-o-i386.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted mach-o file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12452"
},
{
"id": "CVE-2017-12453",
"summary": "The _bfd_vms_slurp_eeom function in libbfd.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12453"
},
{
"id": "CVE-2017-12454",
"summary": "The _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an arbitrary memory read via a crafted vms alpha file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12454"
},
{
"id": "CVE-2017-12455",
"summary": "The evax_bfd_print_emh function in vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12455"
},
{
"id": "CVE-2017-12456",
"summary": "The read_symbol_stabs_debugging_info function in rddbg.c in GNU Binutils 2.29 and earlier allows remote attackers to cause an out of bounds heap read via a crafted binary file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12456"
},
{
"id": "CVE-2017-12457",
"summary": "The bfd_make_section_with_flags function in section.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a NULL dereference via a crafted file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12457"
},
{
"id": "CVE-2017-12458",
"summary": "The nlm_swap_auxiliary_headers_in function in bfd/nlmcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted nlm file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12458"
},
{
"id": "CVE-2017-12459",
"summary": "The bfd_mach_o_read_symtab_strtab function in bfd/mach-o.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap write and possibly achieve code execution via a crafted mach-o file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12459"
},
{
"id": "CVE-2017-12799",
"summary": "The elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12799"
},
{
"id": "CVE-2017-12967",
"summary": "The getsym function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a malformed tekhex binary.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12967"
},
{
"id": "CVE-2017-13710",
"summary": "The setup_group function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a group section that is too small.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13710"
},
{
"id": "CVE-2017-13716",
"summary": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13716"
},
{
"id": "CVE-2017-13757",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the PLT section size, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to elf_i386_get_synthetic_symtab in elf32-i386.c and elf_x86_64_get_synthetic_symtab in elf64-x86-64.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13757"
},
{
"id": "CVE-2017-14128",
"summary": "The decode_line_info function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (read_1_byte heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14128"
},
{
"id": "CVE-2017-14129",
"summary": "The read_section function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (parse_comp_unit heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14129"
},
{
"id": "CVE-2017-14130",
"summary": "The _bfd_elf_parse_attributes function in elf-attrs.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (_bfd_elf_attr_strdup heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14130"
},
{
"id": "CVE-2017-14333",
"summary": "The process_version_sections function in readelf.c in GNU Binutils 2.29 allows attackers to cause a denial of service (Integer Overflow, and hang because of a time-consuming loop) or possibly have unspecified other impact via a crafted binary file with invalid values of ent.vn_next, during \"readelf -a\" execution.",
"scorev2": "4.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14333"
},
{
"id": "CVE-2017-14529",
"summary": "The pe_print_idata function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles HintName vector entries, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted PE file, related to the bfd_getl16 function.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14529"
},
{
"id": "CVE-2017-14729",
"summary": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, do not ensure a unique PLT entry for a symbol, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14729"
},
{
"id": "CVE-2017-14745",
"summary": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1 value as a sorting count instead of an error flag, which allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14745"
},
{
"id": "CVE-2017-14930",
"summary": "Memory leak in decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14930"
},
{
"id": "CVE-2017-14932",
"summary": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14932"
},
{
"id": "CVE-2017-14933",
"summary": "read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14933"
},
{
"id": "CVE-2017-14934",
"summary": "process_debug_info in dwarf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file that contains a negative size value in a CU structure.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14934"
},
{
"id": "CVE-2017-14938",
"summary": "_bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14938"
},
{
"id": "CVE-2017-14939",
"summary": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles a length calculation, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to read_1_byte.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14939"
},
{
"id": "CVE-2017-14940",
"summary": "scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14940"
},
{
"id": "CVE-2017-14974",
"summary": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandle the failure of a certain canonicalization step, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14974"
},
{
"id": "CVE-2017-15020",
"summary": "dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles pointers, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file, related to parse_die and parse_line_table, as demonstrated by a parse_die heap-based buffer over-read.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15020"
},
{
"id": "CVE-2017-15021",
"summary": "bfd_get_debug_link_info_1 in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to bfd_getl32.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15021"
},
{
"id": "CVE-2017-15022",
"summary": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the DW_AT_name data type, which allows remote attackers to cause a denial of service (bfd_hash_hash NULL pointer dereference, or out-of-bounds access, and application crash) via a crafted ELF file, related to scan_unit_for_symbols and parse_comp_unit.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15022"
},
{
"id": "CVE-2017-15023",
"summary": "read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not properly validate the format count, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15023"
},
{
"id": "CVE-2017-15024",
"summary": "find_abstract_instance_name in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15024"
},
{
"id": "CVE-2017-15025",
"summary": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15025"
},
{
"id": "CVE-2017-15225",
"summary": "_bfd_dwarf2_cleanup_debug_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory leak) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15225"
},
{
"id": "CVE-2017-15938",
"summary": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in the case of a relocatable object file, which allows remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15938"
},
{
"id": "CVE-2017-15939",
"summary": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line file table, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. NOTE: this issue is caused by an incomplete fix for CVE-2017-15023.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15939"
},
{
"id": "CVE-2017-15996",
"summary": "elfcomm.c in readelf in GNU Binutils 2.29 allows remote attackers to cause a denial of service (excessive memory allocation) or possibly have unspecified other impact via a crafted ELF file that triggers a \"buffer overflow on fuzzed archive header,\" related to an uninitialized variable, an improper conditional jump, and the get_archive_member_name, process_archive_index_and_symbols, and setup_archive functions.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15996"
},
{
"id": "CVE-2017-16826",
"summary": "The coff_slurp_line_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted PE file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16826"
},
{
"id": "CVE-2017-16827",
"summary": "The aout_get_external_symbols function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (slurp_symtab invalid free and application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16827"
},
{
"id": "CVE-2017-16828",
"summary": "The display_debug_frames function in dwarf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (integer overflow and heap-based buffer over-read, and application crash) or possibly have unspecified other impact via a crafted ELF file, related to print_debug_frame.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16828"
},
{
"id": "CVE-2017-16829",
"summary": "The _bfd_elf_parse_gnu_properties function in elf-properties.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not prevent negative pointers, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16829"
},
{
"id": "CVE-2017-16830",
"summary": "The print_gnu_property_note function in readelf.c in GNU Binutils 2.29.1 does not have integer-overflow protection on 32-bit platforms, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16830"
},
{
"id": "CVE-2017-16831",
"summary": "coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate the symbol count, which allows remote attackers to cause a denial of service (integer overflow and application crash, or excessive memory allocation) or possibly have unspecified other impact via a crafted PE file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16831"
},
{
"id": "CVE-2017-16832",
"summary": "The pe_bfd_read_buildid function in peicode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate size and offset values in the data dictionary, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted PE file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16832"
},
{
"id": "CVE-2017-17080",
"summary": "elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate sizes of core notes, which allows remote attackers to cause a denial of service (bfd_getl32 heap-based buffer over-read and application crash) via a crafted object file, related to elfcore_grok_netbsd_procinfo, elfcore_grok_openbsd_procinfo, and elfcore_grok_nto_status.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17080"
},
{
"id": "CVE-2017-17121",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (memory access violation) or possibly have unspecified other impact via a COFF binary in which a relocation refers to a location after the end of the to-be-relocated section.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17121"
},
{
"id": "CVE-2017-17122",
"summary": "The dump_relocs_in_section function in objdump.c in GNU Binutils 2.29.1 does not check for reloc count integer overflows, which allows remote attackers to cause a denial of service (excessive memory allocation, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PE file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17122"
},
{
"id": "CVE-2017-17123",
"summary": "The coff_slurp_reloc_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted COFF based file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17123"
},
{
"id": "CVE-2017-17124",
"summary": "The _bfd_coff_read_string_table function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not properly validate the size of the external string table, which allows remote attackers to cause a denial of service (excessive memory consumption, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted COFF binary.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17124"
},
{
"id": "CVE-2017-17125",
"summary": "nm.c and objdump.c in GNU Binutils 2.29.1 mishandle certain global symbols, which allows remote attackers to cause a denial of service (_bfd_elf_get_symbol_version_string buffer over-read and application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17125"
},
{
"id": "CVE-2017-17126",
"summary": "The load_debug_section function in readelf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via an ELF file that lacks section headers.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17126"
},
{
"id": "CVE-2017-6965",
"summary": "readelf in GNU Binutils 2.28 writes to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6965"
},
{
"id": "CVE-2017-6966",
"summary": "readelf in GNU Binutils 2.28 has a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6966"
},
{
"id": "CVE-2017-6969",
"summary": "readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6969"
},
{
"id": "CVE-2017-7209",
"summary": "The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7209"
},
{
"id": "CVE-2017-7210",
"summary": "objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7210"
},
{
"id": "CVE-2017-7223",
"summary": "GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow (of size 1) while attempting to unget an EOF character from the input stream, potentially leading to a program crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7223"
},
{
"id": "CVE-2017-7224",
"summary": "The find_nearest_line function in objdump in GNU Binutils 2.28 is vulnerable to an invalid write (of size 1) while disassembling a corrupt binary that contains an empty function name, leading to a program crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7224"
},
{
"id": "CVE-2017-7225",
"summary": "The find_nearest_line function in addr2line in GNU Binutils 2.28 does not handle the case where the main file name and the directory name are both empty, triggering a NULL pointer dereference and an invalid write, and leading to a program crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7225"
},
{
"id": "CVE-2017-7226",
"summary": "The pe_ILF_object_p function in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a heap-based buffer over-read of size 4049 because it uses the strlen function instead of strnlen, leading to program crashes in several utilities such as addr2line, size, and strings. It could lead to information disclosure as well.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7226"
},
{
"id": "CVE-2017-7227",
"summary": "GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer overflow while processing a bogus input script, leading to a program crash. This relates to lack of '\\0' termination of a name field in ldlex.l.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7227"
},
{
"id": "CVE-2017-7299",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link function in bfd/elflink.c) does not check the format of the input file before trying to read the ELF reloc section header. The vulnerability leads to a GNU linker (ld) program crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7299"
},
{
"id": "CVE-2017-7300",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a heap-based buffer over-read (off-by-one) because of an incomplete check for invalid string offsets while loading symbols, leading to a GNU linker (ld) program crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7300"
},
{
"id": "CVE-2017-7301",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one vulnerability because it does not carefully check the string offset. The vulnerability could lead to a GNU linker (ld) program crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7301"
},
{
"id": "CVE-2017-7302",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid read (of size 4) because of missing checks for relocs that could not be recognised. This vulnerability causes Binutils utilities like strip to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7302"
},
{
"id": "CVE-2017-7303",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 4) because of missing a check (in the find_link function) for null headers before attempting to match them. This vulnerability causes Binutils utilities like strip to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7303"
},
{
"id": "CVE-2017-7304",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. This vulnerability causes Binutils utilities like strip to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7304"
},
{
"id": "CVE-2017-7614",
"summary": "elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a \"member access within null pointer\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an \"int main() {return 0;}\" program.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7614"
},
{
"id": "CVE-2017-8392",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8392"
},
{
"id": "CVE-2017-8393",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a global buffer over-read error because of an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy and strip, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8393"
},
{
"id": "CVE-2017-8394",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of _bfd_elf_large_com_section. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8394"
},
{
"id": "CVE-2017-8395",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8395"
},
{
"id": "CVE-2017-8396",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8396"
},
{
"id": "CVE-2017-8397",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an invalid write of size 1 during processing of a corrupt binary containing reloc(s) with negative addresses. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8397"
},
{
"id": "CVE-2017-8398",
"summary": "dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary. This vulnerability causes programs that conduct an analysis of binary programs, such as objdump and readelf, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8398"
},
{
"id": "CVE-2017-8421",
"summary": "The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file. Additional validation in dump_relocs_in_section in objdump.c can resolve this.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8421"
},
{
"id": "CVE-2017-9038",
"summary": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to the byte_get_little_endian function in elfcomm.c, the get_unwind_section_word function in readelf.c, and ARM unwind information that contains invalid word offsets.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9038"
},
{
"id": "CVE-2017-9039",
"summary": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file with many program headers, related to the get_program_headers function in readelf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9039"
},
{
"id": "CVE-2017-9040",
"summary": "GNU Binutils 2017-04-03 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash), related to the process_mips_specific function in readelf.c, via a crafted ELF file that triggers a large memory-allocation attempt.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9040"
},
{
"id": "CVE-2017-9041",
"summary": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to MIPS GOT mishandling in the process_mips_specific function in readelf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9041"
},
{
"id": "CVE-2017-9042",
"summary": "readelf.c in GNU Binutils 2017-04-12 has a \"cannot be represented in type long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9042"
},
{
"id": "CVE-2017-9043",
"summary": "readelf.c in GNU Binutils 2017-04-12 has a \"shift exponent too large for type unsigned long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9043"
},
{
"id": "CVE-2017-9044",
"summary": "The print_symbol_for_build_attribute function in readelf.c in GNU Binutils 2017-04-12 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9044"
},
{
"id": "CVE-2017-9742",
"summary": "The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9742"
},
{
"id": "CVE-2017-9743",
"summary": "The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9743"
},
{
"id": "CVE-2017-9744",
"summary": "The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9744"
},
{
"id": "CVE-2017-9745",
"summary": "The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9745"
},
{
"id": "CVE-2017-9746",
"summary": "The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9746"
},
{
"id": "CVE-2017-9747",
"summary": "The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9747"
},
{
"id": "CVE-2017-9748",
"summary": "The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9748"
},
{
"id": "CVE-2017-9749",
"summary": "The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9749"
},
{
"id": "CVE-2017-9750",
"summary": "opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain scale arrays, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9750"
},
{
"id": "CVE-2017-9751",
"summary": "opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9751"
},
{
"id": "CVE-2017-9752",
"summary": "bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file in the _bfd_vms_get_value and _bfd_vms_slurp_etir functions during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9752"
},
{
"id": "CVE-2017-9753",
"summary": "The versados_mkobject function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not initialize a certain data structure, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9753"
},
{
"id": "CVE-2017-9754",
"summary": "The process_otr function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not validate a certain offset, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9754"
},
{
"id": "CVE-2017-9755",
"summary": "opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9755"
},
{
"id": "CVE-2017-9756",
"summary": "The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9756"
},
{
"id": "CVE-2017-9954",
"summary": "The getvalue function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted tekhex file, as demonstrated by mishandling within the nm program.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9954"
},
{
"id": "CVE-2017-9955",
"summary": "The get_build_id function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file in which a certain size field is larger than a corresponding data field, as demonstrated by mishandling within the objdump program.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9955"
},
{
"id": "CVE-2018-1000876",
"summary": "binutils version 2.32 and earlier contains a Integer Overflow vulnerability in objdump, bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc that can result in Integer overflow trigger heap overflow. Successful exploitation allows execution of arbitrary code.. This attack appear to be exploitable via Local. This vulnerability appears to have been fixed in after commit 3a551c7a1b80fca579461774860574eabfd7f18f.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000876"
},
{
"id": "CVE-2018-10372",
"summary": "process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted binary file, as demonstrated by readelf.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10372"
},
{
"id": "CVE-2018-10373",
"summary": "concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by nm-new.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10373"
},
{
"id": "CVE-2018-10534",
"summary": "The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, processes a negative Data Directory size with an unbounded loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceeds its own memory region, resulting in an out-of-bounds memory write, as demonstrated by objcopy copying private info with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10534"
},
{
"id": "CVE-2018-10535",
"summary": "The ignore_section_sym function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, does not validate the output_section pointer in the case of a symtab entry with a \"SECTION\" type that has a \"0\" value, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file, as demonstrated by objcopy.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10535"
},
{
"id": "CVE-2018-12641",
"summary": "An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type, do_type, do_arg, demangle_args, and demangle_nested_args. This can occur during execution of nm-new.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12641"
},
{
"id": "CVE-2018-12697",
"summary": "A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12697"
},
{
"id": "CVE-2018-12698",
"summary": "demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the \"Create an array for saving the template argument values\" XNEWVEC call. This can occur during execution of objdump.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12698"
},
{
"id": "CVE-2018-12699",
"summary": "finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12699"
},
{
"id": "CVE-2018-12934",
"summary": "remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM). This can occur during execution of cxxfilt.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12934"
},
{
"id": "CVE-2018-13033",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file, as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c. This can occur during execution of nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13033"
},
{
"id": "CVE-2018-17358",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in _bfd_stab_section_find_nearest_line in syms.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17358"
},
{
"id": "CVE-2018-17359",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in bfd_zalloc in opncls.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17359"
},
{
"id": "CVE-2018-17360",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. a heap-based buffer over-read in bfd_getl32 in libbfd.c allows an attacker to cause a denial of service through a crafted PE file. This vulnerability can be triggered by the executable objdump.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17360"
},
{
"id": "CVE-2018-17794",
"summary": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in work_stuff_copy_to_from when called from iterate_demangle_function.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17794"
},
{
"id": "CVE-2018-17985",
"summary": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption problem caused by the cplus_demangle_type function making recursive calls to itself in certain scenarios involving many 'P' characters.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17985"
},
{
"id": "CVE-2018-18309",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory address dereference was discovered in read_reloc in reloc.c. The vulnerability causes a segmentation fault and application crash, which leads to denial of service, as demonstrated by objdump, because of missing _bfd_clear_contents bounds checking.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18309"
},
{
"id": "CVE-2018-18483",
"summary": "The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote attackers to cause a denial of service (malloc called with the result of an integer-overflowing calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by c++filt.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18483"
},
{
"id": "CVE-2018-18484",
"summary": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18484"
},
{
"id": "CVE-2018-18605",
"summary": "A heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, because _bfd_add_merge_section mishandles section merges when size is not a multiple of entsize. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18605"
},
{
"id": "CVE-2018-18606",
"summary": "An issue was discovered in the merge_strings function in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18606"
},
{
"id": "CVE-2018-18607",
"summary": "An issue was discovered in elf_link_input_bfd in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18607"
},
{
"id": "CVE-2018-18700",
"summary": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions d_name(), d_encoding(), and d_local_name() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18700"
},
{
"id": "CVE-2018-18701",
"summary": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions next_is_type_qual() and cplus_demangle_type() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18701"
},
{
"id": "CVE-2018-19931",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h because the number of program headers is not restricted.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19931"
},
{
"id": "CVE-2018-19932",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA macro in elf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19932"
},
{
"id": "CVE-2018-20002",
"summary": "The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a denial of service (memory consumption), as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20002"
},
{
"id": "CVE-2018-20623",
"summary": "In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20623"
},
{
"id": "CVE-2018-20651",
"summary": "A NULL pointer dereference was discovered in elf_link_add_object_symbols in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31.1. This occurs for a crafted ET_DYN with no program headers. A specially crafted ELF file allows remote attackers to cause a denial of service, as demonstrated by ld.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20651"
},
{
"id": "CVE-2018-20657",
"summary": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20657"
},
{
"id": "CVE-2018-20671",
"summary": "load_specific_debug_section in objdump.c in GNU Binutils through 2.31.1 contains an integer overflow vulnerability that can trigger a heap-based buffer overflow via a crafted section size.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20671"
},
{
"id": "CVE-2018-20673",
"summary": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20673"
},
{
"id": "CVE-2018-20712",
"summary": "A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20712"
},
{
"id": "CVE-2018-6323",
"summary": "The elf_object_p function in elfcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, has an unsigned integer overflow because bfd_size_type multiplication is not used. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6323"
},
{
"id": "CVE-2018-6543",
"summary": "In GNU Binutils 2.30, there's an integer overflow in the function load_specific_debug_section() in objdump.c, which results in `malloc()` with 0 size. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6543"
},
{
"id": "CVE-2018-6759",
"summary": "The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation. Remote attackers could leverage this vulnerability to cause a denial of service (segmentation fault) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6759"
},
{
"id": "CVE-2018-6872",
"summary": "The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (out-of-bounds read and segmentation violation) via a note with a large alignment.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6872"
},
{
"id": "CVE-2018-7208",
"summary": "In the coff_pointerize_aux function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, an index is not validated, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted file, as demonstrated by objcopy of a COFF object.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7208"
},
{
"id": "CVE-2018-7568",
"summary": "The parse_die function in dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (integer overflow and application crash) via an ELF file with corrupt dwarf1 debug information, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7568"
},
{
"id": "CVE-2018-7569",
"summary": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (integer underflow or overflow, and application crash) via an ELF file with a corrupt DWARF FORM block, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7569"
},
{
"id": "CVE-2018-7570",
"summary": "The assign_file_positions_for_non_load_sections function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an ELF file with a RELRO segment that lacks a matching LOAD segment, as demonstrated by objcopy.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7570"
},
{
"id": "CVE-2018-7642",
"summary": "The swap_std_reloc_in function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (aout_32_swap_std_reloc_out NULL pointer dereference and application crash) via a crafted ELF file, as demonstrated by objcopy.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7642"
},
{
"id": "CVE-2018-7643",
"summary": "The display_debug_ranges function in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, as demonstrated by objdump.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7643"
},
{
"id": "CVE-2018-8945",
"summary": "The bfd_section_from_shdr function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (segmentation fault) via a large attribute section.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8945"
},
{
"id": "CVE-2018-9138",
"summary": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.29 and 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_nested_args, demangle_args, do_arg, and do_type.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9138"
},
{
"id": "CVE-2018-9996",
"summary": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9996"
},
{
"id": "CVE-2019-1010204",
"summary": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010204"
},
{
"id": "CVE-2019-12972",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. There is a heap-based buffer over-read in _bfd_doprnt in bfd.c because elf_object_p in elfcode.h mishandles an e_shstrndx section of type SHT_GROUP by omitting a trailing '\\0' character.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12972"
},
{
"id": "CVE-2019-14250",
"summary": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14250"
},
{
"id": "CVE-2019-14444",
"summary": "apply_relocations in readelf.c in GNU Binutils 2.32 contains an integer overflow that allows attackers to trigger a write access violation (in byte_put_little_endian function in elfcomm.c) via an ELF file, as demonstrated by readelf.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14444"
},
{
"id": "CVE-2019-17450",
"summary": "find_abstract_instance in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17450"
},
{
"id": "CVE-2019-17451",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line in dwarf2.c, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17451"
},
{
"id": "CVE-2019-9070",
"summary": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a heap-based buffer over-read in d_expression_1 in cp-demangle.c after many recursive calls.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9070"
},
{
"id": "CVE-2019-9071",
"summary": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a stack consumption issue in d_count_templates_scopes in cp-demangle.c after many recursive calls.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9071"
},
{
"id": "CVE-2019-9072",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in setup_group in elf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9072"
},
{
"id": "CVE-2019-9073",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in _bfd_elf_slurp_version_tables in elf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9073"
},
{
"id": "CVE-2019-9074",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an out-of-bounds read leading to a SEGV in bfd_getl32 in libbfd.c, when called from pex64_get_runtime_function in pei-x86_64.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9074"
},
{
"id": "CVE-2019-9075",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9075"
},
{
"id": "CVE-2019-9076",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in elf_read_notes in elf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9076"
},
{
"id": "CVE-2019-9077",
"summary": "An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer overflow in process_mips_specific in readelf.c via a malformed MIPS option section.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9077"
},
{
"id": "CVE-2020-16590",
"summary": "A double free vulnerability exists in the Binary File Descriptor (BFD) (aka libbrd) in GNU Binutils 2.35 in the process_symbol_table, as demonstrated in readelf, via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16590"
},
{
"id": "CVE-2020-16591",
"summary": "A Denial of Service vulnerability exists in the Binary File Descriptor (BFD) in GNU Binutils 2.35 due to an invalid read in process_symbol_table, as demonstrated in readeif.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16591"
},
{
"id": "CVE-2020-16592",
"summary": "A use after free issue exists in the Binary File Descriptor (BFD) library (aka libbfd) in GNU Binutils 2.34 in bfd_hash_lookup, as demonstrated in nm-new, that can cause a denial of service via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16592"
},
{
"id": "CVE-2020-16593",
"summary": "A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in scan_unit_for_symbols, as demonstrated in addr2line, that can cause a denial of service via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16593"
},
{
"id": "CVE-2020-16599",
"summary": "A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in _bfd_elf_get_symbol_version_string, as demonstrated in nm-new, that can cause a denial of service via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16599"
},
{
"id": "CVE-2020-19724",
"summary": "A memory consumption issue in get_data function in binutils/nm.c in GNU nm before 2.34 allows attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19724"
},
{
"id": "CVE-2020-19726",
"summary": "An issue was discovered in binutils libbfd.c 2.36 relating to the auxiliary symbol data allows attackers to read or write to system memory or cause a denial of service.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19726"
},
{
"id": "CVE-2020-21490",
"summary": "An issue was discovered in GNU Binutils 2.34. It is a memory leak when process microblaze-dis.c. This one will consume memory on each insn disassembled.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-21490"
},
{
"id": "CVE-2020-35342",
"summary": "GNU Binutils before 2.34 has an uninitialized-heap vulnerability in function tic4x_print_cond (file opcodes/tic4x-dis.c) which could allow attackers to make an information leak.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35342"
},
{
"id": "CVE-2020-35448",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. A heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section in elf.c.",
"scorev2": "4.3",
"scorev3": "3.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35448"
},
{
"id": "CVE-2020-35493",
"summary": "A flaw exists in binutils in bfd/pef.c. An attacker who is able to submit a crafted PEF file to be parsed by objdump could cause a heap buffer overflow -> out-of-bounds read that could lead to an impact to application availability. This flaw affects binutils versions prior to 2.34.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35493"
},
{
"id": "CVE-2020-35494",
"summary": "There's a flaw in binutils /opcodes/tic4x-dis.c. An attacker who is able to submit a crafted input file to be processed by binutils could cause usage of uninitialized memory. The highest threat is to application availability with a lower threat to data confidentiality. This flaw affects binutils versions prior to 2.34.",
"scorev2": "5.8",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35494"
},
{
"id": "CVE-2020-35495",
"summary": "There's a flaw in binutils /bfd/pef.c. An attacker who is able to submit a crafted input file to be processed by the objdump program could cause a null pointer dereference. The greatest threat from this flaw is to application availability. This flaw affects binutils versions prior to 2.34.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35495"
},
{
"id": "CVE-2020-35496",
"summary": "There's a flaw in bfd_pef_scan_start_address() of bfd/pef.c in binutils which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability. This flaw affects binutils versions prior to 2.34.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35496"
},
{
"id": "CVE-2020-35507",
"summary": "There's a flaw in bfd_pef_parse_function_stubs of bfd/pef.c in binutils in versions prior to 2.34 which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35507"
},
{
"id": "CVE-2021-20197",
"summary": "There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink.",
"scorev2": "3.3",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20197"
},
{
"id": "CVE-2021-20284",
"summary": "A flaw was found in GNU Binutils 2.35.1, where there is a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c due to the number of symbols not calculated correctly. The highest threat from this vulnerability is to system availability.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20284"
},
{
"id": "CVE-2021-20294",
"summary": "A flaw was found in binutils readelf 2.35 program. An attacker who is able to convince a victim using readelf to read a crafted file could trigger a stack buffer overflow, out-of-bounds write of arbitrary data supplied by the attacker. The highest impact of this flaw is to confidentiality, integrity, and availability.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20294"
},
{
"id": "CVE-2021-32256",
"summary": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-32256"
},
{
"id": "CVE-2021-3530",
"summary": "A flaw was discovered in GNU libiberty within demangle_path() in rust-demangle.c, as distributed in GNU Binutils version 2.36. A crafted symbol can cause stack memory to be exhausted leading to a crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3530"
},
{
"id": "CVE-2021-3549",
"summary": "An out of bounds flaw was found in GNU binutils objdump utility version 2.36. An attacker could use this flaw and pass a large section to avr_elf32_load_records_from_section() probably resulting in a crash or in some cases memory corruption. The highest threat from this vulnerability is to integrity as well as system availability.",
"scorev2": "5.8",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3549"
},
{
"id": "CVE-2021-37322",
"summary": "GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37322"
},
{
"id": "CVE-2021-45078",
"summary": "stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45078"
},
{
"id": "CVE-2021-46174",
"summary": "Heap-based Buffer Overflow in function bfd_getl32 in Binutils objdump 3.37.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46174"
},
{
"id": "CVE-2022-35205",
"summary": "An issue was discovered in Binutils readelf 2.38.50, reachable assertion failure in function display_debug_names allows attackers to cause a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35205"
},
{
"id": "CVE-2022-35206",
"summary": "Null pointer dereference vulnerability in Binutils readelf 2.38.50 via function read_and_display_attr_value in file dwarf.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35206"
},
{
"id": "CVE-2022-38533",
"summary": "In GNU Binutils before 2.40, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-38533"
},
{
"id": "CVE-2022-4285",
"summary": "An illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4285"
},
{
"id": "CVE-2022-44840",
"summary": "Heap buffer overflow vulnerability in binutils readelf before 2.40 via function find_section_in_set in file readelf.c.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-44840"
},
{
"id": "CVE-2022-45703",
"summary": "Heap buffer overflow vulnerability in binutils readelf before 2.40 via function display_debug_section in file readelf.c.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45703"
},
{
"id": "CVE-2022-47007",
"summary": "An issue was discovered function stab_demangle_v3_arg in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47007"
},
{
"id": "CVE-2022-47008",
"summary": "An issue was discovered function make_tempdir, and make_tempname in bucomm.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47008"
},
{
"id": "CVE-2022-47010",
"summary": "An issue was discovered function pr_function_type in prdbg.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47010"
},
{
"id": "CVE-2022-47011",
"summary": "An issue was discovered function parse_stab_struct_fields in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47011"
},
{
"id": "CVE-2022-47673",
"summary": "An issue was discovered in Binutils addr2line before 2.39.3, function parse_module contains multiple out of bound reads which may cause a denial of service or other unspecified impacts.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47673"
},
{
"id": "CVE-2022-47695",
"summary": "An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function bfd_mach_o_get_synthetic_symtab in match-o.c.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47695"
},
{
"id": "CVE-2022-47696",
"summary": "An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function compare_symbols.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47696"
},
{
"id": "CVE-2022-48063",
"summary": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function load_separate_debug_files at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48063"
},
{
"id": "CVE-2022-48064",
"summary": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064"
},
{
"id": "CVE-2022-48065",
"summary": "GNU Binutils before 2.40 was discovered to contain a memory leak vulnerability var the function find_abstract_instance in dwarf2.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48065"
},
{
"id": "CVE-2023-1579",
"summary": "Heap based buffer overflow in binutils-gdb/bfd/libbfd.c in bfd_getl64.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1579"
},
{
"id": "CVE-2023-1972",
"summary": "A potential heap based buffer overflow was found in _bfd_elf_slurp_version_tables() in bfd/elf.c. This may lead to loss of availability.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1972"
},
{
"id": "CVE-2023-25584",
"summary": "An out-of-bounds read flaw was found in the parse_module function in bfd/vms-alpha.c in Binutils.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25584",
"detail": "cpe-incorrect",
"description": "Applies only for version 2.40 and earlier"
},
{
"id": "CVE-2023-25585",
"summary": "A flaw was found in Binutils. The use of an uninitialized field in the struct module *module may lead to application crash and local denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25585"
},
{
"id": "CVE-2023-25586",
"summary": "A flaw was found in Binutils. A logic fail in the bfd_init_section_decompress_status function may lead to the use of an uninitialized variable that can cause a crash and local denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25586"
},
{
"id": "CVE-2023-25588",
"summary": "A flaw was found in Binutils. The field `the_bfd` of `asymbol`struct is uninitialized in the `bfd_mach_o_get_synthetic_symtab` function, which may lead to an application crash and local denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25588"
}
]
},
{
"name": "binutils-crosssdk-x86_64-aglsdk-linux",
"layer": "meta",
"version": "2.42",
"products": [
{
"product": "binutils",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2005-4807",
"summary": "Stack-based buffer overflow in the as_bad function in messages.c in the GNU as (gas) assembler in Free Software Foundation GNU Binutils before 20050721 allows attackers to execute arbitrary code via a .c file with crafted inline assembly code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4807"
},
{
"id": "CVE-2005-4808",
"summary": "Buffer overflow in reset_vars in config/tc-crx.c in the GNU as (gas) assembler in Free Software Foundation GNU Binutils before 20050714 allows user-assisted attackers to have an unknown impact via a crafted .s file.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4808"
},
{
"id": "CVE-2006-2362",
"summary": "Buffer overflow in getsym in tekhex.c in libbfd in Free Software Foundation GNU Binutils before 20060423, as used by GNU strings, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a file with a crafted Tektronix Hex Format (TekHex) record in which the length character is not a valid hexadecimal character.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2362"
},
{
"id": "CVE-2012-3509",
"summary": "Multiple integer overflows in the (1) _objalloc_alloc function in objalloc.c and (2) objalloc_alloc macro in include/objalloc.h in GNU libiberty, as used by binutils 2.22, allow remote attackers to cause a denial of service (crash) via vectors related to the \"addition of CHUNK_HEADER_SIZE to the length,\" which triggers a heap-based buffer overflow.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3509"
},
{
"id": "CVE-2014-8484",
"summary": "The srec_scan function in bfd/srec.c in libdbfd in GNU binutils before 2.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a small S-record.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8484"
},
{
"id": "CVE-2014-8485",
"summary": "The setup_group function in bfd/elf.c in libbfd in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted section group headers in an ELF file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8485"
},
{
"id": "CVE-2014-8501",
"summary": "The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) and possibly have other unspecified impact via a crafted NumberOfRvaAndSizes field in the AOUT header in a PE executable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8501"
},
{
"id": "CVE-2014-8502",
"summary": "Heap-based buffer overflow in the pe_print_edata function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a truncated export table in a PE file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8502"
},
{
"id": "CVE-2014-8503",
"summary": "Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted ihex file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8503"
},
{
"id": "CVE-2014-8504",
"summary": "Stack-based buffer overflow in the srec_scan function in bfd/srec.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8504"
},
{
"id": "CVE-2014-8737",
"summary": "Multiple directory traversal vulnerabilities in GNU binutils 2.24 and earlier allow local users to delete arbitrary files via a .. (dot dot) or full path name in an archive to (1) strip or (2) objcopy or create arbitrary files via (3) a .. (dot dot) or full path name in an archive to ar.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8737"
},
{
"id": "CVE-2014-8738",
"summary": "The _bfd_slurp_extended_name_table function in bfd/archive.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (invalid write, segmentation fault, and crash) via a crafted extended name table in an archive.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8738"
},
{
"id": "CVE-2014-9939",
"summary": "ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing bad bytes in Intel Hex objects.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9939"
},
{
"id": "CVE-2017-12448",
"summary": "The bfd_cache_close function in bfd/cache.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a heap use after free and possibly achieve code execution via a crafted nested archive file. This issue occurs because incorrect functions are called during an attempt to release memory. The issue can be addressed by better input validation in the bfd_generic_archive_p function in bfd/archive.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12448"
},
{
"id": "CVE-2017-12449",
"summary": "The _bfd_vms_save_sized_string function in vms-misc.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12449"
},
{
"id": "CVE-2017-12450",
"summary": "The alpha_vms_object_p function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap write and possibly achieve code execution via a crafted vms alpha file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12450"
},
{
"id": "CVE-2017-12451",
"summary": "The _bfd_xcoff_read_ar_hdr function in bfd/coff-rs6000.c and bfd/coff64-rs6000.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds stack read via a crafted COFF image file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12451"
},
{
"id": "CVE-2017-12452",
"summary": "The bfd_mach_o_i386_canonicalize_one_reloc function in bfd/mach-o-i386.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted mach-o file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12452"
},
{
"id": "CVE-2017-12453",
"summary": "The _bfd_vms_slurp_eeom function in libbfd.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12453"
},
{
"id": "CVE-2017-12454",
"summary": "The _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an arbitrary memory read via a crafted vms alpha file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12454"
},
{
"id": "CVE-2017-12455",
"summary": "The evax_bfd_print_emh function in vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12455"
},
{
"id": "CVE-2017-12456",
"summary": "The read_symbol_stabs_debugging_info function in rddbg.c in GNU Binutils 2.29 and earlier allows remote attackers to cause an out of bounds heap read via a crafted binary file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12456"
},
{
"id": "CVE-2017-12457",
"summary": "The bfd_make_section_with_flags function in section.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a NULL dereference via a crafted file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12457"
},
{
"id": "CVE-2017-12458",
"summary": "The nlm_swap_auxiliary_headers_in function in bfd/nlmcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted nlm file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12458"
},
{
"id": "CVE-2017-12459",
"summary": "The bfd_mach_o_read_symtab_strtab function in bfd/mach-o.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap write and possibly achieve code execution via a crafted mach-o file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12459"
},
{
"id": "CVE-2017-12799",
"summary": "The elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12799"
},
{
"id": "CVE-2017-12967",
"summary": "The getsym function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a malformed tekhex binary.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12967"
},
{
"id": "CVE-2017-13710",
"summary": "The setup_group function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a group section that is too small.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13710"
},
{
"id": "CVE-2017-13716",
"summary": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13716"
},
{
"id": "CVE-2017-13757",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the PLT section size, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to elf_i386_get_synthetic_symtab in elf32-i386.c and elf_x86_64_get_synthetic_symtab in elf64-x86-64.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13757"
},
{
"id": "CVE-2017-14128",
"summary": "The decode_line_info function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (read_1_byte heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14128"
},
{
"id": "CVE-2017-14129",
"summary": "The read_section function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (parse_comp_unit heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14129"
},
{
"id": "CVE-2017-14130",
"summary": "The _bfd_elf_parse_attributes function in elf-attrs.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (_bfd_elf_attr_strdup heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14130"
},
{
"id": "CVE-2017-14333",
"summary": "The process_version_sections function in readelf.c in GNU Binutils 2.29 allows attackers to cause a denial of service (Integer Overflow, and hang because of a time-consuming loop) or possibly have unspecified other impact via a crafted binary file with invalid values of ent.vn_next, during \"readelf -a\" execution.",
"scorev2": "4.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14333"
},
{
"id": "CVE-2017-14529",
"summary": "The pe_print_idata function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles HintName vector entries, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted PE file, related to the bfd_getl16 function.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14529"
},
{
"id": "CVE-2017-14729",
"summary": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, do not ensure a unique PLT entry for a symbol, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14729"
},
{
"id": "CVE-2017-14745",
"summary": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1 value as a sorting count instead of an error flag, which allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14745"
},
{
"id": "CVE-2017-14930",
"summary": "Memory leak in decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14930"
},
{
"id": "CVE-2017-14932",
"summary": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14932"
},
{
"id": "CVE-2017-14933",
"summary": "read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14933"
},
{
"id": "CVE-2017-14934",
"summary": "process_debug_info in dwarf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file that contains a negative size value in a CU structure.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14934"
},
{
"id": "CVE-2017-14938",
"summary": "_bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14938"
},
{
"id": "CVE-2017-14939",
"summary": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles a length calculation, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to read_1_byte.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14939"
},
{
"id": "CVE-2017-14940",
"summary": "scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14940"
},
{
"id": "CVE-2017-14974",
"summary": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandle the failure of a certain canonicalization step, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14974"
},
{
"id": "CVE-2017-15020",
"summary": "dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles pointers, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file, related to parse_die and parse_line_table, as demonstrated by a parse_die heap-based buffer over-read.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15020"
},
{
"id": "CVE-2017-15021",
"summary": "bfd_get_debug_link_info_1 in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to bfd_getl32.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15021"
},
{
"id": "CVE-2017-15022",
"summary": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the DW_AT_name data type, which allows remote attackers to cause a denial of service (bfd_hash_hash NULL pointer dereference, or out-of-bounds access, and application crash) via a crafted ELF file, related to scan_unit_for_symbols and parse_comp_unit.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15022"
},
{
"id": "CVE-2017-15023",
"summary": "read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not properly validate the format count, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15023"
},
{
"id": "CVE-2017-15024",
"summary": "find_abstract_instance_name in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15024"
},
{
"id": "CVE-2017-15025",
"summary": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15025"
},
{
"id": "CVE-2017-15225",
"summary": "_bfd_dwarf2_cleanup_debug_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory leak) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15225"
},
{
"id": "CVE-2017-15938",
"summary": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in the case of a relocatable object file, which allows remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15938"
},
{
"id": "CVE-2017-15939",
"summary": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line file table, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. NOTE: this issue is caused by an incomplete fix for CVE-2017-15023.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15939"
},
{
"id": "CVE-2017-15996",
"summary": "elfcomm.c in readelf in GNU Binutils 2.29 allows remote attackers to cause a denial of service (excessive memory allocation) or possibly have unspecified other impact via a crafted ELF file that triggers a \"buffer overflow on fuzzed archive header,\" related to an uninitialized variable, an improper conditional jump, and the get_archive_member_name, process_archive_index_and_symbols, and setup_archive functions.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15996"
},
{
"id": "CVE-2017-16826",
"summary": "The coff_slurp_line_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted PE file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16826"
},
{
"id": "CVE-2017-16827",
"summary": "The aout_get_external_symbols function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (slurp_symtab invalid free and application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16827"
},
{
"id": "CVE-2017-16828",
"summary": "The display_debug_frames function in dwarf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (integer overflow and heap-based buffer over-read, and application crash) or possibly have unspecified other impact via a crafted ELF file, related to print_debug_frame.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16828"
},
{
"id": "CVE-2017-16829",
"summary": "The _bfd_elf_parse_gnu_properties function in elf-properties.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not prevent negative pointers, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16829"
},
{
"id": "CVE-2017-16830",
"summary": "The print_gnu_property_note function in readelf.c in GNU Binutils 2.29.1 does not have integer-overflow protection on 32-bit platforms, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16830"
},
{
"id": "CVE-2017-16831",
"summary": "coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate the symbol count, which allows remote attackers to cause a denial of service (integer overflow and application crash, or excessive memory allocation) or possibly have unspecified other impact via a crafted PE file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16831"
},
{
"id": "CVE-2017-16832",
"summary": "The pe_bfd_read_buildid function in peicode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate size and offset values in the data dictionary, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted PE file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16832"
},
{
"id": "CVE-2017-17080",
"summary": "elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate sizes of core notes, which allows remote attackers to cause a denial of service (bfd_getl32 heap-based buffer over-read and application crash) via a crafted object file, related to elfcore_grok_netbsd_procinfo, elfcore_grok_openbsd_procinfo, and elfcore_grok_nto_status.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17080"
},
{
"id": "CVE-2017-17121",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (memory access violation) or possibly have unspecified other impact via a COFF binary in which a relocation refers to a location after the end of the to-be-relocated section.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17121"
},
{
"id": "CVE-2017-17122",
"summary": "The dump_relocs_in_section function in objdump.c in GNU Binutils 2.29.1 does not check for reloc count integer overflows, which allows remote attackers to cause a denial of service (excessive memory allocation, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PE file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17122"
},
{
"id": "CVE-2017-17123",
"summary": "The coff_slurp_reloc_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted COFF based file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17123"
},
{
"id": "CVE-2017-17124",
"summary": "The _bfd_coff_read_string_table function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not properly validate the size of the external string table, which allows remote attackers to cause a denial of service (excessive memory consumption, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted COFF binary.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17124"
},
{
"id": "CVE-2017-17125",
"summary": "nm.c and objdump.c in GNU Binutils 2.29.1 mishandle certain global symbols, which allows remote attackers to cause a denial of service (_bfd_elf_get_symbol_version_string buffer over-read and application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17125"
},
{
"id": "CVE-2017-17126",
"summary": "The load_debug_section function in readelf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via an ELF file that lacks section headers.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17126"
},
{
"id": "CVE-2017-6965",
"summary": "readelf in GNU Binutils 2.28 writes to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6965"
},
{
"id": "CVE-2017-6966",
"summary": "readelf in GNU Binutils 2.28 has a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6966"
},
{
"id": "CVE-2017-6969",
"summary": "readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6969"
},
{
"id": "CVE-2017-7209",
"summary": "The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7209"
},
{
"id": "CVE-2017-7210",
"summary": "objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7210"
},
{
"id": "CVE-2017-7223",
"summary": "GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow (of size 1) while attempting to unget an EOF character from the input stream, potentially leading to a program crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7223"
},
{
"id": "CVE-2017-7224",
"summary": "The find_nearest_line function in objdump in GNU Binutils 2.28 is vulnerable to an invalid write (of size 1) while disassembling a corrupt binary that contains an empty function name, leading to a program crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7224"
},
{
"id": "CVE-2017-7225",
"summary": "The find_nearest_line function in addr2line in GNU Binutils 2.28 does not handle the case where the main file name and the directory name are both empty, triggering a NULL pointer dereference and an invalid write, and leading to a program crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7225"
},
{
"id": "CVE-2017-7226",
"summary": "The pe_ILF_object_p function in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a heap-based buffer over-read of size 4049 because it uses the strlen function instead of strnlen, leading to program crashes in several utilities such as addr2line, size, and strings. It could lead to information disclosure as well.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7226"
},
{
"id": "CVE-2017-7227",
"summary": "GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer overflow while processing a bogus input script, leading to a program crash. This relates to lack of '\\0' termination of a name field in ldlex.l.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7227"
},
{
"id": "CVE-2017-7299",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link function in bfd/elflink.c) does not check the format of the input file before trying to read the ELF reloc section header. The vulnerability leads to a GNU linker (ld) program crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7299"
},
{
"id": "CVE-2017-7300",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a heap-based buffer over-read (off-by-one) because of an incomplete check for invalid string offsets while loading symbols, leading to a GNU linker (ld) program crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7300"
},
{
"id": "CVE-2017-7301",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one vulnerability because it does not carefully check the string offset. The vulnerability could lead to a GNU linker (ld) program crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7301"
},
{
"id": "CVE-2017-7302",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid read (of size 4) because of missing checks for relocs that could not be recognised. This vulnerability causes Binutils utilities like strip to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7302"
},
{
"id": "CVE-2017-7303",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 4) because of missing a check (in the find_link function) for null headers before attempting to match them. This vulnerability causes Binutils utilities like strip to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7303"
},
{
"id": "CVE-2017-7304",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. This vulnerability causes Binutils utilities like strip to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7304"
},
{
"id": "CVE-2017-7614",
"summary": "elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a \"member access within null pointer\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an \"int main() {return 0;}\" program.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7614"
},
{
"id": "CVE-2017-8392",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8392"
},
{
"id": "CVE-2017-8393",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a global buffer over-read error because of an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy and strip, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8393"
},
{
"id": "CVE-2017-8394",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of _bfd_elf_large_com_section. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8394"
},
{
"id": "CVE-2017-8395",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8395"
},
{
"id": "CVE-2017-8396",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8396"
},
{
"id": "CVE-2017-8397",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an invalid write of size 1 during processing of a corrupt binary containing reloc(s) with negative addresses. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8397"
},
{
"id": "CVE-2017-8398",
"summary": "dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary. This vulnerability causes programs that conduct an analysis of binary programs, such as objdump and readelf, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8398"
},
{
"id": "CVE-2017-8421",
"summary": "The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file. Additional validation in dump_relocs_in_section in objdump.c can resolve this.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8421"
},
{
"id": "CVE-2017-9038",
"summary": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to the byte_get_little_endian function in elfcomm.c, the get_unwind_section_word function in readelf.c, and ARM unwind information that contains invalid word offsets.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9038"
},
{
"id": "CVE-2017-9039",
"summary": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file with many program headers, related to the get_program_headers function in readelf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9039"
},
{
"id": "CVE-2017-9040",
"summary": "GNU Binutils 2017-04-03 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash), related to the process_mips_specific function in readelf.c, via a crafted ELF file that triggers a large memory-allocation attempt.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9040"
},
{
"id": "CVE-2017-9041",
"summary": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to MIPS GOT mishandling in the process_mips_specific function in readelf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9041"
},
{
"id": "CVE-2017-9042",
"summary": "readelf.c in GNU Binutils 2017-04-12 has a \"cannot be represented in type long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9042"
},
{
"id": "CVE-2017-9043",
"summary": "readelf.c in GNU Binutils 2017-04-12 has a \"shift exponent too large for type unsigned long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9043"
},
{
"id": "CVE-2017-9044",
"summary": "The print_symbol_for_build_attribute function in readelf.c in GNU Binutils 2017-04-12 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9044"
},
{
"id": "CVE-2017-9742",
"summary": "The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9742"
},
{
"id": "CVE-2017-9743",
"summary": "The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9743"
},
{
"id": "CVE-2017-9744",
"summary": "The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9744"
},
{
"id": "CVE-2017-9745",
"summary": "The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9745"
},
{
"id": "CVE-2017-9746",
"summary": "The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9746"
},
{
"id": "CVE-2017-9747",
"summary": "The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9747"
},
{
"id": "CVE-2017-9748",
"summary": "The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9748"
},
{
"id": "CVE-2017-9749",
"summary": "The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9749"
},
{
"id": "CVE-2017-9750",
"summary": "opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain scale arrays, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9750"
},
{
"id": "CVE-2017-9751",
"summary": "opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9751"
},
{
"id": "CVE-2017-9752",
"summary": "bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file in the _bfd_vms_get_value and _bfd_vms_slurp_etir functions during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9752"
},
{
"id": "CVE-2017-9753",
"summary": "The versados_mkobject function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not initialize a certain data structure, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9753"
},
{
"id": "CVE-2017-9754",
"summary": "The process_otr function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not validate a certain offset, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9754"
},
{
"id": "CVE-2017-9755",
"summary": "opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9755"
},
{
"id": "CVE-2017-9756",
"summary": "The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9756"
},
{
"id": "CVE-2017-9954",
"summary": "The getvalue function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted tekhex file, as demonstrated by mishandling within the nm program.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9954"
},
{
"id": "CVE-2017-9955",
"summary": "The get_build_id function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file in which a certain size field is larger than a corresponding data field, as demonstrated by mishandling within the objdump program.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9955"
},
{
"id": "CVE-2018-1000876",
"summary": "binutils version 2.32 and earlier contains a Integer Overflow vulnerability in objdump, bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc that can result in Integer overflow trigger heap overflow. Successful exploitation allows execution of arbitrary code.. This attack appear to be exploitable via Local. This vulnerability appears to have been fixed in after commit 3a551c7a1b80fca579461774860574eabfd7f18f.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000876"
},
{
"id": "CVE-2018-10372",
"summary": "process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted binary file, as demonstrated by readelf.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10372"
},
{
"id": "CVE-2018-10373",
"summary": "concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by nm-new.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10373"
},
{
"id": "CVE-2018-10534",
"summary": "The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, processes a negative Data Directory size with an unbounded loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceeds its own memory region, resulting in an out-of-bounds memory write, as demonstrated by objcopy copying private info with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10534"
},
{
"id": "CVE-2018-10535",
"summary": "The ignore_section_sym function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, does not validate the output_section pointer in the case of a symtab entry with a \"SECTION\" type that has a \"0\" value, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file, as demonstrated by objcopy.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10535"
},
{
"id": "CVE-2018-12641",
"summary": "An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type, do_type, do_arg, demangle_args, and demangle_nested_args. This can occur during execution of nm-new.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12641"
},
{
"id": "CVE-2018-12697",
"summary": "A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12697"
},
{
"id": "CVE-2018-12698",
"summary": "demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the \"Create an array for saving the template argument values\" XNEWVEC call. This can occur during execution of objdump.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12698"
},
{
"id": "CVE-2018-12699",
"summary": "finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12699"
},
{
"id": "CVE-2018-12934",
"summary": "remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM). This can occur during execution of cxxfilt.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12934"
},
{
"id": "CVE-2018-13033",
"summary": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file, as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c. This can occur during execution of nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13033"
},
{
"id": "CVE-2018-17358",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in _bfd_stab_section_find_nearest_line in syms.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17358"
},
{
"id": "CVE-2018-17359",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in bfd_zalloc in opncls.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17359"
},
{
"id": "CVE-2018-17360",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. a heap-based buffer over-read in bfd_getl32 in libbfd.c allows an attacker to cause a denial of service through a crafted PE file. This vulnerability can be triggered by the executable objdump.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17360"
},
{
"id": "CVE-2018-17794",
"summary": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in work_stuff_copy_to_from when called from iterate_demangle_function.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17794"
},
{
"id": "CVE-2018-17985",
"summary": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption problem caused by the cplus_demangle_type function making recursive calls to itself in certain scenarios involving many 'P' characters.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17985"
},
{
"id": "CVE-2018-18309",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory address dereference was discovered in read_reloc in reloc.c. The vulnerability causes a segmentation fault and application crash, which leads to denial of service, as demonstrated by objdump, because of missing _bfd_clear_contents bounds checking.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18309"
},
{
"id": "CVE-2018-18483",
"summary": "The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote attackers to cause a denial of service (malloc called with the result of an integer-overflowing calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by c++filt.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18483"
},
{
"id": "CVE-2018-18484",
"summary": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18484"
},
{
"id": "CVE-2018-18605",
"summary": "A heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, because _bfd_add_merge_section mishandles section merges when size is not a multiple of entsize. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18605"
},
{
"id": "CVE-2018-18606",
"summary": "An issue was discovered in the merge_strings function in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18606"
},
{
"id": "CVE-2018-18607",
"summary": "An issue was discovered in elf_link_input_bfd in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18607"
},
{
"id": "CVE-2018-18700",
"summary": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions d_name(), d_encoding(), and d_local_name() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18700"
},
{
"id": "CVE-2018-18701",
"summary": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions next_is_type_qual() and cplus_demangle_type() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18701"
},
{
"id": "CVE-2018-19931",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h because the number of program headers is not restricted.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19931"
},
{
"id": "CVE-2018-19932",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA macro in elf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19932"
},
{
"id": "CVE-2018-20002",
"summary": "The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a denial of service (memory consumption), as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20002"
},
{
"id": "CVE-2018-20623",
"summary": "In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20623"
},
{
"id": "CVE-2018-20651",
"summary": "A NULL pointer dereference was discovered in elf_link_add_object_symbols in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31.1. This occurs for a crafted ET_DYN with no program headers. A specially crafted ELF file allows remote attackers to cause a denial of service, as demonstrated by ld.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20651"
},
{
"id": "CVE-2018-20657",
"summary": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20657"
},
{
"id": "CVE-2018-20671",
"summary": "load_specific_debug_section in objdump.c in GNU Binutils through 2.31.1 contains an integer overflow vulnerability that can trigger a heap-based buffer overflow via a crafted section size.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20671"
},
{
"id": "CVE-2018-20673",
"summary": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20673"
},
{
"id": "CVE-2018-20712",
"summary": "A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20712"
},
{
"id": "CVE-2018-6323",
"summary": "The elf_object_p function in elfcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, has an unsigned integer overflow because bfd_size_type multiplication is not used. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6323"
},
{
"id": "CVE-2018-6543",
"summary": "In GNU Binutils 2.30, there's an integer overflow in the function load_specific_debug_section() in objdump.c, which results in `malloc()` with 0 size. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6543"
},
{
"id": "CVE-2018-6759",
"summary": "The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation. Remote attackers could leverage this vulnerability to cause a denial of service (segmentation fault) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6759"
},
{
"id": "CVE-2018-6872",
"summary": "The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (out-of-bounds read and segmentation violation) via a note with a large alignment.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6872"
},
{
"id": "CVE-2018-7208",
"summary": "In the coff_pointerize_aux function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, an index is not validated, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted file, as demonstrated by objcopy of a COFF object.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7208"
},
{
"id": "CVE-2018-7568",
"summary": "The parse_die function in dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (integer overflow and application crash) via an ELF file with corrupt dwarf1 debug information, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7568"
},
{
"id": "CVE-2018-7569",
"summary": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (integer underflow or overflow, and application crash) via an ELF file with a corrupt DWARF FORM block, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7569"
},
{
"id": "CVE-2018-7570",
"summary": "The assign_file_positions_for_non_load_sections function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an ELF file with a RELRO segment that lacks a matching LOAD segment, as demonstrated by objcopy.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7570"
},
{
"id": "CVE-2018-7642",
"summary": "The swap_std_reloc_in function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (aout_32_swap_std_reloc_out NULL pointer dereference and application crash) via a crafted ELF file, as demonstrated by objcopy.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7642"
},
{
"id": "CVE-2018-7643",
"summary": "The display_debug_ranges function in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, as demonstrated by objdump.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7643"
},
{
"id": "CVE-2018-8945",
"summary": "The bfd_section_from_shdr function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (segmentation fault) via a large attribute section.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8945"
},
{
"id": "CVE-2018-9138",
"summary": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.29 and 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_nested_args, demangle_args, do_arg, and do_type.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9138"
},
{
"id": "CVE-2018-9996",
"summary": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9996"
},
{
"id": "CVE-2019-1010204",
"summary": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010204"
},
{
"id": "CVE-2019-12972",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. There is a heap-based buffer over-read in _bfd_doprnt in bfd.c because elf_object_p in elfcode.h mishandles an e_shstrndx section of type SHT_GROUP by omitting a trailing '\\0' character.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12972"
},
{
"id": "CVE-2019-14250",
"summary": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14250"
},
{
"id": "CVE-2019-14444",
"summary": "apply_relocations in readelf.c in GNU Binutils 2.32 contains an integer overflow that allows attackers to trigger a write access violation (in byte_put_little_endian function in elfcomm.c) via an ELF file, as demonstrated by readelf.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14444"
},
{
"id": "CVE-2019-17450",
"summary": "find_abstract_instance in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17450"
},
{
"id": "CVE-2019-17451",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line in dwarf2.c, as demonstrated by nm.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17451"
},
{
"id": "CVE-2019-9070",
"summary": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a heap-based buffer over-read in d_expression_1 in cp-demangle.c after many recursive calls.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9070"
},
{
"id": "CVE-2019-9071",
"summary": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a stack consumption issue in d_count_templates_scopes in cp-demangle.c after many recursive calls.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9071"
},
{
"id": "CVE-2019-9072",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in setup_group in elf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9072"
},
{
"id": "CVE-2019-9073",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in _bfd_elf_slurp_version_tables in elf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9073"
},
{
"id": "CVE-2019-9074",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an out-of-bounds read leading to a SEGV in bfd_getl32 in libbfd.c, when called from pex64_get_runtime_function in pei-x86_64.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9074"
},
{
"id": "CVE-2019-9075",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9075"
},
{
"id": "CVE-2019-9076",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in elf_read_notes in elf.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9076"
},
{
"id": "CVE-2019-9077",
"summary": "An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer overflow in process_mips_specific in readelf.c via a malformed MIPS option section.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9077"
},
{
"id": "CVE-2020-16590",
"summary": "A double free vulnerability exists in the Binary File Descriptor (BFD) (aka libbrd) in GNU Binutils 2.35 in the process_symbol_table, as demonstrated in readelf, via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16590"
},
{
"id": "CVE-2020-16591",
"summary": "A Denial of Service vulnerability exists in the Binary File Descriptor (BFD) in GNU Binutils 2.35 due to an invalid read in process_symbol_table, as demonstrated in readeif.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16591"
},
{
"id": "CVE-2020-16592",
"summary": "A use after free issue exists in the Binary File Descriptor (BFD) library (aka libbfd) in GNU Binutils 2.34 in bfd_hash_lookup, as demonstrated in nm-new, that can cause a denial of service via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16592"
},
{
"id": "CVE-2020-16593",
"summary": "A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in scan_unit_for_symbols, as demonstrated in addr2line, that can cause a denial of service via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16593"
},
{
"id": "CVE-2020-16599",
"summary": "A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in _bfd_elf_get_symbol_version_string, as demonstrated in nm-new, that can cause a denial of service via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16599"
},
{
"id": "CVE-2020-19724",
"summary": "A memory consumption issue in get_data function in binutils/nm.c in GNU nm before 2.34 allows attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19724"
},
{
"id": "CVE-2020-19726",
"summary": "An issue was discovered in binutils libbfd.c 2.36 relating to the auxiliary symbol data allows attackers to read or write to system memory or cause a denial of service.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19726"
},
{
"id": "CVE-2020-21490",
"summary": "An issue was discovered in GNU Binutils 2.34. It is a memory leak when process microblaze-dis.c. This one will consume memory on each insn disassembled.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-21490"
},
{
"id": "CVE-2020-35342",
"summary": "GNU Binutils before 2.34 has an uninitialized-heap vulnerability in function tic4x_print_cond (file opcodes/tic4x-dis.c) which could allow attackers to make an information leak.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35342"
},
{
"id": "CVE-2020-35448",
"summary": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. A heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section in elf.c.",
"scorev2": "4.3",
"scorev3": "3.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35448"
},
{
"id": "CVE-2020-35493",
"summary": "A flaw exists in binutils in bfd/pef.c. An attacker who is able to submit a crafted PEF file to be parsed by objdump could cause a heap buffer overflow -> out-of-bounds read that could lead to an impact to application availability. This flaw affects binutils versions prior to 2.34.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35493"
},
{
"id": "CVE-2020-35494",
"summary": "There's a flaw in binutils /opcodes/tic4x-dis.c. An attacker who is able to submit a crafted input file to be processed by binutils could cause usage of uninitialized memory. The highest threat is to application availability with a lower threat to data confidentiality. This flaw affects binutils versions prior to 2.34.",
"scorev2": "5.8",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35494"
},
{
"id": "CVE-2020-35495",
"summary": "There's a flaw in binutils /bfd/pef.c. An attacker who is able to submit a crafted input file to be processed by the objdump program could cause a null pointer dereference. The greatest threat from this flaw is to application availability. This flaw affects binutils versions prior to 2.34.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35495"
},
{
"id": "CVE-2020-35496",
"summary": "There's a flaw in bfd_pef_scan_start_address() of bfd/pef.c in binutils which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability. This flaw affects binutils versions prior to 2.34.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35496"
},
{
"id": "CVE-2020-35507",
"summary": "There's a flaw in bfd_pef_parse_function_stubs of bfd/pef.c in binutils in versions prior to 2.34 which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35507"
},
{
"id": "CVE-2021-20197",
"summary": "There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink.",
"scorev2": "3.3",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20197"
},
{
"id": "CVE-2021-20284",
"summary": "A flaw was found in GNU Binutils 2.35.1, where there is a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c due to the number of symbols not calculated correctly. The highest threat from this vulnerability is to system availability.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20284"
},
{
"id": "CVE-2021-20294",
"summary": "A flaw was found in binutils readelf 2.35 program. An attacker who is able to convince a victim using readelf to read a crafted file could trigger a stack buffer overflow, out-of-bounds write of arbitrary data supplied by the attacker. The highest impact of this flaw is to confidentiality, integrity, and availability.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20294"
},
{
"id": "CVE-2021-32256",
"summary": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-32256"
},
{
"id": "CVE-2021-3530",
"summary": "A flaw was discovered in GNU libiberty within demangle_path() in rust-demangle.c, as distributed in GNU Binutils version 2.36. A crafted symbol can cause stack memory to be exhausted leading to a crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3530"
},
{
"id": "CVE-2021-3549",
"summary": "An out of bounds flaw was found in GNU binutils objdump utility version 2.36. An attacker could use this flaw and pass a large section to avr_elf32_load_records_from_section() probably resulting in a crash or in some cases memory corruption. The highest threat from this vulnerability is to integrity as well as system availability.",
"scorev2": "5.8",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3549"
},
{
"id": "CVE-2021-37322",
"summary": "GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37322"
},
{
"id": "CVE-2021-45078",
"summary": "stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45078"
},
{
"id": "CVE-2021-46174",
"summary": "Heap-based Buffer Overflow in function bfd_getl32 in Binutils objdump 3.37.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46174"
},
{
"id": "CVE-2022-35205",
"summary": "An issue was discovered in Binutils readelf 2.38.50, reachable assertion failure in function display_debug_names allows attackers to cause a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35205"
},
{
"id": "CVE-2022-35206",
"summary": "Null pointer dereference vulnerability in Binutils readelf 2.38.50 via function read_and_display_attr_value in file dwarf.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35206"
},
{
"id": "CVE-2022-38533",
"summary": "In GNU Binutils before 2.40, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-38533"
},
{
"id": "CVE-2022-4285",
"summary": "An illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4285"
},
{
"id": "CVE-2022-44840",
"summary": "Heap buffer overflow vulnerability in binutils readelf before 2.40 via function find_section_in_set in file readelf.c.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-44840"
},
{
"id": "CVE-2022-45703",
"summary": "Heap buffer overflow vulnerability in binutils readelf before 2.40 via function display_debug_section in file readelf.c.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45703"
},
{
"id": "CVE-2022-47007",
"summary": "An issue was discovered function stab_demangle_v3_arg in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47007"
},
{
"id": "CVE-2022-47008",
"summary": "An issue was discovered function make_tempdir, and make_tempname in bucomm.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47008"
},
{
"id": "CVE-2022-47010",
"summary": "An issue was discovered function pr_function_type in prdbg.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47010"
},
{
"id": "CVE-2022-47011",
"summary": "An issue was discovered function parse_stab_struct_fields in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47011"
},
{
"id": "CVE-2022-47673",
"summary": "An issue was discovered in Binutils addr2line before 2.39.3, function parse_module contains multiple out of bound reads which may cause a denial of service or other unspecified impacts.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47673"
},
{
"id": "CVE-2022-47695",
"summary": "An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function bfd_mach_o_get_synthetic_symtab in match-o.c.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47695"
},
{
"id": "CVE-2022-47696",
"summary": "An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function compare_symbols.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47696"
},
{
"id": "CVE-2022-48063",
"summary": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function load_separate_debug_files at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48063"
},
{
"id": "CVE-2022-48064",
"summary": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064"
},
{
"id": "CVE-2022-48065",
"summary": "GNU Binutils before 2.40 was discovered to contain a memory leak vulnerability var the function find_abstract_instance in dwarf2.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48065"
},
{
"id": "CVE-2023-1579",
"summary": "Heap based buffer overflow in binutils-gdb/bfd/libbfd.c in bfd_getl64.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1579"
},
{
"id": "CVE-2023-1972",
"summary": "A potential heap based buffer overflow was found in _bfd_elf_slurp_version_tables() in bfd/elf.c. This may lead to loss of availability.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1972"
},
{
"id": "CVE-2023-25584",
"summary": "An out-of-bounds read flaw was found in the parse_module function in bfd/vms-alpha.c in Binutils.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25584",
"detail": "cpe-incorrect",
"description": "Applies only for version 2.40 and earlier"
},
{
"id": "CVE-2023-25585",
"summary": "A flaw was found in Binutils. The use of an uninitialized field in the struct module *module may lead to application crash and local denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25585"
},
{
"id": "CVE-2023-25586",
"summary": "A flaw was found in Binutils. A logic fail in the bfd_init_section_decompress_status function may lead to the use of an uninitialized variable that can cause a crash and local denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25586"
},
{
"id": "CVE-2023-25588",
"summary": "A flaw was found in Binutils. The field `the_bfd` of `asymbol`struct is uninitialized in the `bfd_mach_o_get_synthetic_symtab` function, which may lead to an application crash and local denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25588"
}
]
},
{
"name": "bison",
"layer": "meta",
"version": "3.8.2",
"products": [
{
"product": "bison",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2020-14150",
"summary": "GNU Bison before 3.5.4 allows attackers to cause a denial of service (application crash). NOTE: there is a risk only if Bison is used with untrusted input, and an observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug reports were intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated by Bison.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14150"
},
{
"id": "CVE-2020-24240",
"summary": "GNU Bison before 3.7.1 has a use-after-free in _obstack_free in lib/obstack.c (called from gram_lex) when a '\\0' byte is encountered. NOTE: there is a risk only if Bison is used with untrusted input, and the observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug report was intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated by Bison.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24240"
}
]
},
{
"name": "bison-native",
"layer": "meta",
"version": "3.8.2",
"products": [
{
"product": "bison",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2020-14150",
"summary": "GNU Bison before 3.5.4 allows attackers to cause a denial of service (application crash). NOTE: there is a risk only if Bison is used with untrusted input, and an observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug reports were intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated by Bison.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14150"
},
{
"id": "CVE-2020-24240",
"summary": "GNU Bison before 3.7.1 has a use-after-free in _obstack_free in lib/obstack.c (called from gram_lex) when a '\\0' byte is encountered. NOTE: there is a risk only if Bison is used with untrusted input, and the observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug report was intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated by Bison.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24240"
}
]
},
{
"name": "blktrace",
"layer": "meta",
"version": "1.3.0+git",
"products": [
{
"product": "blktrace",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2018-10689",
"summary": "blktrace (aka Block IO Tracing) 1.2.0, as used with the Linux kernel and Android, has a buffer overflow in the dev_map_read function in btt/devmap.c because the device and devno arrays are too small, as demonstrated by an invalid free when using the btt program with a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10689"
}
]
},
{
"name": "bluez-glib",
"layer": "meta-agl-demo",
"version": "1.0+git",
"products": [
{
"product": "bluez-glib",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "bluez5",
"layer": "meta",
"version": "5.72",
"products": [
{
"product": "bluez",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2005-2547",
"summary": "security.c in hcid for BlueZ 2.16, 2.17, and 2.18 allows remote attackers to execute arbitrary commands via shell metacharacters in the Bluetooth device name when invoking the PIN helper.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2547"
},
{
"id": "CVE-2006-6899",
"summary": "hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obtain control of the (1) Mouse and (2) Keyboard Human Interface Device (HID) via a certain configuration of two HID (PSM) endpoints, operating as a server, aka HidAttack.",
"scorev2": "5.4",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6899"
},
{
"id": "CVE-2016-7837",
"summary": "Buffer overflow in BlueZ 5.41 and earlier allows an attacker to execute arbitrary code via the parse_line function used in some userland utilities.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7837"
},
{
"id": "CVE-2016-9797",
"summary": "In BlueZ 5.42, a buffer over-read was observed in \"l2cap_dump\" function in \"tools/parser/l2cap.c\" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9797"
},
{
"id": "CVE-2016-9798",
"summary": "In BlueZ 5.42, a use-after-free was identified in \"conf_opt\" function in \"tools/parser/l2cap.c\" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9798"
},
{
"id": "CVE-2016-9799",
"summary": "In BlueZ 5.42, a buffer overflow was observed in \"pklg_read_hci\" function in \"btsnoop.c\" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9799"
},
{
"id": "CVE-2016-9800",
"summary": "In BlueZ 5.42, a buffer overflow was observed in \"pin_code_reply_dump\" function in \"tools/parser/hci.c\" source file. The issue exists because \"pin\" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame \"pin_code_reply_cp *cp\" parameter.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9800"
},
{
"id": "CVE-2016-9801",
"summary": "In BlueZ 5.42, a buffer overflow was observed in \"set_ext_ctrl\" function in \"tools/parser/l2cap.c\" source file when processing corrupted dump file.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9801"
},
{
"id": "CVE-2016-9802",
"summary": "In BlueZ 5.42, a buffer over-read was identified in \"l2cap_packet\" function in \"monitor/packet.c\" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9802"
},
{
"id": "CVE-2016-9803",
"summary": "In BlueZ 5.42, an out-of-bounds read was observed in \"le_meta_ev_dump\" function in \"tools/parser/hci.c\" source file. This issue exists because 'subevent' (which is used to read correct element from 'ev_le_meta_str' array) is overflowed.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9803"
},
{
"id": "CVE-2016-9804",
"summary": "In BlueZ 5.42, a buffer overflow was observed in \"commands_dump\" function in \"tools/parser/csr.c\" source file. The issue exists because \"commands\" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame \"frm->ptr\" parameter. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9804"
},
{
"id": "CVE-2016-9917",
"summary": "In BlueZ 5.42, a buffer overflow was observed in \"read_n\" function in \"tools/hcidump.c\" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9917"
},
{
"id": "CVE-2016-9918",
"summary": "In BlueZ 5.42, an out-of-bounds read was identified in \"packet_hexdump\" function in \"monitor/packet.c\" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9918"
},
{
"id": "CVE-2017-1000250",
"summary": "All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.",
"scorev2": "3.3",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000250"
},
{
"id": "CVE-2018-10910",
"summary": "A bug in Bluez may allow for the Bluetooth Discoverable state being set to on when no Bluetooth agent is registered with the system. This situation could lead to the unauthorized pairing of certain Bluetooth devices without any form of authentication. Versions before bluez 5.51 are vulnerable.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10910"
},
{
"id": "CVE-2019-8921",
"summary": "An issue was discovered in bluetoothd in BlueZ through 5.48. The vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data. The root cause can be found in the function service_attr_req of sdpd-request.c. The server does not check whether the CSTATE data is the same in consecutive requests, and instead simply trusts that it is the same.",
"scorev2": "3.3",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8921"
},
{
"id": "CVE-2019-8922",
"summary": "A heap-based buffer overflow was discovered in bluetoothd in BlueZ through 5.48. There isn't any check on whether there is enough space in the destination buffer. The function simply appends all data passed to it. The values of all attributes that are requested are appended to the output buffer. There are no size checks whatsoever, resulting in a simple heap overflow if one can craft a request where the response is large enough to overflow the preallocated buffer. This issue exists in service_attr_req gets called by process_request (in sdpd-request.c), which also allocates the response buffer.",
"scorev2": "5.8",
"scorev3": "8.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8922"
},
{
"id": "CVE-2020-0556",
"summary": "Improper access control in subsystem for BlueZ before version 5.54 may allow an unauthenticated user to potentially enable escalation of privilege and denial of service via adjacent access",
"scorev2": "5.8",
"scorev3": "7.1",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0556"
},
{
"id": "CVE-2020-24490",
"summary": "Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. This affects all Linux kernel versions that support BlueZ.",
"scorev2": "3.3",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24490",
"detail": "cpe-incorrect",
"description": "This issue has kernel fixes rather than bluez fixes"
},
{
"id": "CVE-2020-27153",
"summary": "In BlueZ before 5.55, a double free was found in the gatttool disconnect_cb() routine from shared/att.c. A remote attacker could potentially cause a denial of service or code execution, during service discovery, due to a redundant disconnect MGMT event.",
"scorev2": "7.5",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27153"
},
{
"id": "CVE-2021-0129",
"summary": "Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-0129"
},
{
"id": "CVE-2021-3588",
"summary": "The cli_feat_read_cb() function in src/gatt-database.c does not perform bounds checks on the 'offset' variable before using it as an index into an array for reading.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3588"
},
{
"id": "CVE-2021-3658",
"summary": "bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discoverable when powered on again. This could lead to inadvertent exposure of the bluetooth stack to physically nearby attackers.",
"scorev2": "3.3",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3658"
},
{
"id": "CVE-2021-41229",
"summary": "BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash.",
"scorev2": "3.3",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41229"
},
{
"id": "CVE-2021-43400",
"summary": "An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client disconnects during D-Bus processing of a WriteValue call.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43400"
},
{
"id": "CVE-2022-0204",
"summary": "A heap overflow vulnerability was found in bluez in versions prior to 5.63. An attacker with local network access could pass specially crafted files causing an application to halt or crash, leading to a denial of service.",
"scorev2": "5.8",
"scorev3": "8.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0204"
},
{
"id": "CVE-2022-3563",
"summary": "A vulnerability classified as problematic has been found in Linux Kernel. Affected is the function read_50_controller_cap_complete of the file tools/mgmt-tester.c of the component BlueZ. The manipulation of the argument cap_len leads to null pointer dereference. It is recommended to apply a patch to fix this issue. VDB-211086 is the identifier assigned to this vulnerability.",
"scorev2": "0.0",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3563"
},
{
"id": "CVE-2022-3637",
"summary": "A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function jlink_init of the file monitor/jlink.c of the component BlueZ. The manipulation leads to denial of service. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211936.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3637"
},
{
"id": "CVE-2022-39176",
"summary": "BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-39176"
},
{
"id": "CVE-2022-39177",
"summary": "BlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and invalid capabilities can be processed in profiles/audio/avdtp.c.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-39177"
}
]
},
{
"name": "boost",
"layer": "meta",
"version": "1.84.0",
"products": [
{
"product": "boost",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2008-0171",
"summary": "regex/v4/perl_matcher_non_recursive.hpp in the Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (failed assertion and crash) via an invalid regular expression.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0171"
},
{
"id": "CVE-2008-0172",
"summary": "The get_repeat_type function in basic_regex_creator.hpp in the Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (NULL dereference and crash) via an invalid regular expression.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0172"
},
{
"id": "CVE-2013-0252",
"summary": "boost::locale::utf::utf_traits in the Boost.Locale library in Boost 1.48 through 1.52 does not properly detect certain invalid UTF-8 sequences, which might allow remote attackers to bypass input validation protection mechanisms via crafted trailing bytes.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0252"
}
]
},
{
"name": "boost-build-native",
"layer": "meta",
"version": "1_1.84.0",
"products": [
{
"product": "boost-build",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "btrfs-tools",
"layer": "meta",
"version": "6.7.1",
"products": [
{
"product": "btrfs-tools",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "busybox",
"layer": "meta",
"version": "1.36.1",
"products": [
{
"product": "busybox",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2006-1058",
"summary": "BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1058"
},
{
"id": "CVE-2006-5050",
"summary": "Directory traversal vulnerability in httpd in Rob Landley BusyBox allows remote attackers to read arbitrary files via URL-encoded \"%2e%2e/\" sequences in the URI.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5050"
},
{
"id": "CVE-2011-2716",
"summary": "The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2716"
},
{
"id": "CVE-2011-5325",
"summary": "Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-5325"
},
{
"id": "CVE-2013-1813",
"summary": "util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1813"
},
{
"id": "CVE-2014-9645",
"summary": "The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an \"ifconfig /usbserial up\" command or a \"mount -t /snd_pcm none /\" command.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9645"
},
{
"id": "CVE-2015-9261",
"summary": "huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9261"
},
{
"id": "CVE-2016-2147",
"summary": "Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2147"
},
{
"id": "CVE-2016-2148",
"summary": "Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2148"
},
{
"id": "CVE-2016-6301",
"summary": "The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6301"
},
{
"id": "CVE-2017-15873",
"summary": "The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15873"
},
{
"id": "CVE-2017-15874",
"summary": "archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integer Underflow that leads to a read access violation.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15874"
},
{
"id": "CVE-2017-16544",
"summary": "In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.",
"scorev2": "6.5",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16544"
},
{
"id": "CVE-2018-1000500",
"summary": "Busybox contains a Missing SSL certificate validation vulnerability in The \"busybox wget\" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using \"busybox wget https://compromised-domain.com/important-file\".",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000500"
},
{
"id": "CVE-2018-1000517",
"summary": "BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000517"
},
{
"id": "CVE-2018-20679",
"summary": "An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20679"
},
{
"id": "CVE-2019-5747",
"summary": "An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5747"
},
{
"id": "CVE-2021-28831",
"summary": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28831"
},
{
"id": "CVE-2021-42373",
"summary": "A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is supplied but no page argument is given",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42373"
},
{
"id": "CVE-2021-42374",
"summary": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that",
"scorev2": "3.3",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42374"
},
{
"id": "CVE-2021-42375",
"summary": "An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42375"
},
{
"id": "CVE-2021-42376",
"summary": "A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \\x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42376"
},
{
"id": "CVE-2021-42377",
"summary": "An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.",
"scorev2": "6.8",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42377"
},
{
"id": "CVE-2021-42378",
"summary": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function",
"scorev2": "6.5",
"scorev3": "7.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42378"
},
{
"id": "CVE-2021-42379",
"summary": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function",
"scorev2": "6.5",
"scorev3": "7.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42379"
},
{
"id": "CVE-2021-42380",
"summary": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function",
"scorev2": "6.5",
"scorev3": "7.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42380"
},
{
"id": "CVE-2021-42381",
"summary": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function",
"scorev2": "6.5",
"scorev3": "7.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42381"
},
{
"id": "CVE-2021-42382",
"summary": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function",
"scorev2": "6.5",
"scorev3": "7.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42382"
},
{
"id": "CVE-2021-42383",
"summary": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function",
"scorev2": "6.5",
"scorev3": "7.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42383"
},
{
"id": "CVE-2021-42384",
"summary": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function",
"scorev2": "6.5",
"scorev3": "7.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42384"
},
{
"id": "CVE-2021-42385",
"summary": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function",
"scorev2": "6.5",
"scorev3": "7.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42385"
},
{
"id": "CVE-2021-42386",
"summary": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function",
"scorev2": "6.5",
"scorev3": "7.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42386"
},
{
"id": "CVE-2022-28391",
"summary": "BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-28391"
},
{
"id": "CVE-2022-30065",
"summary": "A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-30065"
},
{
"id": "CVE-2022-48174",
"summary": "There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48174"
},
{
"id": "CVE-2023-39810",
"summary": "An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39810"
},
{
"id": "CVE-2023-42363",
"summary": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-42363"
},
{
"id": "CVE-2023-42364",
"summary": "A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-42364"
},
{
"id": "CVE-2023-42365",
"summary": "A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-42365"
},
{
"id": "CVE-2023-42366",
"summary": "A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-42366"
}
]
},
{
"name": "bzip2",
"layer": "meta",
"version": "1.0.8",
"products": [
{
"product": "bzip2",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2002-0759",
"summary": "bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and 3.1.1, and possibly other operating systems, does not use the O_EXCL flag to create files during decompression and does not warn the user if an existing file would be overwritten, which could allow attackers to overwrite files via a bzip2 archive.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0759"
},
{
"id": "CVE-2002-0760",
"summary": "Race condition in bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and 3.1.1, and possibly other operating systems, decompresses files with world-readable permissions before setting the permissions to what is specified in the bzip2 archive, which could allow local users to read the files as they are being decompressed.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0760"
},
{
"id": "CVE-2002-0761",
"summary": "bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and 3.1.1, and possibly systems, uses the permissions of symbolic links instead of the actual files when creating an archive, which could cause the files to be extracted with less restrictive permissions than intended.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0761"
},
{
"id": "CVE-2005-0953",
"summary": "Race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0953"
},
{
"id": "CVE-2005-1260",
"summary": "bzip2 allows remote attackers to cause a denial of service (hard drive consumption) via a crafted bzip2 file that causes an infinite loop (a.k.a \"decompression bomb\").",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1260"
},
{
"id": "CVE-2008-1372",
"summary": "bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite for Archive Formats.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1372"
},
{
"id": "CVE-2010-0405",
"summary": "Integer overflow in the BZ2_decompress function in decompress.c in bzip2 and libbzip2 before 1.0.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted compressed file.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0405"
},
{
"id": "CVE-2011-4089",
"summary": "The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4089"
},
{
"id": "CVE-2016-3189",
"summary": "Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3189"
},
{
"id": "CVE-2019-12900",
"summary": "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12900"
},
{
"id": "CVE-2023-22895",
"summary": "The bzip2 crate before 0.4.4 for Rust allow attackers to cause a denial of service via a large file that triggers an integer overflow in mem.rs. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-22895"
}
]
},
{
"name": "bzip2-native",
"layer": "meta",
"version": "1.0.8",
"products": [
{
"product": "bzip2",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2002-0759",
"summary": "bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and 3.1.1, and possibly other operating systems, does not use the O_EXCL flag to create files during decompression and does not warn the user if an existing file would be overwritten, which could allow attackers to overwrite files via a bzip2 archive.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0759"
},
{
"id": "CVE-2002-0760",
"summary": "Race condition in bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and 3.1.1, and possibly other operating systems, decompresses files with world-readable permissions before setting the permissions to what is specified in the bzip2 archive, which could allow local users to read the files as they are being decompressed.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0760"
},
{
"id": "CVE-2002-0761",
"summary": "bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and 3.1.1, and possibly systems, uses the permissions of symbolic links instead of the actual files when creating an archive, which could cause the files to be extracted with less restrictive permissions than intended.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0761"
},
{
"id": "CVE-2005-0953",
"summary": "Race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0953"
},
{
"id": "CVE-2005-1260",
"summary": "bzip2 allows remote attackers to cause a denial of service (hard drive consumption) via a crafted bzip2 file that causes an infinite loop (a.k.a \"decompression bomb\").",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1260"
},
{
"id": "CVE-2008-1372",
"summary": "bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite for Archive Formats.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1372"
},
{
"id": "CVE-2010-0405",
"summary": "Integer overflow in the BZ2_decompress function in decompress.c in bzip2 and libbzip2 before 1.0.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted compressed file.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0405"
},
{
"id": "CVE-2011-4089",
"summary": "The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4089"
},
{
"id": "CVE-2016-3189",
"summary": "Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3189"
},
{
"id": "CVE-2019-12900",
"summary": "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12900"
},
{
"id": "CVE-2023-22895",
"summary": "The bzip2 crate before 0.4.4 for Rust allow attackers to cause a denial of service via a large file that triggers an integer overflow in mem.rs. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-22895"
}
]
},
{
"name": "c-ares",
"layer": "meta-oe",
"version": "1.27.0",
"products": [
{
"product": "c-ares",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-3152",
"summary": "c-ares before 1.4.0 uses a predictable seed for the random number generator for the DNS Transaction ID field, which might allow remote attackers to spoof DNS responses by guessing the field value.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3152"
},
{
"id": "CVE-2007-3153",
"summary": "The ares_init:randomize_key function in c-ares, on platforms other than Windows, uses a weak facility for producing a random number sequence (Unix rand), which makes it easier for remote attackers to spoof DNS responses by guessing certain values.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3153"
},
{
"id": "CVE-2016-5180",
"summary": "Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5180"
},
{
"id": "CVE-2017-1000381",
"summary": "The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000381"
},
{
"id": "CVE-2020-14354",
"summary": "A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14354"
},
{
"id": "CVE-2020-22217",
"summary": "Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-22217"
},
{
"id": "CVE-2020-8277",
"summary": "A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8277"
},
{
"id": "CVE-2021-3672",
"summary": "A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.",
"scorev2": "6.8",
"scorev3": "5.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3672"
},
{
"id": "CVE-2022-4904",
"summary": "A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.",
"scorev2": "0.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4904"
},
{
"id": "CVE-2023-31124",
"summary": "c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.\n",
"scorev2": "0.0",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31124"
},
{
"id": "CVE-2023-31130",
"summary": "c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular \"0::00:00:00/2\" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.\n",
"scorev2": "0.0",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31130"
},
{
"id": "CVE-2023-31147",
"summary": "c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31147"
},
{
"id": "CVE-2023-32067",
"summary": "c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32067"
}
]
},
{
"name": "c-ares-native",
"layer": "meta-oe",
"version": "1.27.0",
"products": [
{
"product": "c-ares",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-3152",
"summary": "c-ares before 1.4.0 uses a predictable seed for the random number generator for the DNS Transaction ID field, which might allow remote attackers to spoof DNS responses by guessing the field value.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3152"
},
{
"id": "CVE-2007-3153",
"summary": "The ares_init:randomize_key function in c-ares, on platforms other than Windows, uses a weak facility for producing a random number sequence (Unix rand), which makes it easier for remote attackers to spoof DNS responses by guessing certain values.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3153"
},
{
"id": "CVE-2016-5180",
"summary": "Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5180"
},
{
"id": "CVE-2017-1000381",
"summary": "The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000381"
},
{
"id": "CVE-2020-14354",
"summary": "A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14354"
},
{
"id": "CVE-2020-22217",
"summary": "Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-22217"
},
{
"id": "CVE-2020-8277",
"summary": "A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8277"
},
{
"id": "CVE-2021-3672",
"summary": "A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.",
"scorev2": "6.8",
"scorev3": "5.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3672"
},
{
"id": "CVE-2022-4904",
"summary": "A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.",
"scorev2": "0.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4904"
},
{
"id": "CVE-2023-31124",
"summary": "c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.\n",
"scorev2": "0.0",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31124"
},
{
"id": "CVE-2023-31130",
"summary": "c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular \"0::00:00:00/2\" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.\n",
"scorev2": "0.0",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31130"
},
{
"id": "CVE-2023-31147",
"summary": "c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31147"
},
{
"id": "CVE-2023-32067",
"summary": "c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32067"
}
]
},
{
"name": "ca-certificates",
"layer": "meta",
"version": "20211016",
"products": [
{
"product": "ca-certificates",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "ca-certificates-native",
"layer": "meta",
"version": "20211016",
"products": [
{
"product": "ca-certificates",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "cairo",
"layer": "meta",
"version": "1.18.0",
"products": [
{
"product": "cairo",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-5503",
"summary": "Multiple integer overflows in Cairo before 1.4.12 might allow remote attackers to execute arbitrary code, as demonstrated using a crafted PNG image with large width and height values, which is not properly handled by the read_png function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5503"
},
{
"id": "CVE-2014-5116",
"summary": "The cairo_image_surface_get_data function in Cairo 1.10.2, as used in GTK+ and Wireshark, allows context-dependent attackers to cause a denial of service (NULL pointer dereference) via a large string.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5116"
},
{
"id": "CVE-2016-3190",
"summary": "The fill_xrgb32_lerp_opaque_spans function in cairo-image-compositor.c in cairo before 1.14.2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a negative span length.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3190"
},
{
"id": "CVE-2016-9082",
"summary": "Integer overflow in the write_png function in cairo 1.14.6 allows remote attackers to cause a denial of service (invalid pointer dereference) via a large svg file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9082"
},
{
"id": "CVE-2017-7475",
"summary": "Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7475"
},
{
"id": "CVE-2017-9814",
"summary": "cairo-truetype-subset.c in cairo 1.15.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) because of mishandling of an unexpected malloc(0) call.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9814"
},
{
"id": "CVE-2018-18064",
"summary": "cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18064"
},
{
"id": "CVE-2018-19876",
"summary": "cairo 1.16.0, in cairo_ft_apply_variations() in cairo-ft-font.c, would free memory using a free function incompatible with WebKit's fastMalloc, leading to an application crash with a \"free(): invalid pointer\" error.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19876"
},
{
"id": "CVE-2019-6461",
"summary": "An issue was discovered in cairo 1.16.0. There is an assertion problem in the function _cairo_arc_in_direction in the file cairo-arc.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6461"
},
{
"id": "CVE-2019-6462",
"summary": "An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6462"
},
{
"id": "CVE-2020-35492",
"summary": "A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35492"
}
]
},
{
"name": "cairo-native",
"layer": "meta",
"version": "1.18.0",
"products": [
{
"product": "cairo",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-5503",
"summary": "Multiple integer overflows in Cairo before 1.4.12 might allow remote attackers to execute arbitrary code, as demonstrated using a crafted PNG image with large width and height values, which is not properly handled by the read_png function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5503"
},
{
"id": "CVE-2014-5116",
"summary": "The cairo_image_surface_get_data function in Cairo 1.10.2, as used in GTK+ and Wireshark, allows context-dependent attackers to cause a denial of service (NULL pointer dereference) via a large string.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5116"
},
{
"id": "CVE-2016-3190",
"summary": "The fill_xrgb32_lerp_opaque_spans function in cairo-image-compositor.c in cairo before 1.14.2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a negative span length.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3190"
},
{
"id": "CVE-2016-9082",
"summary": "Integer overflow in the write_png function in cairo 1.14.6 allows remote attackers to cause a denial of service (invalid pointer dereference) via a large svg file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9082"
},
{
"id": "CVE-2017-7475",
"summary": "Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7475"
},
{
"id": "CVE-2017-9814",
"summary": "cairo-truetype-subset.c in cairo 1.15.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) because of mishandling of an unexpected malloc(0) call.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9814"
},
{
"id": "CVE-2018-18064",
"summary": "cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18064"
},
{
"id": "CVE-2018-19876",
"summary": "cairo 1.16.0, in cairo_ft_apply_variations() in cairo-ft-font.c, would free memory using a free function incompatible with WebKit's fastMalloc, leading to an application crash with a \"free(): invalid pointer\" error.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19876"
},
{
"id": "CVE-2019-6461",
"summary": "An issue was discovered in cairo 1.16.0. There is an assertion problem in the function _cairo_arc_in_direction in the file cairo-arc.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6461"
},
{
"id": "CVE-2019-6462",
"summary": "An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6462"
},
{
"id": "CVE-2020-35492",
"summary": "A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35492"
}
]
},
{
"name": "camera-gstreamer",
"layer": "meta-agl-demo",
"version": "1.0+git",
"products": [
{
"product": "camera-gstreamer",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "can-dev-helper",
"layer": "meta-agl-demo",
"version": "1.0",
"products": [
{
"product": "can-dev-helper",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "can-utils",
"layer": "meta-oe",
"version": "2023.03",
"products": [
{
"product": "can-utils",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "cannelloni",
"layer": "meta-networking",
"version": "1.1.0",
"products": [
{
"product": "cannelloni",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "cantarell-fonts",
"layer": "meta",
"version": "0.303.1",
"products": [
{
"product": "cantarell-fonts",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "cargo-native",
"layer": "meta",
"version": "1.75.0",
"products": [
{
"product": "cargo",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2022-36113",
"summary": "Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes \"ok\" to the .cargo-ok file at the root of the extracted source code once it extracted all the files. It was discovered that Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo would extract. Then, when Cargo attempted to write \"ok\" into .cargo-ok, it would actually replace the first two bytes of the file the symlink pointed to with ok. This would allow an attacker to corrupt one file on the machine using Cargo to extract the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain.\nMitigations We recommend users of alternate registries to exercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to exercise care in choosing their dependencies though, as remote code execution is allowed by design there as well.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-36113"
},
{
"id": "CVE-2022-36114",
"summary": "Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size (also known as a \"zip bomb\"), exhausting the disk space on the machine using Cargo to download the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain. We recommend users of alternate registries to excercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to excercise care in choosing their dependencies though, as the same concerns about build scripts and procedural macros apply here.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-36114"
},
{
"id": "CVE-2022-46176",
"summary": "Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url..insteadOf`][1] setting), as that'd cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible. ",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-46176"
},
{
"id": "CVE-2023-38497",
"summary": "Cargo downloads the Rust project\u2019s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.",
"scorev2": "0.0",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38497"
}
]
},
{
"name": "checkpolicy",
"layer": "meta-selinux",
"version": "3.6",
"products": [
{
"product": "selinux",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2020-10751",
"summary": "A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.",
"scorev2": "3.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10751"
}
]
},
{
"name": "checkpolicy-native",
"layer": "meta-selinux",
"version": "3.6",
"products": [
{
"product": "selinux",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2020-10751",
"summary": "A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.",
"scorev2": "3.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10751"
}
]
},
{
"name": "chrpath-native",
"layer": "meta",
"version": "0.16",
"products": [
{
"product": "chrpath",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "cmake",
"layer": "meta",
"version": "3.28.3",
"products": [
{
"product": "cmake",
"cvesInRecord": "No"
}
],
"issue": [
{
"id": "CVE-2016-10642",
"summary": "cmake installs the cmake x86 linux binaries. cmake downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.",
"scorev2": "9.3",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10642",
"detail": "cpe-incorrect",
"description": "This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded"
}
]
},
{
"name": "cmake-native",
"layer": "meta",
"version": "3.28.3",
"products": [
{
"product": "cmake",
"cvesInRecord": "No"
}
],
"issue": [
{
"id": "CVE-2016-10642",
"summary": "cmake installs the cmake x86 linux binaries. cmake downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.",
"scorev2": "9.3",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10642",
"detail": "cpe-incorrect",
"description": "This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded"
}
]
},
{
"name": "cmocka",
"layer": "meta-oe",
"version": "1.1.7+git",
"products": [
{
"product": "cmocka",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "connman",
"layer": "meta",
"version": "1.42",
"products": [
{
"product": "connman",
"cvesInRecord": "Yes"
},
{
"product": "connection_manager",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2012-2320",
"summary": "ConnMan before 0.85 does not ensure that netlink messages originate from the kernel, which allows remote attackers to bypass intended access restrictions and cause a denial of service via a crafted netlink message.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2320"
},
{
"id": "CVE-2012-2321",
"summary": "The loopback plug-in in ConnMan before 0.85 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) host name or (2) domain name in a DHCP reply.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2321"
},
{
"id": "CVE-2012-2322",
"summary": "Integer overflow in the dhcpv6_get_option function in gdhcp/client.c in ConnMan before 0.85 allows remote attackers to cause a denial of service (infinite loop and crash) via an invalid length value in a DHCP packet.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2322"
},
{
"id": "CVE-2012-6459",
"summary": "ConnMan 1.3 on Tizen continues to list the bluetooth service after offline mode has been enabled, which might allow remote attackers to obtain sensitive information via Bluetooth packets.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6459"
},
{
"id": "CVE-2017-12865",
"summary": "Stack-based buffer overflow in \"dnsproxy.c\" in connman 1.34 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted response query string passed to the \"name\" variable.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12865"
},
{
"id": "CVE-2021-26675",
"summary": "A stack-based buffer overflow in dnsproxy in ConnMan before 1.39 could be used by network adjacent attackers to execute code.",
"scorev2": "5.8",
"scorev3": "8.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-26675"
},
{
"id": "CVE-2021-26676",
"summary": "gdhcp in ConnMan before 1.39 could be used by network-adjacent attackers to leak sensitive stack information, allowing further exploitation of bugs in gdhcp.",
"scorev2": "3.3",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-26676"
},
{
"id": "CVE-2021-33833",
"summary": "ConnMan (aka Connection Manager) 1.30 through 1.39 has a stack-based buffer overflow in uncompress in dnsproxy.c via NAME, RDATA, or RDLENGTH (for A or AAAA).",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33833"
},
{
"id": "CVE-2022-23096",
"summary": "An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation lacks a check for the presence of sufficient Header Data, leading to an out-of-bounds read.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23096"
},
{
"id": "CVE-2022-23097",
"summary": "An issue was discovered in the DNS proxy in Connman through 1.40. forward_dns_reply mishandles a strnlen call, leading to an out-of-bounds read.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23097"
},
{
"id": "CVE-2022-23098",
"summary": "An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation has an infinite loop if no data is received.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23098"
},
{
"id": "CVE-2022-32292",
"summary": "In ConnMan through 1.41, remote attackers able to send HTTP requests to the gweb component are able to exploit a heap-based buffer overflow in received_data to execute code.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32292"
},
{
"id": "CVE-2022-32293",
"summary": "In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a use-after-free in WISPR handling, leading to crashes or code execution.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32293"
},
{
"id": "CVE-2023-28488",
"summary": "client.c in gdhcp in ConnMan through 1.41 could be used by network-adjacent attackers (operating a crafted DHCP server) to cause a stack-based buffer overflow and denial of service, terminating the connman process.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28488"
}
]
},
{
"name": "connman-conf",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "connman-conf",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "connman-glib",
"layer": "meta-agl-demo",
"version": "1.0+git",
"products": [
{
"product": "connman-glib",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "connman-ncurses",
"layer": "meta-agl-core",
"version": "git",
"products": [
{
"product": "connman-ncurses",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "coreutils",
"layer": "meta",
"version": "9.4",
"products": [
{
"product": "coreutils",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2005-1039",
"summary": "Race condition in Core Utilities (coreutils) 5.2.1, when (1) mkdir, (2) mknod, or (3) mkfifo is running with the -m switch, allows local users to modify permissions of other files.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1039"
},
{
"id": "CVE-2008-1946",
"summary": "The default configuration of su in /etc/pam.d/su in GNU coreutils 5.2.1 allows local users to gain the privileges of a (1) locked or (2) expired account by entering the account name on the command line, related to improper use of the pam_succeed_if.so module.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1946"
},
{
"id": "CVE-2009-4135",
"summary": "The distcheck rule in dist-check.mk in GNU coreutils 5.2.1 through 8.1 allows local users to gain privileges via a symlink attack on a file in a directory tree under /tmp.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4135"
},
{
"id": "CVE-2014-9471",
"summary": "The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the \"--date=TZ=\"123\"345\" @1\" string to the touch or date command.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9471"
},
{
"id": "CVE-2015-1865",
"summary": "fts.c in coreutils 8.4 allows local users to delete arbitrary files.",
"scorev2": "3.3",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1865"
},
{
"id": "CVE-2015-4041",
"summary": "The keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 on 64-bit platforms performs a size calculation without considering the number of bytes occupied by multibyte characters, which allows attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via long UTF-8 strings.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4041"
},
{
"id": "CVE-2015-4042",
"summary": "Integer overflow in the keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 might allow attackers to cause a denial of service (application crash) or possibly have unspecified other impact via long strings.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4042"
},
{
"id": "CVE-2016-2781",
"summary": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2781",
"detail": "disputed",
"description": "runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue."
},
{
"id": "CVE-2017-18018",
"summary": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18018"
},
{
"id": "CVE-2024-0684",
"summary": "A flaw was found in the GNU coreutils \"split\" program. A heap overflow with user-controlled data of multiple hundred bytes in length could occur in the line_bytes_split() function, potentially leading to an application crash and denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0684"
}
]
},
{
"name": "coreutils-native",
"layer": "meta",
"version": "9.4",
"products": [
{
"product": "coreutils",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2005-1039",
"summary": "Race condition in Core Utilities (coreutils) 5.2.1, when (1) mkdir, (2) mknod, or (3) mkfifo is running with the -m switch, allows local users to modify permissions of other files.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1039"
},
{
"id": "CVE-2008-1946",
"summary": "The default configuration of su in /etc/pam.d/su in GNU coreutils 5.2.1 allows local users to gain the privileges of a (1) locked or (2) expired account by entering the account name on the command line, related to improper use of the pam_succeed_if.so module.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1946"
},
{
"id": "CVE-2009-4135",
"summary": "The distcheck rule in dist-check.mk in GNU coreutils 5.2.1 through 8.1 allows local users to gain privileges via a symlink attack on a file in a directory tree under /tmp.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4135"
},
{
"id": "CVE-2014-9471",
"summary": "The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the \"--date=TZ=\"123\"345\" @1\" string to the touch or date command.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9471"
},
{
"id": "CVE-2015-1865",
"summary": "fts.c in coreutils 8.4 allows local users to delete arbitrary files.",
"scorev2": "3.3",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1865"
},
{
"id": "CVE-2015-4041",
"summary": "The keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 on 64-bit platforms performs a size calculation without considering the number of bytes occupied by multibyte characters, which allows attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via long UTF-8 strings.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4041"
},
{
"id": "CVE-2015-4042",
"summary": "Integer overflow in the keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 might allow attackers to cause a denial of service (application crash) or possibly have unspecified other impact via long strings.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4042"
},
{
"id": "CVE-2016-2781",
"summary": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2781",
"detail": "disputed",
"description": "runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue."
},
{
"id": "CVE-2017-18018",
"summary": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18018"
},
{
"id": "CVE-2024-0684",
"summary": "A flaw was found in the GNU coreutils \"split\" program. A heap overflow with user-controlled data of multiple hundred bytes in length could occur in the line_bytes_split() function, potentially leading to an application crash and denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0684"
}
]
},
{
"name": "cracklib",
"layer": "meta",
"version": "2.9.11",
"products": [
{
"product": "cracklib",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-1140",
"summary": "Buffer overflow in CrackLib 2.5 may allow local users to gain root privileges via a long GECOS field.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1140"
},
{
"id": "CVE-2016-6318",
"summary": "Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6318"
}
]
},
{
"name": "cracklib-native",
"layer": "meta",
"version": "2.9.11",
"products": [
{
"product": "cracklib",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-1140",
"summary": "Buffer overflow in CrackLib 2.5 may allow local users to gain root privileges via a long GECOS field.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1140"
},
{
"id": "CVE-2016-6318",
"summary": "Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6318"
}
]
},
{
"name": "createrepo-c-native",
"layer": "meta",
"version": "1.0.4",
"products": [
{
"product": "createrepo-c",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "cross-localedef-native",
"layer": "meta",
"version": "2.39+git",
"products": [
{
"product": "cross-localedef",
"cvesInRecord": "No"
}
],
"issue": [
{
"id": "CVE-2023-4911",
"summary": "A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4911",
"detail": "fixed-version",
"description": "Fixed in stable branch updates"
}
]
},
{
"name": "cryptsetup",
"layer": "meta-oe",
"version": "2.7.2",
"products": [
{
"product": "cryptsetup",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2016-4484",
"summary": "The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.",
"scorev2": "7.2",
"scorev3": "6.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4484"
},
{
"id": "CVE-2020-14382",
"summary": "A vulnerability was found in upstream release cryptsetup-2.2.0 where, there's a bug in LUKS2 format validation code, that is effectively invoked on every device/image presenting itself as LUKS2 container. The bug is in segments validation code in file 'lib/luks2/luks2_json_metadata.c' in function hdr_validate_segments(struct crypt_device *cd, json_object *hdr_jobj) where the code does not check for possible overflow on memory allocation used for intervals array (see statement \"intervals = malloc(first_backup * sizeof(*intervals));\"). Due to the bug, library can be *tricked* to expect such allocation was successful but for far less memory then originally expected. Later it may read data FROM image crafted by an attacker and actually write such data BEYOND allocated memory.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14382"
},
{
"id": "CVE-2021-4122",
"summary": "It was found that a specially crafted LUKS header could trick cryptsetup into disabling encryption during the recovery of the device. An attacker with physical access to the medium, such as a flash disk, could use this flaw to force a user into permanently disabling the encryption layer of that medium.",
"scorev2": "0.0",
"scorev3": "4.3",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4122"
}
]
},
{
"name": "curl",
"layer": "meta",
"version": "8.7.1",
"products": [
{
"product": "curl",
"cvesInRecord": "Yes"
},
{
"product": "libcurl",
"cvesInRecord": "Yes"
},
{
"product": "curl",
"cvesInRecord": "Yes"
},
{
"product": "libcurl",
"cvesInRecord": "Yes"
},
{
"product": "libcurl",
"cvesInRecord": "Yes"
},
{
"product": "curl",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2000-0973",
"summary": "Buffer overflow in curl earlier than 6.0-1.1, and curl-ssl earlier than 6.0-1.2, allows remote attackers to execute arbitrary commands by forcing a long error message to be generated.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0973"
},
{
"id": "CVE-2003-1605",
"summary": "curl 7.x before 7.10.7 sends CONNECT proxy credentials to the remote server.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-1605"
},
{
"id": "CVE-2005-0490",
"summary": "Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.",
"scorev2": "5.1",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0490"
},
{
"id": "CVE-2005-3185",
"summary": "Stack-based buffer overflow in the ntlm_output function in http-ntlm.c for (1) wget 1.10, (2) curl 7.13.2, and (3) libcurl 7.13.2, and other products that use libcurl, when NTLM authentication is enabled, allows remote servers to execute arbitrary code via a long NTLM username.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3185"
},
{
"id": "CVE-2005-4077",
"summary": "Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 through 7.15.0 allow local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs that (1) are malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer, or (2) contain a \"?\" separator in the hostname portion, which causes a \"/\" to be prepended to the resulting string.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4077"
},
{
"id": "CVE-2006-1061",
"summary": "Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1061"
},
{
"id": "CVE-2007-3564",
"summary": "libcurl 7.14.0 through 7.16.3, when built with GnuTLS support, does not check SSL/TLS certificate expiration or activation dates, which allows remote attackers to bypass certain access restrictions.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3564"
},
{
"id": "CVE-2009-0037",
"summary": "The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0037"
},
{
"id": "CVE-2009-2417",
"summary": "lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2417"
},
{
"id": "CVE-2010-0734",
"summary": "content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0734"
},
{
"id": "CVE-2010-3842",
"summary": "Absolute path traversal vulnerability in curl 7.20.0 through 7.21.1, when the --remote-header-name or -J option is used, allows remote servers to create or overwrite arbitrary files by using \\ (backslash) as a separator of path components within the Content-disposition HTTP header.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3842"
},
{
"id": "CVE-2011-2192",
"summary": "The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2192"
},
{
"id": "CVE-2011-3389",
"summary": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3389"
},
{
"id": "CVE-2012-0036",
"summary": "curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0036"
},
{
"id": "CVE-2013-0249",
"summary": "Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the realm parameter in a (1) POP3, (2) SMTP or (3) IMAP message.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0249"
},
{
"id": "CVE-2013-1944",
"summary": "The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1944"
},
{
"id": "CVE-2013-2174",
"summary": "Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a \"%\" (percent) character.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2174"
},
{
"id": "CVE-2013-4545",
"summary": "cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4545"
},
{
"id": "CVE-2013-6422",
"summary": "The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6422"
},
{
"id": "CVE-2014-0015",
"summary": "cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0015"
},
{
"id": "CVE-2014-0138",
"summary": "The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0138"
},
{
"id": "CVE-2014-0139",
"summary": "cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0139"
},
{
"id": "CVE-2014-2522",
"summary": "curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2522"
},
{
"id": "CVE-2014-3613",
"summary": "cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3613"
},
{
"id": "CVE-2014-3620",
"summary": "cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3620"
},
{
"id": "CVE-2014-3707",
"summary": "The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3707"
},
{
"id": "CVE-2014-8150",
"summary": "CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8150"
},
{
"id": "CVE-2014-8151",
"summary": "The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8151"
},
{
"id": "CVE-2015-3143",
"summary": "cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3143"
},
{
"id": "CVE-2015-3144",
"summary": "The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by \"http://:80\" and \":80.\"",
"scorev2": "9.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3144"
},
{
"id": "CVE-2015-3145",
"summary": "The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly have other unspecified impact via a cookie path containing only a double-quote character.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3145"
},
{
"id": "CVE-2015-3148",
"summary": "cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3148"
},
{
"id": "CVE-2015-3153",
"summary": "The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3153"
},
{
"id": "CVE-2015-3236",
"summary": "cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same host name, which allows remote attackers to obtain sensitive information via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3236"
},
{
"id": "CVE-2015-3237",
"summary": "The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and crash) via crafted length and offset values.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3237"
},
{
"id": "CVE-2016-0754",
"summary": "cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0754"
},
{
"id": "CVE-2016-0755",
"summary": "The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.",
"scorev2": "5.0",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0755"
},
{
"id": "CVE-2016-3739",
"summary": "The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.",
"scorev2": "2.6",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3739"
},
{
"id": "CVE-2016-4606",
"summary": "Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4606"
},
{
"id": "CVE-2016-4802",
"summary": "Multiple untrusted search path vulnerabilities in cURL and libcurl before 7.49.1, when built with SSPI or telnet is enabled, allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) security.dll, (2) secur32.dll, or (3) ws2_32.dll in the application or current working directory.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4802"
},
{
"id": "CVE-2016-5419",
"summary": "curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5419"
},
{
"id": "CVE-2016-5420",
"summary": "curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5420"
},
{
"id": "CVE-2016-5421",
"summary": "Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5421"
},
{
"id": "CVE-2016-7141",
"summary": "curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7141"
},
{
"id": "CVE-2016-7167",
"summary": "Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7167"
},
{
"id": "CVE-2016-8615",
"summary": "A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8615"
},
{
"id": "CVE-2016-8616",
"summary": "A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8616"
},
{
"id": "CVE-2016-8617",
"summary": "The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8617"
},
{
"id": "CVE-2016-8618",
"summary": "The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8618"
},
{
"id": "CVE-2016-8619",
"summary": "The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8619"
},
{
"id": "CVE-2016-8620",
"summary": "The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to integer overflow and out-of-bounds read via user controlled input.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8620"
},
{
"id": "CVE-2016-8621",
"summary": "The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8621"
},
{
"id": "CVE-2016-8622",
"summary": "The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8622"
},
{
"id": "CVE-2016-8623",
"summary": "A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8623"
},
{
"id": "CVE-2016-8624",
"summary": "curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8624"
},
{
"id": "CVE-2016-8625",
"summary": "curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8625"
},
{
"id": "CVE-2016-9586",
"summary": "curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9586"
},
{
"id": "CVE-2016-9594",
"summary": "curl before version 7.52.1 is vulnerable to an uninitialized random in libcurl's internal function that returns a good 32bit random value. Having a weak or virtually non-existent random value makes the operations that use it vulnerable.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9594"
},
{
"id": "CVE-2016-9952",
"summary": "The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted wildcard SAN in a server certificate, as demonstrated by \"*.com.\"",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9952"
},
{
"id": "CVE-2016-9953",
"summary": "The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly have unspecified other impact via a wildcard certificate name, which triggers an out-of-bounds read.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9953"
},
{
"id": "CVE-2017-1000099",
"summary": "When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000099"
},
{
"id": "CVE-2017-1000100",
"summary": "When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000100"
},
{
"id": "CVE-2017-1000101",
"summary": "curl supports \"globbing\" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be `http://ur%20[0-60000000000000000000`.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000101"
},
{
"id": "CVE-2017-1000254",
"summary": "libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000254"
},
{
"id": "CVE-2017-1000257",
"summary": "An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000257"
},
{
"id": "CVE-2017-2628",
"summary": "curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2628"
},
{
"id": "CVE-2017-2629",
"summary": "curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status).",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2629"
},
{
"id": "CVE-2017-7407",
"summary": "The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.",
"scorev2": "2.1",
"scorev3": "2.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7407"
},
{
"id": "CVE-2017-7468",
"summary": "In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster. This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7468"
},
{
"id": "CVE-2017-8816",
"summary": "The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8816"
},
{
"id": "CVE-2017-8817",
"summary": "The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8817"
},
{
"id": "CVE-2017-8818",
"summary": "curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact because too little memory is allocated for interfacing to an SSL library.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8818"
},
{
"id": "CVE-2017-9502",
"summary": "In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given \"URL\" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string \"file://\").",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9502"
},
{
"id": "CVE-2018-0500",
"summary": "Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with certain settings (i.e., use of a nonstandard --limit-rate argument or CURLOPT_BUFFERSIZE value).",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0500"
},
{
"id": "CVE-2018-1000005",
"summary": "libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000005"
},
{
"id": "CVE-2018-1000007",
"summary": "libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.",
"scorev2": "5.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000007"
},
{
"id": "CVE-2018-1000120",
"summary": "A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000120"
},
{
"id": "CVE-2018-1000121",
"summary": "A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that allows an attacker to cause a denial of service",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000121"
},
{
"id": "CVE-2018-1000122",
"summary": "A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000122"
},
{
"id": "CVE-2018-1000300",
"summary": "curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies.. This vulnerability appears to have been fixed in curl < 7.54.1 and curl >= 7.60.0.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000300"
},
{
"id": "CVE-2018-1000301",
"summary": "curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000301"
},
{
"id": "CVE-2018-14618",
"summary": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14618"
},
{
"id": "CVE-2018-16839",
"summary": "Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16839"
},
{
"id": "CVE-2018-16840",
"summary": "A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16840"
},
{
"id": "CVE-2018-16842",
"summary": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16842"
},
{
"id": "CVE-2018-16890",
"summary": "libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.",
"scorev2": "5.0",
"scorev3": "5.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16890"
},
{
"id": "CVE-2019-3822",
"summary": "libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.",
"scorev2": "7.5",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3822"
},
{
"id": "CVE-2019-3823",
"summary": "libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3823"
},
{
"id": "CVE-2019-5435",
"summary": "An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5435"
},
{
"id": "CVE-2019-5436",
"summary": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5436"
},
{
"id": "CVE-2019-5443",
"summary": "A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl \"engine\") on invocation. If that curl is invoked by a privileged user it can do anything it wants.",
"scorev2": "4.4",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5443"
},
{
"id": "CVE-2019-5481",
"summary": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5481"
},
{
"id": "CVE-2019-5482",
"summary": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5482"
},
{
"id": "CVE-2020-19909",
"summary": "Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay. NOTE: many parties report that this has no direct security impact on the curl user; however, it may (in theory) cause a denial of service to associated systems or networks if, for example, --retry-delay is misinterpreted as a value much smaller than what was intended. This is not especially plausible because the overflow only happens if the user was trying to specify that curl should wait weeks (or longer) before trying to recover from a transient error.",
"scorev2": "0.0",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19909"
},
{
"id": "CVE-2020-8169",
"summary": "curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8169"
},
{
"id": "CVE-2020-8177",
"summary": "curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8177"
},
{
"id": "CVE-2020-8231",
"summary": "Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8231"
},
{
"id": "CVE-2020-8284",
"summary": "A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8284"
},
{
"id": "CVE-2020-8285",
"summary": "curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8285"
},
{
"id": "CVE-2020-8286",
"summary": "curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8286"
},
{
"id": "CVE-2021-22876",
"summary": "curl 7.1.1 to and including 7.75.0 is vulnerable to an \"Exposure of Private Personal Information to an Unauthorized Actor\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22876"
},
{
"id": "CVE-2021-22890",
"summary": "curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly \"short-cut\" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22890"
},
{
"id": "CVE-2021-22897",
"summary": "curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single \"static\" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.",
"scorev2": "4.3",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22897"
},
{
"id": "CVE-2021-22898",
"summary": "curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.",
"scorev2": "2.6",
"scorev3": "3.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22898"
},
{
"id": "CVE-2021-22901",
"summary": "curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22901"
},
{
"id": "CVE-2021-22922",
"summary": "When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22922"
},
{
"id": "CVE-2021-22923",
"summary": "When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.",
"scorev2": "2.6",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22923"
},
{
"id": "CVE-2021-22924",
"summary": "libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22924"
},
{
"id": "CVE-2021-22925",
"summary": "curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22925"
},
{
"id": "CVE-2021-22926",
"summary": "libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.If the appliction runs with a current working directory that is writable by other users (like `/tmp`), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22926"
},
{
"id": "CVE-2021-22945",
"summary": "When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*.",
"scorev2": "5.8",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22945"
},
{
"id": "CVE-2021-22946",
"summary": "A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22946"
},
{
"id": "CVE-2021-22947",
"summary": "When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22947"
},
{
"id": "CVE-2022-22576",
"summary": "An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).",
"scorev2": "5.5",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22576"
},
{
"id": "CVE-2022-27774",
"summary": "An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.",
"scorev2": "3.5",
"scorev3": "5.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27774"
},
{
"id": "CVE-2022-27775",
"summary": "An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27775"
},
{
"id": "CVE-2022-27776",
"summary": "A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27776"
},
{
"id": "CVE-2022-27778",
"summary": "A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`.",
"scorev2": "5.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27778"
},
{
"id": "CVE-2022-27779",
"summary": "libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's \"cookie engine\" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27779"
},
{
"id": "CVE-2022-27780",
"summary": "The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a *different* URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters, checks and more.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27780"
},
{
"id": "CVE-2022-27781",
"summary": "libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27781"
},
{
"id": "CVE-2022-27782",
"summary": "libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27782"
},
{
"id": "CVE-2022-30115",
"summary": "Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and *not* using thetrailing dot in the URL.",
"scorev2": "4.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-30115"
},
{
"id": "CVE-2022-32205",
"summary": "A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a \"sister server\" to effectively cause a denial of service for a sibling site on the same second level domain using this method.",
"scorev2": "4.3",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32205"
},
{
"id": "CVE-2022-32206",
"summary": "curl < 7.84.0 supports \"chained\" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a \"malloc bomb\", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32206"
},
{
"id": "CVE-2022-32207",
"summary": "When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32207"
},
{
"id": "CVE-2022-32208",
"summary": "When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32208"
},
{
"id": "CVE-2022-32221",
"summary": "When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32221"
},
{
"id": "CVE-2022-35252",
"summary": "When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\"sister site\" to deny service to all siblings.",
"scorev2": "0.0",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35252"
},
{
"id": "CVE-2022-35260",
"summary": "curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35260"
},
{
"id": "CVE-2022-42915",
"summary": "curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42915"
},
{
"id": "CVE-2022-42916",
"summary": "In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42916"
},
{
"id": "CVE-2022-43551",
"summary": "A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43551"
},
{
"id": "CVE-2022-43552",
"summary": "A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43552"
},
{
"id": "CVE-2023-23914",
"summary": "A cleartext transmission of sensitive information vulnerability exists in curl = 7.60.0.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000300"
},
{
"id": "CVE-2018-1000301",
"summary": "curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000301"
},
{
"id": "CVE-2018-14618",
"summary": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14618"
},
{
"id": "CVE-2018-16839",
"summary": "Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16839"
},
{
"id": "CVE-2018-16840",
"summary": "A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16840"
},
{
"id": "CVE-2018-16842",
"summary": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16842"
},
{
"id": "CVE-2018-16890",
"summary": "libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.",
"scorev2": "5.0",
"scorev3": "5.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16890"
},
{
"id": "CVE-2019-3822",
"summary": "libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.",
"scorev2": "7.5",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3822"
},
{
"id": "CVE-2019-3823",
"summary": "libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3823"
},
{
"id": "CVE-2019-5435",
"summary": "An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5435"
},
{
"id": "CVE-2019-5436",
"summary": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5436"
},
{
"id": "CVE-2019-5443",
"summary": "A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl \"engine\") on invocation. If that curl is invoked by a privileged user it can do anything it wants.",
"scorev2": "4.4",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5443"
},
{
"id": "CVE-2019-5481",
"summary": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5481"
},
{
"id": "CVE-2019-5482",
"summary": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5482"
},
{
"id": "CVE-2020-19909",
"summary": "Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay. NOTE: many parties report that this has no direct security impact on the curl user; however, it may (in theory) cause a denial of service to associated systems or networks if, for example, --retry-delay is misinterpreted as a value much smaller than what was intended. This is not especially plausible because the overflow only happens if the user was trying to specify that curl should wait weeks (or longer) before trying to recover from a transient error.",
"scorev2": "0.0",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19909"
},
{
"id": "CVE-2020-8169",
"summary": "curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8169"
},
{
"id": "CVE-2020-8177",
"summary": "curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8177"
},
{
"id": "CVE-2020-8231",
"summary": "Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8231"
},
{
"id": "CVE-2020-8284",
"summary": "A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8284"
},
{
"id": "CVE-2020-8285",
"summary": "curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8285"
},
{
"id": "CVE-2020-8286",
"summary": "curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8286"
},
{
"id": "CVE-2021-22876",
"summary": "curl 7.1.1 to and including 7.75.0 is vulnerable to an \"Exposure of Private Personal Information to an Unauthorized Actor\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22876"
},
{
"id": "CVE-2021-22890",
"summary": "curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly \"short-cut\" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22890"
},
{
"id": "CVE-2021-22897",
"summary": "curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single \"static\" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.",
"scorev2": "4.3",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22897"
},
{
"id": "CVE-2021-22898",
"summary": "curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.",
"scorev2": "2.6",
"scorev3": "3.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22898"
},
{
"id": "CVE-2021-22901",
"summary": "curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22901"
},
{
"id": "CVE-2021-22922",
"summary": "When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22922"
},
{
"id": "CVE-2021-22923",
"summary": "When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.",
"scorev2": "2.6",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22923"
},
{
"id": "CVE-2021-22924",
"summary": "libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22924"
},
{
"id": "CVE-2021-22925",
"summary": "curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22925"
},
{
"id": "CVE-2021-22926",
"summary": "libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.If the appliction runs with a current working directory that is writable by other users (like `/tmp`), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22926"
},
{
"id": "CVE-2021-22945",
"summary": "When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*.",
"scorev2": "5.8",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22945"
},
{
"id": "CVE-2021-22946",
"summary": "A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22946"
},
{
"id": "CVE-2021-22947",
"summary": "When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22947"
},
{
"id": "CVE-2022-22576",
"summary": "An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).",
"scorev2": "5.5",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22576"
},
{
"id": "CVE-2022-27774",
"summary": "An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.",
"scorev2": "3.5",
"scorev3": "5.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27774"
},
{
"id": "CVE-2022-27775",
"summary": "An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27775"
},
{
"id": "CVE-2022-27776",
"summary": "A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27776"
},
{
"id": "CVE-2022-27778",
"summary": "A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`.",
"scorev2": "5.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27778"
},
{
"id": "CVE-2022-27779",
"summary": "libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's \"cookie engine\" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27779"
},
{
"id": "CVE-2022-27780",
"summary": "The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a *different* URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters, checks and more.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27780"
},
{
"id": "CVE-2022-27781",
"summary": "libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27781"
},
{
"id": "CVE-2022-27782",
"summary": "libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27782"
},
{
"id": "CVE-2022-30115",
"summary": "Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and *not* using thetrailing dot in the URL.",
"scorev2": "4.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-30115"
},
{
"id": "CVE-2022-32205",
"summary": "A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a \"sister server\" to effectively cause a denial of service for a sibling site on the same second level domain using this method.",
"scorev2": "4.3",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32205"
},
{
"id": "CVE-2022-32206",
"summary": "curl < 7.84.0 supports \"chained\" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a \"malloc bomb\", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32206"
},
{
"id": "CVE-2022-32207",
"summary": "When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32207"
},
{
"id": "CVE-2022-32208",
"summary": "When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32208"
},
{
"id": "CVE-2022-32221",
"summary": "When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32221"
},
{
"id": "CVE-2022-35252",
"summary": "When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\"sister site\" to deny service to all siblings.",
"scorev2": "0.0",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35252"
},
{
"id": "CVE-2022-35260",
"summary": "curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35260"
},
{
"id": "CVE-2022-42915",
"summary": "curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42915"
},
{
"id": "CVE-2022-42916",
"summary": "In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42916"
},
{
"id": "CVE-2022-43551",
"summary": "A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43551"
},
{
"id": "CVE-2022-43552",
"summary": "A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43552"
},
{
"id": "CVE-2023-23914",
"summary": "A cleartext transmission of sensitive information vulnerability exists in curl = 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12049"
},
{
"id": "CVE-2020-35512",
"summary": "A use-after-free flaw was found in D-Bus Development branch <= 1.13.16, dbus-1.12.x stable branch <= 1.12.18, and dbus-1.10.x and older branches <= 1.10.30 when a system has multiple usernames sharing the same UID. When a set of policy rules references these usernames, D-Bus may free some memory in the heap, which is still used by data structures necessary for the other usernames sharing the UID, possibly leading to a crash or other undefined behaviors",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35512"
},
{
"id": "CVE-2022-42010",
"summary": "An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42010"
},
{
"id": "CVE-2022-42011",
"summary": "An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42011"
},
{
"id": "CVE-2022-42012",
"summary": "An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42012"
},
{
"id": "CVE-2023-34969",
"summary": "D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34969"
}
]
},
{
"name": "dbus-glib",
"layer": "meta",
"version": "0.112",
"products": [
{
"product": "dbus-glib",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2010-1172",
"summary": "DBus-GLib 0.73 disregards the access flag of exported GObject properties, which allows local users to bypass intended access restrictions and possibly cause a denial of service by modifying properties, as demonstrated by properties of the (1) DeviceKit-Power, (2) NetworkManager, and (3) ModemManager services.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1172"
},
{
"id": "CVE-2013-0292",
"summary": "The dbus_g_proxy_manager_filter function in dbus-gproxy in Dbus-glib before 0.100.1 does not properly verify the sender of NameOwnerChanged signals, which allows local users to gain privileges via a spoofed signal.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0292"
}
]
},
{
"name": "dbus-glib-native",
"layer": "meta",
"version": "0.112",
"products": [
{
"product": "dbus-glib",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2010-1172",
"summary": "DBus-GLib 0.73 disregards the access flag of exported GObject properties, which allows local users to bypass intended access restrictions and possibly cause a denial of service by modifying properties, as demonstrated by properties of the (1) DeviceKit-Power, (2) NetworkManager, and (3) ModemManager services.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1172"
},
{
"id": "CVE-2013-0292",
"summary": "The dbus_g_proxy_manager_filter function in dbus-gproxy in Dbus-glib before 0.100.1 does not properly verify the sender of NameOwnerChanged signals, which allows local users to gain privileges via a spoofed signal.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0292"
}
]
},
{
"name": "dbus-native",
"layer": "meta",
"version": "1.14.10",
"products": [
{
"product": "d-bus",
"cvesInRecord": "Yes"
},
{
"product": "dbus",
"cvesInRecord": "Yes"
},
{
"product": "libdbus",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2008-0595",
"summary": "dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0595"
},
{
"id": "CVE-2008-3834",
"summary": "The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3834"
},
{
"id": "CVE-2008-4311",
"summary": "The default configuration of system.conf in D-Bus (aka DBus) before 1.2.6 omits the send_type attribute in certain rules, which allows local users to bypass intended access restrictions by (1) sending messages, related to send_requested_reply; and possibly (2) receiving messages, related to receive_requested_reply.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4311"
},
{
"id": "CVE-2009-1189",
"summary": "The _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses incorrect logic to validate a basic type, which allows remote attackers to spoof a signature via a crafted key. NOTE: this is due to an incorrect fix for CVE-2008-3834.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1189"
},
{
"id": "CVE-2010-4352",
"summary": "Stack consumption vulnerability in D-Bus (aka DBus) before 1.4.1 allows local users to cause a denial of service (daemon crash) via a message containing many nested variants.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4352"
},
{
"id": "CVE-2011-2200",
"summary": "The _dbus_header_byteswap function in dbus-marshal-header.c in D-Bus (aka DBus) 1.2.x before 1.2.28, 1.4.x before 1.4.12, and 1.5.x before 1.5.4 does not properly handle a non-native byte order, which allows local users to cause a denial of service (connection loss), obtain potentially sensitive information, or conduct unspecified state-modification attacks via crafted messages.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2200"
},
{
"id": "CVE-2011-2533",
"summary": "The configure script in D-Bus (aka DBus) 1.2.x before 1.2.28 allows local users to overwrite arbitrary files via a symlink attack on an unspecified file in /tmp/.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2533"
},
{
"id": "CVE-2012-3524",
"summary": "libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: \"we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus.\"",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3524"
},
{
"id": "CVE-2013-2168",
"summary": "The _dbus_printf_string_upper_bound function in dbus/dbus-sysdeps-unix.c in D-Bus (aka DBus) 1.4.x before 1.4.26, 1.6.x before 1.6.12, and 1.7.x before 1.7.4 allows local users to cause a denial of service (service crash) via a crafted message.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2168"
},
{
"id": "CVE-2014-3477",
"summary": "The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3477"
},
{
"id": "CVE-2014-3532",
"summary": "dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3532"
},
{
"id": "CVE-2014-3533",
"summary": "dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3533"
},
{
"id": "CVE-2014-3635",
"summary": "Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3635"
},
{
"id": "CVE-2014-3636",
"summary": "D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number of file descriptors for a single sendmsg call.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3636"
},
{
"id": "CVE-2014-3637",
"summary": "D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3637"
},
{
"id": "CVE-2014-3638",
"summary": "The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3638"
},
{
"id": "CVE-2014-3639",
"summary": "The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3639"
},
{
"id": "CVE-2014-7824",
"summary": "D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3636.1.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7824"
},
{
"id": "CVE-2015-0245",
"summary": "D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0245"
},
{
"id": "CVE-2019-12749",
"summary": "dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12749"
},
{
"id": "CVE-2020-12049",
"summary": "An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12049"
},
{
"id": "CVE-2020-35512",
"summary": "A use-after-free flaw was found in D-Bus Development branch <= 1.13.16, dbus-1.12.x stable branch <= 1.12.18, and dbus-1.10.x and older branches <= 1.10.30 when a system has multiple usernames sharing the same UID. When a set of policy rules references these usernames, D-Bus may free some memory in the heap, which is still used by data structures necessary for the other usernames sharing the UID, possibly leading to a crash or other undefined behaviors",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35512"
},
{
"id": "CVE-2022-42010",
"summary": "An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42010"
},
{
"id": "CVE-2022-42011",
"summary": "An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42011"
},
{
"id": "CVE-2022-42012",
"summary": "An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42012"
},
{
"id": "CVE-2023-34969",
"summary": "D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34969"
}
]
},
{
"name": "debianutils-native",
"layer": "meta",
"version": "5.16",
"products": [
{
"product": "debianutils",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "debugedit",
"layer": "meta",
"version": "5.0",
"products": [
{
"product": "debugedit",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "depmodwrapper-cross",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "depmodwrapper",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "desktop-file-utils",
"layer": "meta",
"version": "0.27",
"products": [
{
"product": "desktop-file-utils",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "desktop-file-utils-native",
"layer": "meta",
"version": "0.27",
"products": [
{
"product": "desktop-file-utils",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "diffutils",
"layer": "meta",
"version": "3.10",
"products": [
{
"product": "diffutils",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "dnf",
"layer": "meta",
"version": "4.19.0",
"products": [
{
"product": "dnf",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "dnf-native",
"layer": "meta",
"version": "4.19.0",
"products": [
{
"product": "dnf",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "docbook-xml-dtd4-native",
"layer": "meta",
"version": "4.5",
"products": [
{
"product": "docbook-xml-dtd4",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "docbook-xsl-stylesheets-native",
"layer": "meta",
"version": "1.79.1",
"products": [
{
"product": "docbook-xsl-stylesheets",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "dosfstools",
"layer": "meta",
"version": "4.2",
"products": [
{
"product": "dosfstools",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-8872",
"summary": "The set_fat function in fat.c in dosfstools before 4.0 might allow attackers to corrupt a FAT12 filesystem or cause a denial of service (invalid memory read and crash) by writing an odd number of clusters to the third to last entry on a FAT12 filesystem, which triggers an \"off-by-two error.\"",
"scorev2": "2.1",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8872"
},
{
"id": "CVE-2016-4804",
"summary": "The read_boot function in boot.c in dosfstools before 4.0 allows attackers to cause a denial of service (crash) via a crafted filesystem, which triggers a heap-based buffer overflow in the (1) read_fat function or an out-of-bounds heap read in (2) get_fat function.",
"scorev2": "2.1",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4804"
}
]
},
{
"name": "doxygen-native",
"layer": "meta-oe",
"version": "1.9.3",
"products": [
{
"product": "doxygen",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2016-10245",
"summary": "Insufficient sanitization of the query parameter in templates/html/search_opensearch.php could lead to reflected cross-site scripting or iframe injection.",
"scorev2": "4.3",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10245"
}
]
},
{
"name": "dwarfsrcfiles-native",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "dwarfsrcfiles",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "e2fsprogs",
"layer": "meta",
"version": "1.47.0",
"products": [
{
"product": "e2fsprogs",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-5497",
"summary": "Multiple integer overflows in libext2fs in e2fsprogs before 1.40.3 allow user-assisted remote attackers to execute arbitrary code via a crafted filesystem image.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5497"
},
{
"id": "CVE-2015-0247",
"summary": "Heap-based buffer overflow in openfs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code via crafted block group descriptor data in a filesystem image.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0247"
},
{
"id": "CVE-2015-1572",
"summary": "Heap-based buffer overflow in closefs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code by causing a crafted block group descriptor to be marked as dirty. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0247.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1572"
},
{
"id": "CVE-2019-5094",
"summary": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5094"
},
{
"id": "CVE-2019-5188",
"summary": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"scorev2": "4.4",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5188"
},
{
"id": "CVE-2022-1304",
"summary": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1304"
}
]
},
{
"name": "e2fsprogs-native",
"layer": "meta",
"version": "1.47.0",
"products": [
{
"product": "e2fsprogs",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-5497",
"summary": "Multiple integer overflows in libext2fs in e2fsprogs before 1.40.3 allow user-assisted remote attackers to execute arbitrary code via a crafted filesystem image.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5497"
},
{
"id": "CVE-2015-0247",
"summary": "Heap-based buffer overflow in openfs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code via crafted block group descriptor data in a filesystem image.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0247"
},
{
"id": "CVE-2015-1572",
"summary": "Heap-based buffer overflow in closefs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code by causing a crafted block group descriptor to be marked as dirty. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0247.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1572"
},
{
"id": "CVE-2019-5094",
"summary": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5094"
},
{
"id": "CVE-2019-5188",
"summary": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"scorev2": "4.4",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5188"
},
{
"id": "CVE-2022-1304",
"summary": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1304"
}
]
},
{
"name": "elfutils",
"layer": "meta",
"version": "0.191",
"products": [
{
"product": "elfutils",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2014-0172",
"summary": "Integer overflow in the check_section function in dwarf_begin_elf.c in the libdw library, as used in elfutils 0.153 and possibly through 0.158 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed compressed debug section in an ELF file, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0172"
},
{
"id": "CVE-2014-9447",
"summary": "Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9447"
},
{
"id": "CVE-2016-10254",
"summary": "The allocate_elf function in common.h in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted ELF file, which triggers a memory allocation failure.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10254"
},
{
"id": "CVE-2016-10255",
"summary": "The __libelf_set_rawdata_wrlock function in elf_getdata.c in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted (1) sh_off or (2) sh_size ELF header value, which triggers a memory allocation failure.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10255"
},
{
"id": "CVE-2017-7607",
"summary": "The handle_gnu_hash function in readelf.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7607"
},
{
"id": "CVE-2017-7608",
"summary": "The ebl_object_note_type_name function in eblobjnotetypename.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7608"
},
{
"id": "CVE-2017-7609",
"summary": "elf_compress.c in elfutils 0.168 does not validate the zlib compression factor, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7609"
},
{
"id": "CVE-2017-7610",
"summary": "The check_group function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7610"
},
{
"id": "CVE-2017-7611",
"summary": "The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7611"
},
{
"id": "CVE-2017-7612",
"summary": "The check_sysv_hash function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7612"
},
{
"id": "CVE-2017-7613",
"summary": "elflint.c in elfutils 0.168 does not validate the number of sections and the number of segments, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7613"
},
{
"id": "CVE-2018-16062",
"summary": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16062"
},
{
"id": "CVE-2018-16402",
"summary": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16402"
},
{
"id": "CVE-2018-16403",
"summary": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16403"
},
{
"id": "CVE-2018-18310",
"summary": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18310"
},
{
"id": "CVE-2018-18520",
"summary": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18520"
},
{
"id": "CVE-2018-18521",
"summary": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18521"
},
{
"id": "CVE-2018-8769",
"summary": "elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8769"
},
{
"id": "CVE-2019-7146",
"summary": "In elfutils 0.175, there is a buffer over-read in the ebl_object_note function in eblobjnote.c in libebl. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted elf file, as demonstrated by eu-readelf.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7146"
},
{
"id": "CVE-2019-7148",
"summary": "An attempted excessive memory allocation was discovered in the function read_long_names in elf_begin.c in libelf in elfutils 0.174. Remote attackers could leverage this vulnerability to cause a denial-of-service via crafted elf input, which leads to an out-of-memory exception. NOTE: The maintainers believe this is not a real issue, but instead a \"warning caused by ASAN because the allocation is big. By setting ASAN_OPTIONS=allocator_may_return_null=1 and running the reproducer, nothing happens.\"",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7148"
},
{
"id": "CVE-2019-7149",
"summary": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7149"
},
{
"id": "CVE-2019-7150",
"summary": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7150"
},
{
"id": "CVE-2019-7664",
"summary": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7664"
},
{
"id": "CVE-2019-7665",
"summary": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7665"
},
{
"id": "CVE-2020-21047",
"summary": "The libcpu component which is used by libasm of elfutils version 0.177 (git 47780c9e), suffers from denial-of-service vulnerability caused by application crashes due to out-of-bounds write (CWE-787), off-by-one error (CWE-193) and reachable assertion (CWE-617); to exploit the vulnerability, the attackers need to craft certain ELF files which bypass the missing bound checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-21047"
},
{
"id": "CVE-2021-33294",
"summary": "In elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c .Which allows attackers to cause a denial of service (infinite loop) via crafted file.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33294"
}
]
},
{
"name": "elfutils-native",
"layer": "meta",
"version": "0.191",
"products": [
{
"product": "elfutils",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2014-0172",
"summary": "Integer overflow in the check_section function in dwarf_begin_elf.c in the libdw library, as used in elfutils 0.153 and possibly through 0.158 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed compressed debug section in an ELF file, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0172"
},
{
"id": "CVE-2014-9447",
"summary": "Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9447"
},
{
"id": "CVE-2016-10254",
"summary": "The allocate_elf function in common.h in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted ELF file, which triggers a memory allocation failure.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10254"
},
{
"id": "CVE-2016-10255",
"summary": "The __libelf_set_rawdata_wrlock function in elf_getdata.c in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted (1) sh_off or (2) sh_size ELF header value, which triggers a memory allocation failure.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10255"
},
{
"id": "CVE-2017-7607",
"summary": "The handle_gnu_hash function in readelf.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7607"
},
{
"id": "CVE-2017-7608",
"summary": "The ebl_object_note_type_name function in eblobjnotetypename.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7608"
},
{
"id": "CVE-2017-7609",
"summary": "elf_compress.c in elfutils 0.168 does not validate the zlib compression factor, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7609"
},
{
"id": "CVE-2017-7610",
"summary": "The check_group function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7610"
},
{
"id": "CVE-2017-7611",
"summary": "The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7611"
},
{
"id": "CVE-2017-7612",
"summary": "The check_sysv_hash function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7612"
},
{
"id": "CVE-2017-7613",
"summary": "elflint.c in elfutils 0.168 does not validate the number of sections and the number of segments, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7613"
},
{
"id": "CVE-2018-16062",
"summary": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16062"
},
{
"id": "CVE-2018-16402",
"summary": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16402"
},
{
"id": "CVE-2018-16403",
"summary": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16403"
},
{
"id": "CVE-2018-18310",
"summary": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18310"
},
{
"id": "CVE-2018-18520",
"summary": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18520"
},
{
"id": "CVE-2018-18521",
"summary": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18521"
},
{
"id": "CVE-2018-8769",
"summary": "elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8769"
},
{
"id": "CVE-2019-7146",
"summary": "In elfutils 0.175, there is a buffer over-read in the ebl_object_note function in eblobjnote.c in libebl. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted elf file, as demonstrated by eu-readelf.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7146"
},
{
"id": "CVE-2019-7148",
"summary": "An attempted excessive memory allocation was discovered in the function read_long_names in elf_begin.c in libelf in elfutils 0.174. Remote attackers could leverage this vulnerability to cause a denial-of-service via crafted elf input, which leads to an out-of-memory exception. NOTE: The maintainers believe this is not a real issue, but instead a \"warning caused by ASAN because the allocation is big. By setting ASAN_OPTIONS=allocator_may_return_null=1 and running the reproducer, nothing happens.\"",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7148"
},
{
"id": "CVE-2019-7149",
"summary": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7149"
},
{
"id": "CVE-2019-7150",
"summary": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7150"
},
{
"id": "CVE-2019-7664",
"summary": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7664"
},
{
"id": "CVE-2019-7665",
"summary": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7665"
},
{
"id": "CVE-2020-21047",
"summary": "The libcpu component which is used by libasm of elfutils version 0.177 (git 47780c9e), suffers from denial-of-service vulnerability caused by application crashes due to out-of-bounds write (CWE-787), off-by-one error (CWE-193) and reachable assertion (CWE-617); to exploit the vulnerability, the attackers need to craft certain ELF files which bypass the missing bound checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-21047"
},
{
"id": "CVE-2021-33294",
"summary": "In elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c .Which allows attackers to cause a denial of service (infinite loop) via crafted file.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33294"
}
]
},
{
"name": "ell",
"layer": "meta",
"version": "0.64",
"products": [
{
"product": "ell",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "expat",
"layer": "meta",
"version": "2.6.2",
"products": [
{
"product": "expat",
"cvesInRecord": "No"
},
{
"product": "libexpat",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2009-3560",
"summary": "The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3560"
},
{
"id": "CVE-2009-3720",
"summary": "The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3720"
},
{
"id": "CVE-2012-0876",
"summary": "The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0876"
},
{
"id": "CVE-2012-1147",
"summary": "readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (file descriptor consumption) via a large number of crafted XML files.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1147"
},
{
"id": "CVE-2012-1148",
"summary": "Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1148"
},
{
"id": "CVE-2012-6702",
"summary": "Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6702"
},
{
"id": "CVE-2013-0340",
"summary": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0340"
},
{
"id": "CVE-2015-1283",
"summary": "Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1283"
},
{
"id": "CVE-2016-0718",
"summary": "Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0718"
},
{
"id": "CVE-2016-4472",
"summary": "The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4472"
},
{
"id": "CVE-2016-5300",
"summary": "The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5300"
},
{
"id": "CVE-2017-11742",
"summary": "The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local users to gain privileges via a Trojan horse ADVAPI32.DLL in the current working directory because of an untrusted search path, aka DLL hijacking.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11742"
},
{
"id": "CVE-2017-9233",
"summary": "XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9233"
},
{
"id": "CVE-2018-20843",
"summary": "In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20843"
},
{
"id": "CVE-2019-15903",
"summary": "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15903"
},
{
"id": "CVE-2021-45960",
"summary": "In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).",
"scorev2": "9.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45960"
},
{
"id": "CVE-2021-46143",
"summary": "In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46143"
},
{
"id": "CVE-2022-22822",
"summary": "addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22822"
},
{
"id": "CVE-2022-22823",
"summary": "build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22823"
},
{
"id": "CVE-2022-22824",
"summary": "defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22824"
},
{
"id": "CVE-2022-22825",
"summary": "lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22825"
},
{
"id": "CVE-2022-22826",
"summary": "nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22826"
},
{
"id": "CVE-2022-22827",
"summary": "storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22827"
},
{
"id": "CVE-2022-23852",
"summary": "Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23852"
},
{
"id": "CVE-2022-23990",
"summary": "Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23990"
},
{
"id": "CVE-2022-25235",
"summary": "xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25235"
},
{
"id": "CVE-2022-25236",
"summary": "xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25236"
},
{
"id": "CVE-2022-25313",
"summary": "In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25313"
},
{
"id": "CVE-2022-25314",
"summary": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25314"
},
{
"id": "CVE-2022-25315",
"summary": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25315"
},
{
"id": "CVE-2022-40674",
"summary": "libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40674"
},
{
"id": "CVE-2022-43680",
"summary": "In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43680"
},
{
"id": "CVE-2023-52425",
"summary": "libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52425"
},
{
"id": "CVE-2023-52426",
"summary": "libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52426"
}
]
},
{
"name": "expat-native",
"layer": "meta",
"version": "2.6.2",
"products": [
{
"product": "expat",
"cvesInRecord": "No"
},
{
"product": "libexpat",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2009-3560",
"summary": "The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3560"
},
{
"id": "CVE-2009-3720",
"summary": "The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3720"
},
{
"id": "CVE-2012-0876",
"summary": "The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0876"
},
{
"id": "CVE-2012-1147",
"summary": "readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (file descriptor consumption) via a large number of crafted XML files.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1147"
},
{
"id": "CVE-2012-1148",
"summary": "Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1148"
},
{
"id": "CVE-2012-6702",
"summary": "Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6702"
},
{
"id": "CVE-2013-0340",
"summary": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0340"
},
{
"id": "CVE-2015-1283",
"summary": "Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1283"
},
{
"id": "CVE-2016-0718",
"summary": "Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0718"
},
{
"id": "CVE-2016-4472",
"summary": "The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4472"
},
{
"id": "CVE-2016-5300",
"summary": "The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5300"
},
{
"id": "CVE-2017-11742",
"summary": "The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local users to gain privileges via a Trojan horse ADVAPI32.DLL in the current working directory because of an untrusted search path, aka DLL hijacking.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11742"
},
{
"id": "CVE-2017-9233",
"summary": "XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9233"
},
{
"id": "CVE-2018-20843",
"summary": "In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20843"
},
{
"id": "CVE-2019-15903",
"summary": "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15903"
},
{
"id": "CVE-2021-45960",
"summary": "In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).",
"scorev2": "9.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45960"
},
{
"id": "CVE-2021-46143",
"summary": "In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46143"
},
{
"id": "CVE-2022-22822",
"summary": "addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22822"
},
{
"id": "CVE-2022-22823",
"summary": "build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22823"
},
{
"id": "CVE-2022-22824",
"summary": "defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22824"
},
{
"id": "CVE-2022-22825",
"summary": "lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22825"
},
{
"id": "CVE-2022-22826",
"summary": "nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22826"
},
{
"id": "CVE-2022-22827",
"summary": "storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22827"
},
{
"id": "CVE-2022-23852",
"summary": "Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23852"
},
{
"id": "CVE-2022-23990",
"summary": "Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23990"
},
{
"id": "CVE-2022-25235",
"summary": "xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25235"
},
{
"id": "CVE-2022-25236",
"summary": "xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25236"
},
{
"id": "CVE-2022-25313",
"summary": "In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25313"
},
{
"id": "CVE-2022-25314",
"summary": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25314"
},
{
"id": "CVE-2022-25315",
"summary": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25315"
},
{
"id": "CVE-2022-40674",
"summary": "libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40674"
},
{
"id": "CVE-2022-43680",
"summary": "In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43680"
},
{
"id": "CVE-2023-52425",
"summary": "libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52425"
},
{
"id": "CVE-2023-52426",
"summary": "libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52426"
}
]
},
{
"name": "file",
"layer": "meta",
"version": "5.45",
"products": [
{
"product": "file",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2003-0102",
"summary": "Buffer overflow in tryelf() in readelf.c of the file command allows attackers to execute arbitrary code as the user running file, possibly via a large entity size value in an ELF header (elfhdr.e_shentsize).",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0102"
},
{
"id": "CVE-2004-1304",
"summary": "Stack-based buffer overflow in the ELF header parsing code in file before 4.12 allows attackers to execute arbitrary code via a crafted ELF file.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1304"
},
{
"id": "CVE-2007-1536",
"summary": "Integer underflow in the file_printf function in the \"file\" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1536"
},
{
"id": "CVE-2007-2026",
"summary": "The gnu regular expression code in file 4.20 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted document with a large number of line feed characters, which is not well handled by OS/2 REXX regular expressions that use wildcards, as originally reported for AMaViS.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2026"
},
{
"id": "CVE-2007-2799",
"summary": "Integer overflow in the \"file\" program 4.20, when running on 32-bit systems, as used in products including The Sleuth Kit, might allow user-assisted attackers to execute arbitrary code via a large file that triggers an overflow that bypasses an assert() statement. NOTE: this issue is due to an incorrect patch for CVE-2007-1536.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2799"
},
{
"id": "CVE-2009-1515",
"summary": "Heap-based buffer overflow in the cdf_read_sat function in src/cdf.c in Christos Zoulas file 5.00 allows user-assisted remote attackers to execute arbitrary code via a crafted compound document file, as demonstrated by a .msi, .doc, or .mpp file. NOTE: some of these details are obtained from third party information.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1515"
},
{
"id": "CVE-2009-3930",
"summary": "Multiple integer overflows in Christos Zoulas file before 5.02 allow user-assisted remote attackers to have an unspecified impact via a malformed compound document (aka cdf) file that triggers a buffer overflow.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3930"
},
{
"id": "CVE-2012-1571",
"summary": "file before 5.11 and libmagic allow remote attackers to cause a denial of service (crash) via a crafted Composite Document File (CDF) file that triggers (1) an out-of-bounds read or (2) an invalid pointer dereference.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1571"
},
{
"id": "CVE-2013-7345",
"summary": "The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7345"
},
{
"id": "CVE-2014-0207",
"summary": "The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0207"
},
{
"id": "CVE-2014-2270",
"summary": "softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2270"
},
{
"id": "CVE-2014-3478",
"summary": "Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a FILE_PSTRING conversion.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3478"
},
{
"id": "CVE-2014-3479",
"summary": "The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3479"
},
{
"id": "CVE-2014-3480",
"summary": "The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3480"
},
{
"id": "CVE-2014-3487",
"summary": "The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3487"
},
{
"id": "CVE-2014-3538",
"summary": "file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7345.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3538"
},
{
"id": "CVE-2014-3587",
"summary": "Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3587"
},
{
"id": "CVE-2014-8116",
"summary": "The ELF parser (readelf.c) in file before 5.21 allows remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8116"
},
{
"id": "CVE-2014-8117",
"summary": "softmagic.c in file before 5.21 does not properly limit recursion, which allows remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8117"
},
{
"id": "CVE-2014-9620",
"summary": "The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9620"
},
{
"id": "CVE-2014-9621",
"summary": "The ELF parser in file 5.16 through 5.21 allows remote attackers to cause a denial of service via a long string.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9621"
},
{
"id": "CVE-2014-9652",
"summary": "The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9652"
},
{
"id": "CVE-2014-9653",
"summary": "readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9653"
},
{
"id": "CVE-2017-1000249",
"summary": "An issue in file() was introduced in commit 9611f31313a93aa036389c5f3b15eea53510d4d1 (Oct 2016) lets an attacker overwrite a fixed 20 bytes stack buffer with a specially crafted .notes section in an ELF binary. This was fixed in commit 35c94dc6acc418f1ad7f6241a6680e5327495793 (Aug 2017).",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000249"
},
{
"id": "CVE-2018-10360",
"summary": "The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10360"
},
{
"id": "CVE-2019-18218",
"summary": "cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18218"
},
{
"id": "CVE-2019-8904",
"summary": "do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8904"
},
{
"id": "CVE-2019-8905",
"summary": "do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360.",
"scorev2": "3.6",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8905"
},
{
"id": "CVE-2019-8906",
"summary": "do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read because memcpy is misused.",
"scorev2": "3.6",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8906"
},
{
"id": "CVE-2019-8907",
"summary": "do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8907"
},
{
"id": "CVE-2022-48554",
"summary": "File before 5.43 has an stack-based buffer over-read in file_copystr in funcs.c. NOTE: \"File\" is the name of an Open Source project.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48554"
}
]
},
{
"name": "file-native",
"layer": "meta",
"version": "5.45",
"products": [
{
"product": "file",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2003-0102",
"summary": "Buffer overflow in tryelf() in readelf.c of the file command allows attackers to execute arbitrary code as the user running file, possibly via a large entity size value in an ELF header (elfhdr.e_shentsize).",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0102"
},
{
"id": "CVE-2004-1304",
"summary": "Stack-based buffer overflow in the ELF header parsing code in file before 4.12 allows attackers to execute arbitrary code via a crafted ELF file.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1304"
},
{
"id": "CVE-2007-1536",
"summary": "Integer underflow in the file_printf function in the \"file\" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1536"
},
{
"id": "CVE-2007-2026",
"summary": "The gnu regular expression code in file 4.20 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted document with a large number of line feed characters, which is not well handled by OS/2 REXX regular expressions that use wildcards, as originally reported for AMaViS.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2026"
},
{
"id": "CVE-2007-2799",
"summary": "Integer overflow in the \"file\" program 4.20, when running on 32-bit systems, as used in products including The Sleuth Kit, might allow user-assisted attackers to execute arbitrary code via a large file that triggers an overflow that bypasses an assert() statement. NOTE: this issue is due to an incorrect patch for CVE-2007-1536.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2799"
},
{
"id": "CVE-2009-1515",
"summary": "Heap-based buffer overflow in the cdf_read_sat function in src/cdf.c in Christos Zoulas file 5.00 allows user-assisted remote attackers to execute arbitrary code via a crafted compound document file, as demonstrated by a .msi, .doc, or .mpp file. NOTE: some of these details are obtained from third party information.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1515"
},
{
"id": "CVE-2009-3930",
"summary": "Multiple integer overflows in Christos Zoulas file before 5.02 allow user-assisted remote attackers to have an unspecified impact via a malformed compound document (aka cdf) file that triggers a buffer overflow.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3930"
},
{
"id": "CVE-2012-1571",
"summary": "file before 5.11 and libmagic allow remote attackers to cause a denial of service (crash) via a crafted Composite Document File (CDF) file that triggers (1) an out-of-bounds read or (2) an invalid pointer dereference.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1571"
},
{
"id": "CVE-2013-7345",
"summary": "The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7345"
},
{
"id": "CVE-2014-0207",
"summary": "The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0207"
},
{
"id": "CVE-2014-2270",
"summary": "softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2270"
},
{
"id": "CVE-2014-3478",
"summary": "Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a FILE_PSTRING conversion.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3478"
},
{
"id": "CVE-2014-3479",
"summary": "The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3479"
},
{
"id": "CVE-2014-3480",
"summary": "The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3480"
},
{
"id": "CVE-2014-3487",
"summary": "The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3487"
},
{
"id": "CVE-2014-3538",
"summary": "file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7345.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3538"
},
{
"id": "CVE-2014-3587",
"summary": "Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3587"
},
{
"id": "CVE-2014-8116",
"summary": "The ELF parser (readelf.c) in file before 5.21 allows remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8116"
},
{
"id": "CVE-2014-8117",
"summary": "softmagic.c in file before 5.21 does not properly limit recursion, which allows remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8117"
},
{
"id": "CVE-2014-9620",
"summary": "The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9620"
},
{
"id": "CVE-2014-9621",
"summary": "The ELF parser in file 5.16 through 5.21 allows remote attackers to cause a denial of service via a long string.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9621"
},
{
"id": "CVE-2014-9652",
"summary": "The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9652"
},
{
"id": "CVE-2014-9653",
"summary": "readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9653"
},
{
"id": "CVE-2017-1000249",
"summary": "An issue in file() was introduced in commit 9611f31313a93aa036389c5f3b15eea53510d4d1 (Oct 2016) lets an attacker overwrite a fixed 20 bytes stack buffer with a specially crafted .notes section in an ELF binary. This was fixed in commit 35c94dc6acc418f1ad7f6241a6680e5327495793 (Aug 2017).",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000249"
},
{
"id": "CVE-2018-10360",
"summary": "The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10360"
},
{
"id": "CVE-2019-18218",
"summary": "cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18218"
},
{
"id": "CVE-2019-8904",
"summary": "do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8904"
},
{
"id": "CVE-2019-8905",
"summary": "do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360.",
"scorev2": "3.6",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8905"
},
{
"id": "CVE-2019-8906",
"summary": "do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read because memcpy is misused.",
"scorev2": "3.6",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8906"
},
{
"id": "CVE-2019-8907",
"summary": "do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8907"
},
{
"id": "CVE-2022-48554",
"summary": "File before 5.43 has an stack-based buffer over-read in file_copystr in funcs.c. NOTE: \"File\" is the name of an Open Source project.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48554"
}
]
},
{
"name": "findutils",
"layer": "meta",
"version": "4.9.0",
"products": [
{
"product": "findutils",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2001-1036",
"summary": "GNU locate in findutils 4.1 on Slackware 7.1 and 8.0 allows local users to gain privileges via an old formatted filename database (locatedb) that contains an entry with an out-of-range offset, which causes locate to write to arbitrary process memory.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1036"
},
{
"id": "CVE-2007-2452",
"summary": "Heap-based buffer overflow in the visit_old_format function in locate/locate.c in locate in GNU findutils before 4.2.31 might allow context-dependent attackers to execute arbitrary code via a long pathname in a locate database that has the old format, a different vulnerability than CVE-2001-1036.",
"scorev2": "6.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2452"
}
]
},
{
"name": "flac",
"layer": "meta",
"version": "1.4.3",
"products": [
{
"product": "libflac",
"cvesInRecord": "Yes"
},
{
"product": "flac",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-4619",
"summary": "Multiple integer overflows in Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1, as used in Winamp before 5.5 and other products, allow user-assisted remote attackers to execute arbitrary code via a malformed FLAC file that triggers improper memory allocation, resulting in a heap-based buffer overflow.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4619"
},
{
"id": "CVE-2007-6277",
"summary": "Multiple buffer overflows in Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allow user-assisted remote attackers to execute arbitrary code via large (1) Metadata Block Size, (2) VORBIS Comment String Size, (3) Picture Metadata MIME-TYPE Size, (4) Picture Description Size, (5) Picture Data Length, (6) Padding Length, and (7) PICTURE Metadata width and height values in a .FLAC file, which result in a heap-based overflow; and large (8) VORBIS Comment String Size Length, (9) Picture MIME-Type, (10) Picture MIME-Type URL, and (11) Picture Description Length values in a .FLAC file, which result in a stack-based overflow. NOTE: some of these issues may overlap CVE-2007-4619.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6277"
},
{
"id": "CVE-2007-6278",
"summary": "Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allows user-assisted remote attackers to force a client to download arbitrary files via the MIME-Type URL flag (-->) for the FLAC image file in a crafted .FLAC file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6278"
},
{
"id": "CVE-2007-6279",
"summary": "Multiple double free vulnerabilities in Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allow user-assisted remote attackers to execute arbitrary code via malformed (1) Seektable values or (2) Seektable Data Offsets in a .FLAC file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6279"
},
{
"id": "CVE-2014-8962",
"summary": "Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8962"
},
{
"id": "CVE-2014-9028",
"summary": "Heap-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9028"
},
{
"id": "CVE-2017-6888",
"summary": "An error in the \"read_metadata_vorbiscomment_()\" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6888"
},
{
"id": "CVE-2020-22219",
"summary": "Buffer Overflow vulnerability in function bitwriter_grow_ in flac before 1.4.0 allows remote attackers to run arbitrary code via crafted input to the encoder.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-22219"
}
]
},
{
"name": "flex",
"layer": "meta",
"version": "2.6.4",
"products": [
{
"product": "flex",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "flex-native",
"layer": "meta",
"version": "2.6.4",
"products": [
{
"product": "flex",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "flite",
"layer": "meta-agl-demo",
"version": "1.06",
"products": [
{
"product": "flite",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2014-0027",
"summary": "The play_wave_from_socket function in audio/auserver.c in Flite 1.4 allows local users to modify arbitrary files via a symlink attack on /tmp/awb.wav. NOTE: some of these details are obtained from third party information.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0027"
}
]
},
{
"name": "flite-voicedata",
"layer": "meta-agl-demo",
"version": "1.05",
"products": [
{
"product": "flite-voicedata",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "fmt",
"layer": "meta-oe",
"version": "10.2.1",
"products": [
{
"product": "fmt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2018-1000052",
"summary": "fmtlib version prior to version 4.1.0 (before commit 0555cea5fc0bf890afe0071a558e44625a34ba85) contains a Memory corruption (SIGSEGV), CWE-134 vulnerability in fmt::print() library function that can result in Denial of Service. This attack appear to be exploitable via Specifying an invalid format specifier in the fmt::print() function results in a SIGSEGV (memory corruption, invalid write). This vulnerability appears to have been fixed in after commit 8cf30aa2be256eba07bb1cefb998c52326e846e7.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000052"
}
]
},
{
"name": "fontconfig",
"layer": "meta",
"version": "2.15.0",
"products": [
{
"product": "fontconfig",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2016-5384",
"summary": "fontconfig before 2.12.1 does not validate offsets, which allows local users to trigger arbitrary free calls and consequently conduct double free attacks and execute arbitrary code via a crafted cache file.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5384"
}
]
},
{
"name": "fontconfig-native",
"layer": "meta",
"version": "2.15.0",
"products": [
{
"product": "fontconfig",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2016-5384",
"summary": "fontconfig before 2.12.1 does not validate offsets, which allows local users to trigger arbitrary free calls and consequently conduct double free attacks and execute arbitrary code via a crafted cache file.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5384"
}
]
},
{
"name": "fontforge-native",
"layer": "meta-oe",
"version": "20230101",
"products": [
{
"product": "fontforge",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2010-4259",
"summary": "Stack-based buffer overflow in FontForge 20100501 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long CHARSET_REGISTRY header in a BDF font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4259"
},
{
"id": "CVE-2017-11568",
"summary": "FontForge 20161012 is vulnerable to a heap-based buffer over-read in PSCharStringToSplines (psread.c) resulting in DoS or code execution via a crafted otf file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11568"
},
{
"id": "CVE-2017-11569",
"summary": "FontForge 20161012 is vulnerable to a heap-based buffer over-read in readttfcopyrights (parsettf.c) resulting in DoS or code execution via a crafted otf file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11569"
},
{
"id": "CVE-2017-11570",
"summary": "FontForge 20161012 is vulnerable to a buffer over-read in umodenc (parsettf.c) resulting in DoS or code execution via a crafted otf file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11570"
},
{
"id": "CVE-2017-11571",
"summary": "FontForge 20161012 is vulnerable to a stack-based buffer overflow in addnibble (parsettf.c) resulting in DoS or code execution via a crafted otf file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11571"
},
{
"id": "CVE-2017-11572",
"summary": "FontForge 20161012 is vulnerable to a heap-based buffer over-read in readcfftopdicts (parsettf.c) resulting in DoS or code execution via a crafted otf file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11572"
},
{
"id": "CVE-2017-11573",
"summary": "FontForge 20161012 is vulnerable to a buffer over-read in ValidatePostScriptFontName (parsettf.c) resulting in DoS or code execution via a crafted otf file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11573"
},
{
"id": "CVE-2017-11574",
"summary": "FontForge 20161012 is vulnerable to a heap-based buffer overflow in readcffset (parsettf.c) resulting in DoS or code execution via a crafted otf file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11574"
},
{
"id": "CVE-2017-11575",
"summary": "FontForge 20161012 is vulnerable to a buffer over-read in strnmatch (char.c) resulting in DoS or code execution via a crafted otf file, related to a call from the readttfcopyrights function in parsettf.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11575"
},
{
"id": "CVE-2017-11576",
"summary": "FontForge 20161012 does not ensure a positive size in a weight vector memcpy call in readcfftopdict (parsettf.c) resulting in DoS via a crafted otf file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11576"
},
{
"id": "CVE-2017-11577",
"summary": "FontForge 20161012 is vulnerable to a buffer over-read in getsid (parsettf.c) resulting in DoS or code execution via a crafted otf file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11577"
},
{
"id": "CVE-2017-17521",
"summary": "uiutil.c in FontForge through 20170731 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, a different vulnerability than CVE-2017-17534.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17521"
},
{
"id": "CVE-2019-15785",
"summary": "FontForge 20190813 through 20190820 has a buffer overflow in PrefsUI_LoadPrefs in prefs.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15785"
},
{
"id": "CVE-2020-25690",
"summary": "An out-of-bounds write flaw was found in FontForge in versions before 20200314 while parsing SFD files containing certain LayerCount tokens. This flaw allows an attacker to manipulate the memory allocated on the heap, causing the application to crash or execute arbitrary code. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25690"
},
{
"id": "CVE-2020-5395",
"summary": "FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in sfd.c.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-5395"
},
{
"id": "CVE-2020-5496",
"summary": "FontForge 20190801 has a heap-based buffer overflow in the Type2NotDefSplines() function in splinesave.c.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-5496"
}
]
},
{
"name": "freetype",
"layer": "meta",
"version": "2.13.2",
"products": [
{
"product": "freetype",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2006-0747",
"summary": "Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0747"
},
{
"id": "CVE-2006-1861",
"summary": "Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. NOTE: item 4 was originally identified by CVE-2006-2493.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1861"
},
{
"id": "CVE-2006-2661",
"summary": "ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file that triggers a null dereference.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2661"
},
{
"id": "CVE-2006-3467",
"summary": "Integer overflow in FreeType before 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PCF file, as demonstrated by the Red Hat bad1.pcf test file, due to a partial fix of CVE-2006-1861.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3467"
},
{
"id": "CVE-2007-2754",
"summary": "Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2754"
},
{
"id": "CVE-2007-3506",
"summary": "The ft_bitmap_assure_buffer function in src/base/ftbimap.c in FreeType 2.3.3 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors involving bitmap fonts, related to a \"memory buffer overwrite bug.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3506"
},
{
"id": "CVE-2008-1806",
"summary": "Integer overflow in FreeType2 before 2.3.6 allows context-dependent attackers to execute arbitrary code via a crafted set of 16-bit length values within the Private dictionary table in a Printer Font Binary (PFB) file, which triggers a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1806"
},
{
"id": "CVE-2008-1807",
"summary": "FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via an invalid \"number of axes\" field in a Printer Font Binary (PFB) file, which triggers a free of arbitrary memory locations, leading to memory corruption.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1807"
},
{
"id": "CVE-2008-1808",
"summary": "Multiple off-by-one errors in FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via (1) a crafted table in a Printer Font Binary (PFB) file or (2) a crafted SHC instruction in a TrueType Font (TTF) file, which triggers a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1808"
},
{
"id": "CVE-2009-0946",
"summary": "Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0946"
},
{
"id": "CVE-2010-2497",
"summary": "Integer underflow in glyph handling in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2497"
},
{
"id": "CVE-2010-2498",
"summary": "The psh_glyph_find_strong_points function in pshinter/pshalgo.c in FreeType before 2.4.0 does not properly implement hinting masks, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted font file that triggers an invalid free operation.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2498"
},
{
"id": "CVE-2010-2499",
"summary": "Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted LaserWriter PS font file with an embedded PFB fragment.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2499"
},
{
"id": "CVE-2010-2500",
"summary": "Integer overflow in the gray_render_span function in smooth/ftgrays.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2500"
},
{
"id": "CVE-2010-2519",
"summary": "Heap-based buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted length value in a POST fragment header in a font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2519"
},
{
"id": "CVE-2010-2520",
"summary": "Heap-based buffer overflow in the Ins_IUP function in truetype/ttinterp.c in FreeType before 2.4.0, when TrueType bytecode support is enabled, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2520"
},
{
"id": "CVE-2010-2527",
"summary": "Multiple buffer overflows in demo programs in FreeType before 2.4.0 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2527"
},
{
"id": "CVE-2010-2541",
"summary": "Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2541"
},
{
"id": "CVE-2010-2805",
"summary": "The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before 2.4.2 does not properly validate certain position values, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2805"
},
{
"id": "CVE-2010-2806",
"summary": "Array index error in the t42_parse_sfnts function in type42/t42parse.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via negative size values for certain strings in FontType42 font files, leading to a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2806"
},
{
"id": "CVE-2010-2807",
"summary": "FreeType before 2.4.2 uses incorrect integer data types during bounds checking, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2807"
},
{
"id": "CVE-2010-2808",
"summary": "Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Adobe Type 1 Mac Font File (aka LWFN) font.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2808"
},
{
"id": "CVE-2010-3053",
"summary": "bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) via a crafted BDF font file, related to an attempted modification of a value in a static string.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3053"
},
{
"id": "CVE-2010-3054",
"summary": "Unspecified vulnerability in FreeType 2.3.9, and other versions before 2.4.2, allows remote attackers to cause a denial of service via vectors involving nested Standard Encoding Accented Character (aka seac) calls, related to psaux.h, cffgload.c, cffgload.h, and t1decode.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3054"
},
{
"id": "CVE-2010-3311",
"summary": "Integer overflow in base/ftstream.c in libXft (aka the X FreeType library) in FreeType before 2.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Compact Font Format (CFF) font file that triggers a heap-based buffer overflow, related to an \"input stream position error\" issue, a different vulnerability than CVE-2010-1797.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3311"
},
{
"id": "CVE-2010-3814",
"summary": "Heap-based buffer overflow in the Ins_SHZ function in ttinterp.c in FreeType 2.4.3 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted SHZ bytecode instruction, related to TrueType opcodes, as demonstrated by a PDF document with a crafted embedded font.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3814"
},
{
"id": "CVE-2010-3855",
"summary": "Buffer overflow in the ft_var_readpackedpoints function in truetype/ttgxvar.c in FreeType 2.4.3 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TrueType GX font.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3855"
},
{
"id": "CVE-2011-0226",
"summary": "Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0226"
},
{
"id": "CVE-2011-2895",
"summary": "The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2895"
},
{
"id": "CVE-2012-1126",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a BDF font.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1126"
},
{
"id": "CVE-2012-1127",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1127"
},
{
"id": "CVE-2012-1128",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (NULL pointer dereference and memory corruption) or possibly execute arbitrary code via a crafted TrueType font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1128"
},
{
"id": "CVE-2012-1129",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted SFNT string in a Type 42 font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1129"
},
{
"id": "CVE-2012-1130",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a PCF font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1130"
},
{
"id": "CVE-2012-1131",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, on 64-bit platforms allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors related to the cell table of a font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1131"
},
{
"id": "CVE-2012-1132",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted dictionary data in a Type 1 font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1132"
},
{
"id": "CVE-2012-1133",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1133"
},
{
"id": "CVE-2012-1134",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted private-dictionary data in a Type 1 font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1134"
},
{
"id": "CVE-2012-1135",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the NPUSHB and NPUSHW instructions in a TrueType font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1135"
},
{
"id": "CVE-2012-1136",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font that lacks an ENCODING field.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1136"
},
{
"id": "CVE-2012-1137",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted header in a BDF font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1137"
},
{
"id": "CVE-2012-1138",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the MIRP instruction in a TrueType font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1138"
},
{
"id": "CVE-2012-1139",
"summary": "Array index error in FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid stack read operation and memory corruption) or possibly execute arbitrary code via crafted glyph data in a BDF font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1139"
},
{
"id": "CVE-2012-1140",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted PostScript font object.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1140"
},
{
"id": "CVE-2012-1141",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted ASCII string in a BDF font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1141"
},
{
"id": "CVE-2012-1142",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph-outline data in a font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1142"
},
{
"id": "CVE-2012-1143",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted font.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1143"
},
{
"id": "CVE-2012-1144",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via a crafted TrueType font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1144"
},
{
"id": "CVE-2012-5668",
"summary": "FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to BDF fonts and the improper handling of an \"allocation error\" in the bdf_free_font function.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5668"
},
{
"id": "CVE-2012-5669",
"summary": "The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to BDF fonts and an incorrect calculation that triggers an out-of-bounds read.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5669"
},
{
"id": "CVE-2012-5670",
"summary": "The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) via vectors related to BDF fonts and an ENCODING field with a negative value.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5670"
},
{
"id": "CVE-2014-2240",
"summary": "Stack-based buffer overflow in the cf2_hintmap_build function in cff/cf2hints.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of stem hints in a font file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2240"
},
{
"id": "CVE-2014-2241",
"summary": "The (1) cf2_initLocalRegionBuffer and (2) cf2_initGlobalRegionBuffer functions in cff/cf2ft.c in FreeType before 2.5.3 do not properly check if a subroutine exists, which allows remote attackers to cause a denial of service (assertion failure), as demonstrated by a crafted ttf file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2241"
},
{
"id": "CVE-2014-9656",
"summary": "The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType before 2.5.4 does not properly check for an integer overflow, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted OpenType font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9656"
},
{
"id": "CVE-2014-9657",
"summary": "The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4 does not establish a minimum record size, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9657"
},
{
"id": "CVE-2014-9658",
"summary": "The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5.4 enforces an incorrect minimum table length, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9658"
},
{
"id": "CVE-2014-9659",
"summary": "cff/cf2intrp.c in the CFF CharString interpreter in FreeType before 2.5.4 proceeds with additional hints after the hint mask has been computed, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted OpenType font. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2240.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9659"
},
{
"id": "CVE-2014-9660",
"summary": "The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before 2.5.4 does not properly handle a missing ENDCHAR record, which allows remote attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted BDF font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9660"
},
{
"id": "CVE-2014-9661",
"summary": "type42/t42parse.c in FreeType before 2.5.4 does not consider that scanning can be incomplete without triggering an error, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted Type42 font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9661"
},
{
"id": "CVE-2014-9662",
"summary": "cff/cf2ft.c in FreeType before 2.5.4 does not validate the return values of point-allocation functions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted OTF font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9662"
},
{
"id": "CVE-2014-9663",
"summary": "The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before 2.5.4 validates a certain length field before that field's value is completely calculated, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted cmap SFNT table.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9663"
},
{
"id": "CVE-2014-9664",
"summary": "FreeType before 2.5.4 does not check for the end of the data during certain parsing actions, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted Type42 font, related to type42/t42parse.c and type1/t1load.c.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9664"
},
{
"id": "CVE-2014-9665",
"summary": "The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 does not restrict the rows and pitch values of PNG data, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact by embedding a PNG file in a .ttf font file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9665"
},
{
"id": "CVE-2014-9666",
"summary": "The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4 proceeds with a count-to-size association without restricting the count value, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted embedded bitmap.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9666"
},
{
"id": "CVE-2014-9667",
"summary": "sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting the values, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted SFNT table.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9667"
},
{
"id": "CVE-2014-9668",
"summary": "The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting length values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Web Open Font Format (WOFF) file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9668"
},
{
"id": "CVE-2014-9669",
"summary": "Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (out-of-bounds read or memory corruption) or possibly have unspecified other impact via a crafted cmap SFNT table.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9669"
},
{
"id": "CVE-2014-9670",
"summary": "Multiple integer signedness errors in the pcf_get_encodings function in pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (integer overflow, NULL pointer dereference, and application crash) via a crafted PCF file that specifies negative values for the first column and first row.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9670"
},
{
"id": "CVE-2014-9671",
"summary": "Off-by-one error in the pcf_get_properties function in pcf/pcfread.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PCF file with a 0xffffffff size value that is improperly incremented.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9671"
},
{
"id": "CVE-2014-9672",
"summary": "Array index error in the parse_fond function in base/ftmac.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information from process memory via a crafted FOND resource in a Mac font file.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9672"
},
{
"id": "CVE-2014-9673",
"summary": "Integer signedness error in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9673"
},
{
"id": "CVE-2014-9674",
"summary": "The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 proceeds with adding to length values without validating the original values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9674"
},
{
"id": "CVE-2014-9675",
"summary": "bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only verifying that an initial substring is present, which allows remote attackers to discover heap pointer values and bypass the ASLR protection mechanism via a crafted BDF font.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9675"
},
{
"id": "CVE-2014-9745",
"summary": "The parse_encoding function in type1/t1load.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (infinite loop) via a \"broken number-with-base\" in a Postscript stream, as demonstrated by 8#garbage.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9745"
},
{
"id": "CVE-2014-9746",
"summary": "The (1) t1_parse_font_matrix function in type1/t1load.c, (2) cid_parse_font_matrix function in cid/cidload.c, (3) t42_parse_font_matrix function in type42/t42parse.c, and (4) ps_parser_load_field function in psaux/psobjs.c in FreeType before 2.5.4 do not check return values, which allows remote attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted font.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9746"
},
{
"id": "CVE-2014-9747",
"summary": "The t42_parse_encoding function in type42/t42parse.c in FreeType before 2.5.4 does not properly update the current position for immediates-only mode, which allows remote attackers to cause a denial of service (infinite loop) via a Type42 font.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9747"
},
{
"id": "CVE-2015-9290",
"summary": "In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c on function T1_Get_Private_Dict where there is no check that the new values of cur and limit are sensible before going to Again.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9290"
},
{
"id": "CVE-2015-9381",
"summary": "FreeType before 2.6.1 has a heap-based buffer over-read in T1_Get_Private_Dict in type1/t1parse.c.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9381"
},
{
"id": "CVE-2015-9382",
"summary": "FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9382"
},
{
"id": "CVE-2015-9383",
"summary": "FreeType before 2.6.2 has a heap-based buffer over-read in tt_cmap14_validate in sfnt/ttcmap.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9383"
},
{
"id": "CVE-2016-10244",
"summary": "The parse_charstrings function in type1/t1load.c in FreeType 2 before 2.7 does not ensure that a font contains a glyph name, which allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10244"
},
{
"id": "CVE-2016-10328",
"summary": "FreeType 2 before 2016-12-16 has an out-of-bounds write caused by a heap-based buffer overflow related to the cff_parser_run function in cff/cffparse.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10328"
},
{
"id": "CVE-2017-7857",
"summary": "FreeType 2 before 2017-03-08 has an out-of-bounds write caused by a heap-based buffer overflow related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7857"
},
{
"id": "CVE-2017-7858",
"summary": "FreeType 2 before 2017-03-07 has an out-of-bounds write related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7858"
},
{
"id": "CVE-2017-7864",
"summary": "FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a heap-based buffer overflow related to the tt_size_reset function in truetype/ttobjs.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7864"
},
{
"id": "CVE-2017-8105",
"summary": "FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8105"
},
{
"id": "CVE-2017-8287",
"summary": "FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_contour function in psaux/psobjs.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8287"
},
{
"id": "CVE-2018-6942",
"summary": "An issue was discovered in FreeType 2 through 2.9. A NULL pointer dereference in the Ins_GETVARIATION() function within ttinterp.c could lead to DoS via a crafted font file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6942"
},
{
"id": "CVE-2020-15999",
"summary": "Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15999"
},
{
"id": "CVE-2022-27404",
"summary": "FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27404"
},
{
"id": "CVE-2022-27405",
"summary": "FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27405"
},
{
"id": "CVE-2022-27406",
"summary": "FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27406"
}
]
},
{
"name": "freetype-native",
"layer": "meta",
"version": "2.13.2",
"products": [
{
"product": "freetype",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2006-0747",
"summary": "Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0747"
},
{
"id": "CVE-2006-1861",
"summary": "Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. NOTE: item 4 was originally identified by CVE-2006-2493.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1861"
},
{
"id": "CVE-2006-2661",
"summary": "ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file that triggers a null dereference.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2661"
},
{
"id": "CVE-2006-3467",
"summary": "Integer overflow in FreeType before 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PCF file, as demonstrated by the Red Hat bad1.pcf test file, due to a partial fix of CVE-2006-1861.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3467"
},
{
"id": "CVE-2007-2754",
"summary": "Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2754"
},
{
"id": "CVE-2007-3506",
"summary": "The ft_bitmap_assure_buffer function in src/base/ftbimap.c in FreeType 2.3.3 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors involving bitmap fonts, related to a \"memory buffer overwrite bug.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3506"
},
{
"id": "CVE-2008-1806",
"summary": "Integer overflow in FreeType2 before 2.3.6 allows context-dependent attackers to execute arbitrary code via a crafted set of 16-bit length values within the Private dictionary table in a Printer Font Binary (PFB) file, which triggers a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1806"
},
{
"id": "CVE-2008-1807",
"summary": "FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via an invalid \"number of axes\" field in a Printer Font Binary (PFB) file, which triggers a free of arbitrary memory locations, leading to memory corruption.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1807"
},
{
"id": "CVE-2008-1808",
"summary": "Multiple off-by-one errors in FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via (1) a crafted table in a Printer Font Binary (PFB) file or (2) a crafted SHC instruction in a TrueType Font (TTF) file, which triggers a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1808"
},
{
"id": "CVE-2009-0946",
"summary": "Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0946"
},
{
"id": "CVE-2010-2497",
"summary": "Integer underflow in glyph handling in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2497"
},
{
"id": "CVE-2010-2498",
"summary": "The psh_glyph_find_strong_points function in pshinter/pshalgo.c in FreeType before 2.4.0 does not properly implement hinting masks, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted font file that triggers an invalid free operation.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2498"
},
{
"id": "CVE-2010-2499",
"summary": "Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted LaserWriter PS font file with an embedded PFB fragment.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2499"
},
{
"id": "CVE-2010-2500",
"summary": "Integer overflow in the gray_render_span function in smooth/ftgrays.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2500"
},
{
"id": "CVE-2010-2519",
"summary": "Heap-based buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted length value in a POST fragment header in a font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2519"
},
{
"id": "CVE-2010-2520",
"summary": "Heap-based buffer overflow in the Ins_IUP function in truetype/ttinterp.c in FreeType before 2.4.0, when TrueType bytecode support is enabled, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2520"
},
{
"id": "CVE-2010-2527",
"summary": "Multiple buffer overflows in demo programs in FreeType before 2.4.0 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2527"
},
{
"id": "CVE-2010-2541",
"summary": "Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2541"
},
{
"id": "CVE-2010-2805",
"summary": "The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before 2.4.2 does not properly validate certain position values, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2805"
},
{
"id": "CVE-2010-2806",
"summary": "Array index error in the t42_parse_sfnts function in type42/t42parse.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via negative size values for certain strings in FontType42 font files, leading to a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2806"
},
{
"id": "CVE-2010-2807",
"summary": "FreeType before 2.4.2 uses incorrect integer data types during bounds checking, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2807"
},
{
"id": "CVE-2010-2808",
"summary": "Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Adobe Type 1 Mac Font File (aka LWFN) font.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2808"
},
{
"id": "CVE-2010-3053",
"summary": "bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) via a crafted BDF font file, related to an attempted modification of a value in a static string.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3053"
},
{
"id": "CVE-2010-3054",
"summary": "Unspecified vulnerability in FreeType 2.3.9, and other versions before 2.4.2, allows remote attackers to cause a denial of service via vectors involving nested Standard Encoding Accented Character (aka seac) calls, related to psaux.h, cffgload.c, cffgload.h, and t1decode.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3054"
},
{
"id": "CVE-2010-3311",
"summary": "Integer overflow in base/ftstream.c in libXft (aka the X FreeType library) in FreeType before 2.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Compact Font Format (CFF) font file that triggers a heap-based buffer overflow, related to an \"input stream position error\" issue, a different vulnerability than CVE-2010-1797.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3311"
},
{
"id": "CVE-2010-3814",
"summary": "Heap-based buffer overflow in the Ins_SHZ function in ttinterp.c in FreeType 2.4.3 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted SHZ bytecode instruction, related to TrueType opcodes, as demonstrated by a PDF document with a crafted embedded font.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3814"
},
{
"id": "CVE-2010-3855",
"summary": "Buffer overflow in the ft_var_readpackedpoints function in truetype/ttgxvar.c in FreeType 2.4.3 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TrueType GX font.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3855"
},
{
"id": "CVE-2011-0226",
"summary": "Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0226"
},
{
"id": "CVE-2011-2895",
"summary": "The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2895"
},
{
"id": "CVE-2012-1126",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a BDF font.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1126"
},
{
"id": "CVE-2012-1127",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1127"
},
{
"id": "CVE-2012-1128",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (NULL pointer dereference and memory corruption) or possibly execute arbitrary code via a crafted TrueType font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1128"
},
{
"id": "CVE-2012-1129",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted SFNT string in a Type 42 font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1129"
},
{
"id": "CVE-2012-1130",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a PCF font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1130"
},
{
"id": "CVE-2012-1131",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, on 64-bit platforms allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors related to the cell table of a font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1131"
},
{
"id": "CVE-2012-1132",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted dictionary data in a Type 1 font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1132"
},
{
"id": "CVE-2012-1133",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1133"
},
{
"id": "CVE-2012-1134",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted private-dictionary data in a Type 1 font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1134"
},
{
"id": "CVE-2012-1135",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the NPUSHB and NPUSHW instructions in a TrueType font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1135"
},
{
"id": "CVE-2012-1136",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font that lacks an ENCODING field.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1136"
},
{
"id": "CVE-2012-1137",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted header in a BDF font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1137"
},
{
"id": "CVE-2012-1138",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the MIRP instruction in a TrueType font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1138"
},
{
"id": "CVE-2012-1139",
"summary": "Array index error in FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid stack read operation and memory corruption) or possibly execute arbitrary code via crafted glyph data in a BDF font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1139"
},
{
"id": "CVE-2012-1140",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted PostScript font object.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1140"
},
{
"id": "CVE-2012-1141",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted ASCII string in a BDF font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1141"
},
{
"id": "CVE-2012-1142",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph-outline data in a font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1142"
},
{
"id": "CVE-2012-1143",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted font.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1143"
},
{
"id": "CVE-2012-1144",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via a crafted TrueType font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1144"
},
{
"id": "CVE-2012-5668",
"summary": "FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to BDF fonts and the improper handling of an \"allocation error\" in the bdf_free_font function.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5668"
},
{
"id": "CVE-2012-5669",
"summary": "The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to BDF fonts and an incorrect calculation that triggers an out-of-bounds read.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5669"
},
{
"id": "CVE-2012-5670",
"summary": "The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) via vectors related to BDF fonts and an ENCODING field with a negative value.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5670"
},
{
"id": "CVE-2014-2240",
"summary": "Stack-based buffer overflow in the cf2_hintmap_build function in cff/cf2hints.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of stem hints in a font file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2240"
},
{
"id": "CVE-2014-2241",
"summary": "The (1) cf2_initLocalRegionBuffer and (2) cf2_initGlobalRegionBuffer functions in cff/cf2ft.c in FreeType before 2.5.3 do not properly check if a subroutine exists, which allows remote attackers to cause a denial of service (assertion failure), as demonstrated by a crafted ttf file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2241"
},
{
"id": "CVE-2014-9656",
"summary": "The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType before 2.5.4 does not properly check for an integer overflow, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted OpenType font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9656"
},
{
"id": "CVE-2014-9657",
"summary": "The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4 does not establish a minimum record size, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9657"
},
{
"id": "CVE-2014-9658",
"summary": "The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5.4 enforces an incorrect minimum table length, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9658"
},
{
"id": "CVE-2014-9659",
"summary": "cff/cf2intrp.c in the CFF CharString interpreter in FreeType before 2.5.4 proceeds with additional hints after the hint mask has been computed, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted OpenType font. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2240.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9659"
},
{
"id": "CVE-2014-9660",
"summary": "The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before 2.5.4 does not properly handle a missing ENDCHAR record, which allows remote attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted BDF font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9660"
},
{
"id": "CVE-2014-9661",
"summary": "type42/t42parse.c in FreeType before 2.5.4 does not consider that scanning can be incomplete without triggering an error, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted Type42 font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9661"
},
{
"id": "CVE-2014-9662",
"summary": "cff/cf2ft.c in FreeType before 2.5.4 does not validate the return values of point-allocation functions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted OTF font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9662"
},
{
"id": "CVE-2014-9663",
"summary": "The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before 2.5.4 validates a certain length field before that field's value is completely calculated, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted cmap SFNT table.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9663"
},
{
"id": "CVE-2014-9664",
"summary": "FreeType before 2.5.4 does not check for the end of the data during certain parsing actions, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted Type42 font, related to type42/t42parse.c and type1/t1load.c.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9664"
},
{
"id": "CVE-2014-9665",
"summary": "The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 does not restrict the rows and pitch values of PNG data, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact by embedding a PNG file in a .ttf font file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9665"
},
{
"id": "CVE-2014-9666",
"summary": "The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4 proceeds with a count-to-size association without restricting the count value, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted embedded bitmap.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9666"
},
{
"id": "CVE-2014-9667",
"summary": "sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting the values, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted SFNT table.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9667"
},
{
"id": "CVE-2014-9668",
"summary": "The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting length values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Web Open Font Format (WOFF) file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9668"
},
{
"id": "CVE-2014-9669",
"summary": "Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (out-of-bounds read or memory corruption) or possibly have unspecified other impact via a crafted cmap SFNT table.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9669"
},
{
"id": "CVE-2014-9670",
"summary": "Multiple integer signedness errors in the pcf_get_encodings function in pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (integer overflow, NULL pointer dereference, and application crash) via a crafted PCF file that specifies negative values for the first column and first row.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9670"
},
{
"id": "CVE-2014-9671",
"summary": "Off-by-one error in the pcf_get_properties function in pcf/pcfread.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PCF file with a 0xffffffff size value that is improperly incremented.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9671"
},
{
"id": "CVE-2014-9672",
"summary": "Array index error in the parse_fond function in base/ftmac.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information from process memory via a crafted FOND resource in a Mac font file.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9672"
},
{
"id": "CVE-2014-9673",
"summary": "Integer signedness error in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9673"
},
{
"id": "CVE-2014-9674",
"summary": "The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 proceeds with adding to length values without validating the original values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9674"
},
{
"id": "CVE-2014-9675",
"summary": "bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only verifying that an initial substring is present, which allows remote attackers to discover heap pointer values and bypass the ASLR protection mechanism via a crafted BDF font.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9675"
},
{
"id": "CVE-2014-9745",
"summary": "The parse_encoding function in type1/t1load.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (infinite loop) via a \"broken number-with-base\" in a Postscript stream, as demonstrated by 8#garbage.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9745"
},
{
"id": "CVE-2014-9746",
"summary": "The (1) t1_parse_font_matrix function in type1/t1load.c, (2) cid_parse_font_matrix function in cid/cidload.c, (3) t42_parse_font_matrix function in type42/t42parse.c, and (4) ps_parser_load_field function in psaux/psobjs.c in FreeType before 2.5.4 do not check return values, which allows remote attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted font.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9746"
},
{
"id": "CVE-2014-9747",
"summary": "The t42_parse_encoding function in type42/t42parse.c in FreeType before 2.5.4 does not properly update the current position for immediates-only mode, which allows remote attackers to cause a denial of service (infinite loop) via a Type42 font.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9747"
},
{
"id": "CVE-2015-9290",
"summary": "In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c on function T1_Get_Private_Dict where there is no check that the new values of cur and limit are sensible before going to Again.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9290"
},
{
"id": "CVE-2015-9381",
"summary": "FreeType before 2.6.1 has a heap-based buffer over-read in T1_Get_Private_Dict in type1/t1parse.c.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9381"
},
{
"id": "CVE-2015-9382",
"summary": "FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9382"
},
{
"id": "CVE-2015-9383",
"summary": "FreeType before 2.6.2 has a heap-based buffer over-read in tt_cmap14_validate in sfnt/ttcmap.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9383"
},
{
"id": "CVE-2016-10244",
"summary": "The parse_charstrings function in type1/t1load.c in FreeType 2 before 2.7 does not ensure that a font contains a glyph name, which allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10244"
},
{
"id": "CVE-2016-10328",
"summary": "FreeType 2 before 2016-12-16 has an out-of-bounds write caused by a heap-based buffer overflow related to the cff_parser_run function in cff/cffparse.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10328"
},
{
"id": "CVE-2017-7857",
"summary": "FreeType 2 before 2017-03-08 has an out-of-bounds write caused by a heap-based buffer overflow related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7857"
},
{
"id": "CVE-2017-7858",
"summary": "FreeType 2 before 2017-03-07 has an out-of-bounds write related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7858"
},
{
"id": "CVE-2017-7864",
"summary": "FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a heap-based buffer overflow related to the tt_size_reset function in truetype/ttobjs.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7864"
},
{
"id": "CVE-2017-8105",
"summary": "FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8105"
},
{
"id": "CVE-2017-8287",
"summary": "FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_contour function in psaux/psobjs.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8287"
},
{
"id": "CVE-2018-6942",
"summary": "An issue was discovered in FreeType 2 through 2.9. A NULL pointer dereference in the Ins_GETVARIATION() function within ttinterp.c could lead to DoS via a crafted font file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6942"
},
{
"id": "CVE-2020-15999",
"summary": "Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15999"
},
{
"id": "CVE-2022-27404",
"summary": "FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27404"
},
{
"id": "CVE-2022-27405",
"summary": "FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27405"
},
{
"id": "CVE-2022-27406",
"summary": "FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27406"
}
]
},
{
"name": "fribidi",
"layer": "meta",
"version": "1.0.13",
"products": [
{
"product": "gnu_fribidi",
"cvesInRecord": "Yes"
},
{
"product": "fribidi",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2010-3444",
"summary": "Buffer overflow in the log2vis_utf8 function in pyfribidi.c in GNU FriBidi 0.19.1, 0.19.2, and possibly other versions, as used in PyFriBidi 0.10.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted Arabic UTF-8 string that causes original 2-byte UTF-8 sequences to be transformed into 3-byte sequences.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3444"
},
{
"id": "CVE-2019-18397",
"summary": "A buffer overflow in the fribidi_get_par_embedding_levels_ex() function in lib/fribidi-bidi.c of GNU FriBidi through 1.0.7 allows an attacker to cause a denial of service or possibly execute arbitrary code by delivering crafted text content to a user, when this content is then rendered by an application that uses FriBidi for text layout calculations. Examples include any GNOME or GTK+ based application that uses Pango for text layout, as this internally uses FriBidi for bidirectional text layout. For example, the attacker can construct a crafted text file to be opened in GEdit, or a crafted IRC message to be viewed in HexChat.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18397"
},
{
"id": "CVE-2022-25308",
"summary": "A stack-based buffer overflow flaw was found in the Fribidi package. This flaw allows an attacker to pass a specially crafted file to the Fribidi application, which leads to a possible memory leak or a denial of service.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25308"
},
{
"id": "CVE-2022-25309",
"summary": "A heap-based buffer overflow flaw was found in the Fribidi package and affects the fribidi_cap_rtl_to_unicode() function of the fribidi-char-sets-cap-rtl.c file. This flaw allows an attacker to pass a specially crafted file to the Fribidi application with the '--caprtl' option, leading to a crash and causing a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25309"
},
{
"id": "CVE-2022-25310",
"summary": "A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bidi_marks() function of the lib/fribidi.c file. This flaw allows an attacker to pass a specially crafted file to Fribidi, leading to a crash and causing a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25310"
}
]
},
{
"name": "fribidi-native",
"layer": "meta",
"version": "1.0.13",
"products": [
{
"product": "gnu_fribidi",
"cvesInRecord": "Yes"
},
{
"product": "fribidi",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2010-3444",
"summary": "Buffer overflow in the log2vis_utf8 function in pyfribidi.c in GNU FriBidi 0.19.1, 0.19.2, and possibly other versions, as used in PyFriBidi 0.10.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted Arabic UTF-8 string that causes original 2-byte UTF-8 sequences to be transformed into 3-byte sequences.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3444"
},
{
"id": "CVE-2019-18397",
"summary": "A buffer overflow in the fribidi_get_par_embedding_levels_ex() function in lib/fribidi-bidi.c of GNU FriBidi through 1.0.7 allows an attacker to cause a denial of service or possibly execute arbitrary code by delivering crafted text content to a user, when this content is then rendered by an application that uses FriBidi for text layout calculations. Examples include any GNOME or GTK+ based application that uses Pango for text layout, as this internally uses FriBidi for bidirectional text layout. For example, the attacker can construct a crafted text file to be opened in GEdit, or a crafted IRC message to be viewed in HexChat.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18397"
},
{
"id": "CVE-2022-25308",
"summary": "A stack-based buffer overflow flaw was found in the Fribidi package. This flaw allows an attacker to pass a specially crafted file to the Fribidi application, which leads to a possible memory leak or a denial of service.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25308"
},
{
"id": "CVE-2022-25309",
"summary": "A heap-based buffer overflow flaw was found in the Fribidi package and affects the fribidi_cap_rtl_to_unicode() function of the fribidi-char-sets-cap-rtl.c file. This flaw allows an attacker to pass a specially crafted file to the Fribidi application with the '--caprtl' option, leading to a crash and causing a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25309"
},
{
"id": "CVE-2022-25310",
"summary": "A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bidi_marks() function of the lib/fribidi.c file. This flaw allows an attacker to pass a specially crafted file to Fribidi, leading to a crash and causing a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25310"
}
]
},
{
"name": "gawk",
"layer": "meta",
"version": "5.3.0",
"products": [
{
"product": "gawk",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2023-4156",
"summary": "A heap out-of-bounds read flaw was found in builtin.c in the gawk package. This issue may lead to a crash and could be used to read sensitive information.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4156"
}
]
},
{
"name": "gcc",
"layer": "meta",
"version": "13.2.0",
"products": [
{
"product": "gcc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-1439",
"summary": "gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1439"
},
{
"id": "CVE-2000-1219",
"summary": "The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-1219"
},
{
"id": "CVE-2002-2439",
"summary": "Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-2439"
},
{
"id": "CVE-2006-1902",
"summary": "fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is \"not correctly interpreting an offset to a pointer as a signed value.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1902"
},
{
"id": "CVE-2008-1367",
"summary": "gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1367"
},
{
"id": "CVE-2008-1685",
"summary": "gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999)",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1685"
},
{
"id": "CVE-2013-4598",
"summary": "The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4598"
},
{
"id": "CVE-2015-5276",
"summary": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5276"
},
{
"id": "CVE-2017-11671",
"summary": "Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11671"
},
{
"id": "CVE-2018-12886",
"summary": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12886"
},
{
"id": "CVE-2019-15847",
"summary": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847"
},
{
"id": "CVE-2021-37322",
"summary": "GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37322",
"detail": "cpe-incorrect",
"description": "Is a binutils 2.26 issue, not gcc"
},
{
"id": "CVE-2021-3826",
"summary": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826"
},
{
"id": "CVE-2021-46195",
"summary": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195"
},
{
"id": "CVE-2022-27943",
"summary": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943"
},
{
"id": "CVE-2023-4039",
"summary": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "4.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039",
"detail": "fixed-version",
"description": "Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source"
}
]
},
{
"name": "gcc-cross-aarch64",
"layer": "meta",
"version": "13.2.0",
"products": [
{
"product": "gcc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-1439",
"summary": "gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1439"
},
{
"id": "CVE-2000-1219",
"summary": "The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-1219"
},
{
"id": "CVE-2002-2439",
"summary": "Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-2439"
},
{
"id": "CVE-2006-1902",
"summary": "fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is \"not correctly interpreting an offset to a pointer as a signed value.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1902"
},
{
"id": "CVE-2008-1367",
"summary": "gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1367"
},
{
"id": "CVE-2008-1685",
"summary": "gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999)",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1685"
},
{
"id": "CVE-2013-4598",
"summary": "The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4598"
},
{
"id": "CVE-2015-5276",
"summary": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5276"
},
{
"id": "CVE-2017-11671",
"summary": "Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11671"
},
{
"id": "CVE-2018-12886",
"summary": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12886"
},
{
"id": "CVE-2019-15847",
"summary": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847"
},
{
"id": "CVE-2021-37322",
"summary": "GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37322",
"detail": "cpe-incorrect",
"description": "Is a binutils 2.26 issue, not gcc"
},
{
"id": "CVE-2021-3826",
"summary": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826"
},
{
"id": "CVE-2021-46195",
"summary": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195"
},
{
"id": "CVE-2022-27943",
"summary": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943"
},
{
"id": "CVE-2023-4039",
"summary": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "4.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039",
"detail": "fixed-version",
"description": "Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source"
}
]
},
{
"name": "gcc-cross-canadian-aarch64",
"layer": "meta",
"version": "13.2.0",
"products": [
{
"product": "gcc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-1439",
"summary": "gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1439"
},
{
"id": "CVE-2000-1219",
"summary": "The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-1219"
},
{
"id": "CVE-2002-2439",
"summary": "Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-2439"
},
{
"id": "CVE-2006-1902",
"summary": "fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is \"not correctly interpreting an offset to a pointer as a signed value.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1902"
},
{
"id": "CVE-2008-1367",
"summary": "gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1367"
},
{
"id": "CVE-2008-1685",
"summary": "gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999)",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1685"
},
{
"id": "CVE-2013-4598",
"summary": "The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4598"
},
{
"id": "CVE-2015-5276",
"summary": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5276"
},
{
"id": "CVE-2017-11671",
"summary": "Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11671"
},
{
"id": "CVE-2018-12886",
"summary": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12886"
},
{
"id": "CVE-2019-15847",
"summary": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847"
},
{
"id": "CVE-2021-37322",
"summary": "GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37322",
"detail": "cpe-incorrect",
"description": "Is a binutils 2.26 issue, not gcc"
},
{
"id": "CVE-2021-3826",
"summary": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826"
},
{
"id": "CVE-2021-46195",
"summary": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195"
},
{
"id": "CVE-2022-27943",
"summary": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943"
},
{
"id": "CVE-2023-4039",
"summary": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "4.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039",
"detail": "fixed-version",
"description": "Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source"
}
]
},
{
"name": "gcc-crosssdk-x86_64-aglsdk-linux",
"layer": "meta",
"version": "13.2.0",
"products": [
{
"product": "gcc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-1439",
"summary": "gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1439"
},
{
"id": "CVE-2000-1219",
"summary": "The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-1219"
},
{
"id": "CVE-2002-2439",
"summary": "Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-2439"
},
{
"id": "CVE-2006-1902",
"summary": "fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is \"not correctly interpreting an offset to a pointer as a signed value.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1902"
},
{
"id": "CVE-2008-1367",
"summary": "gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1367"
},
{
"id": "CVE-2008-1685",
"summary": "gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999)",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1685"
},
{
"id": "CVE-2013-4598",
"summary": "The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4598"
},
{
"id": "CVE-2015-5276",
"summary": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5276"
},
{
"id": "CVE-2017-11671",
"summary": "Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11671"
},
{
"id": "CVE-2018-12886",
"summary": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12886"
},
{
"id": "CVE-2019-15847",
"summary": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847"
},
{
"id": "CVE-2021-37322",
"summary": "GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37322",
"detail": "cpe-incorrect",
"description": "Is a binutils 2.26 issue, not gcc"
},
{
"id": "CVE-2021-3826",
"summary": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826"
},
{
"id": "CVE-2021-46195",
"summary": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195"
},
{
"id": "CVE-2022-27943",
"summary": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943"
},
{
"id": "CVE-2023-4039",
"summary": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "4.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039",
"detail": "fixed-version",
"description": "Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source"
}
]
},
{
"name": "gcc-runtime",
"layer": "meta",
"version": "13.2.0",
"products": [
{
"product": "gcc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-1439",
"summary": "gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1439"
},
{
"id": "CVE-2000-1219",
"summary": "The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-1219"
},
{
"id": "CVE-2002-2439",
"summary": "Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-2439"
},
{
"id": "CVE-2006-1902",
"summary": "fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is \"not correctly interpreting an offset to a pointer as a signed value.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1902"
},
{
"id": "CVE-2008-1367",
"summary": "gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1367"
},
{
"id": "CVE-2008-1685",
"summary": "gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999)",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1685"
},
{
"id": "CVE-2013-4598",
"summary": "The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4598"
},
{
"id": "CVE-2015-5276",
"summary": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5276"
},
{
"id": "CVE-2017-11671",
"summary": "Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11671"
},
{
"id": "CVE-2018-12886",
"summary": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12886"
},
{
"id": "CVE-2019-15847",
"summary": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847"
},
{
"id": "CVE-2021-37322",
"summary": "GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37322",
"detail": "cpe-incorrect",
"description": "Is a binutils 2.26 issue, not gcc"
},
{
"id": "CVE-2021-3826",
"summary": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826"
},
{
"id": "CVE-2021-46195",
"summary": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195"
},
{
"id": "CVE-2022-27943",
"summary": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943"
},
{
"id": "CVE-2023-4039",
"summary": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "4.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039",
"detail": "fixed-version",
"description": "Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source"
}
]
},
{
"name": "gcc-sanitizers",
"layer": "meta",
"version": "13.2.0",
"products": [
{
"product": "gcc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-1439",
"summary": "gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1439"
},
{
"id": "CVE-2000-1219",
"summary": "The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-1219"
},
{
"id": "CVE-2002-2439",
"summary": "Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-2439"
},
{
"id": "CVE-2006-1902",
"summary": "fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is \"not correctly interpreting an offset to a pointer as a signed value.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1902"
},
{
"id": "CVE-2008-1367",
"summary": "gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1367"
},
{
"id": "CVE-2008-1685",
"summary": "gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999)",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1685"
},
{
"id": "CVE-2013-4598",
"summary": "The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4598"
},
{
"id": "CVE-2015-5276",
"summary": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5276"
},
{
"id": "CVE-2017-11671",
"summary": "Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11671"
},
{
"id": "CVE-2018-12886",
"summary": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12886"
},
{
"id": "CVE-2019-15847",
"summary": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847"
},
{
"id": "CVE-2021-37322",
"summary": "GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37322",
"detail": "cpe-incorrect",
"description": "Is a binutils 2.26 issue, not gcc"
},
{
"id": "CVE-2021-3826",
"summary": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826"
},
{
"id": "CVE-2021-46195",
"summary": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195"
},
{
"id": "CVE-2022-27943",
"summary": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943"
},
{
"id": "CVE-2023-4039",
"summary": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "4.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039",
"detail": "fixed-version",
"description": "Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source"
}
]
},
{
"name": "gcc-source-13.2.0",
"layer": "meta",
"version": "13.2.0",
"products": [
{
"product": "gcc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-1439",
"summary": "gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1439"
},
{
"id": "CVE-2000-1219",
"summary": "The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-1219"
},
{
"id": "CVE-2002-2439",
"summary": "Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-2439"
},
{
"id": "CVE-2006-1902",
"summary": "fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is \"not correctly interpreting an offset to a pointer as a signed value.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1902"
},
{
"id": "CVE-2008-1367",
"summary": "gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1367"
},
{
"id": "CVE-2008-1685",
"summary": "gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999)",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1685"
},
{
"id": "CVE-2013-4598",
"summary": "The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4598"
},
{
"id": "CVE-2015-5276",
"summary": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5276"
},
{
"id": "CVE-2017-11671",
"summary": "Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11671"
},
{
"id": "CVE-2018-12886",
"summary": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12886"
},
{
"id": "CVE-2019-15847",
"summary": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847"
},
{
"id": "CVE-2021-37322",
"summary": "GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37322",
"detail": "cpe-incorrect",
"description": "Is a binutils 2.26 issue, not gcc"
},
{
"id": "CVE-2021-3826",
"summary": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826"
},
{
"id": "CVE-2021-46195",
"summary": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195"
},
{
"id": "CVE-2022-27943",
"summary": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943"
},
{
"id": "CVE-2023-4039",
"summary": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "4.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039",
"detail": "fixed-version",
"description": "Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source"
},
{
"id": "CVE-2024-0151",
"summary": "Insufficient argument checking in Secure state Entry functions in software using Cortex-M Security Extensions (CMSE), that has been compiled using toolchains that implement 'Arm v8-M Security Extensions Requirements on Development Tools' prior to version 1.4, allows an attacker to pass values to Secure state that are out of range for types smaller than 32-bits. Out of range values might lead to incorrect operations in secure state.",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0151"
}
]
},
{
"name": "gconf",
"layer": "meta",
"version": "3.2.6",
"products": [
{
"product": "gconf",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2006-6698",
"summary": "The GConf daemon (gconfd) in GConf 2.14.0 creates temporary files under directories with names based on the username, even when GCONF_GLOBAL_LOCKS is not set, which allows local users to cause a denial of service by creating the directories ahead of time, which prevents other users from using Gnome.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6698"
}
]
},
{
"name": "gdb",
"layer": "meta",
"version": "14.2",
"products": [
{
"product": "gdb",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2005-1704",
"summary": "Integer overflow in the Binary File Descriptor (BFD) library for gdb before 6.3, binutils, elfutils, and possibly other packages, allows user-assisted attackers to execute arbitrary code via a crafted object file that specifies a large number of section headers, leading to a heap-based buffer overflow.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1704"
},
{
"id": "CVE-2005-1705",
"summary": "gdb before 6.3 searches the current working directory to load the .gdbinit configuration file, which allows local users to execute arbitrary commands as the user running gdb.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1705"
},
{
"id": "CVE-2006-4146",
"summary": "Buffer overflow in the (1) DWARF (dwarfread.c) and (2) DWARF2 (dwarf2read.c) debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4146"
},
{
"id": "CVE-2011-4355",
"summary": "GNU Project Debugger (GDB) before 7.5, when .debug_gdb_scripts is defined, automatically loads certain files from the current working directory, which allows local users to gain privileges via crafted files such as Python scripts.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4355"
},
{
"id": "CVE-2017-9778",
"summary": "GNU Debugger (GDB) 8.0 and earlier fails to detect a negative length field in a DWARF section. A malformed section in an ELF binary or a core file can cause GDB to repeatedly allocate memory until a process limit is reached. This can, for example, impede efforts to analyze malware with GDB.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9778"
},
{
"id": "CVE-2019-1010180",
"summary": "GNU gdb All versions is affected by: Buffer Overflow - Out of bound memory access. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution. The component is: The main gdb module. The attack vector is: Open an ELF for debugging. The fixed version is: Not fixed yet.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010180"
},
{
"id": "CVE-2023-39128",
"summary": "GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a stack overflow via the function ada_decode at /gdb/ada-lang.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39128"
},
{
"id": "CVE-2023-39129",
"summary": "GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap use after free via the function add_pe_exported_sym() at /gdb/coff-pe-read.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39129"
},
{
"id": "CVE-2023-39130",
"summary": "GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap buffer overflow via the function pe_as16() at /gdb/coff-pe-read.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39130"
}
]
},
{
"name": "gdb-cross-canadian-aarch64",
"layer": "meta",
"version": "14.2",
"products": [
{
"product": "gdb",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2005-1704",
"summary": "Integer overflow in the Binary File Descriptor (BFD) library for gdb before 6.3, binutils, elfutils, and possibly other packages, allows user-assisted attackers to execute arbitrary code via a crafted object file that specifies a large number of section headers, leading to a heap-based buffer overflow.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1704"
},
{
"id": "CVE-2005-1705",
"summary": "gdb before 6.3 searches the current working directory to load the .gdbinit configuration file, which allows local users to execute arbitrary commands as the user running gdb.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1705"
},
{
"id": "CVE-2006-4146",
"summary": "Buffer overflow in the (1) DWARF (dwarfread.c) and (2) DWARF2 (dwarf2read.c) debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4146"
},
{
"id": "CVE-2011-4355",
"summary": "GNU Project Debugger (GDB) before 7.5, when .debug_gdb_scripts is defined, automatically loads certain files from the current working directory, which allows local users to gain privileges via crafted files such as Python scripts.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4355"
},
{
"id": "CVE-2017-9778",
"summary": "GNU Debugger (GDB) 8.0 and earlier fails to detect a negative length field in a DWARF section. A malformed section in an ELF binary or a core file can cause GDB to repeatedly allocate memory until a process limit is reached. This can, for example, impede efforts to analyze malware with GDB.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9778"
},
{
"id": "CVE-2019-1010180",
"summary": "GNU gdb All versions is affected by: Buffer Overflow - Out of bound memory access. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution. The component is: The main gdb module. The attack vector is: Open an ELF for debugging. The fixed version is: Not fixed yet.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010180"
},
{
"id": "CVE-2023-39128",
"summary": "GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a stack overflow via the function ada_decode at /gdb/ada-lang.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39128"
},
{
"id": "CVE-2023-39129",
"summary": "GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap use after free via the function add_pe_exported_sym() at /gdb/coff-pe-read.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39129"
},
{
"id": "CVE-2023-39130",
"summary": "GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap buffer overflow via the function pe_as16() at /gdb/coff-pe-read.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39130"
}
]
},
{
"name": "gdbm",
"layer": "meta",
"version": "1.23",
"products": [
{
"product": "gdbm",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "gdbm-native",
"layer": "meta",
"version": "1.23",
"products": [
{
"product": "gdbm",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "gdk-pixbuf",
"layer": "meta",
"version": "2.42.10",
"products": [
{
"product": "gdk-pixbuf",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2011-2485",
"summary": "The gdk_pixbuf__gif_image_load function in gdk-pixbuf/io-gif.c in gdk-pixbuf before 2.23.5 does not properly handle certain return values, which allows remote attackers to cause a denial of service (memory consumption) via a crafted GIF image file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2485"
},
{
"id": "CVE-2011-2897",
"summary": "gdk-pixbuf through 2.31.1 has GIF loader buffer overflow when initializing decompression tables due to an input validation flaw",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2897"
},
{
"id": "CVE-2012-2370",
"summary": "Multiple integer overflows in the read_bitmap_file_data function in io-xbm.c in gdk-pixbuf before 2.26.1 allow remote attackers to cause a denial of service (application crash) via a negative (1) height or (2) width in an XBM file, which triggers a heap-based buffer overflow.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2370"
},
{
"id": "CVE-2015-4491",
"summary": "Integer overflow in the make_filter_table function in pixops/pixops.c in gdk-pixbuf before 2.31.5, as used in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 on Linux, Google Chrome on Linux, and other products, allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow and application crash) via crafted bitmap dimensions that are mishandled during scaling.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4491"
},
{
"id": "CVE-2015-7673",
"summary": "io-tga.c in gdk-pixbuf before 2.32.0 uses heap memory after its allocation failed, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) and possibly execute arbitrary code via a crafted Truevision TGA (TARGA) file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7673"
},
{
"id": "CVE-2015-7674",
"summary": "Integer overflow in the pixops_scale_nearest function in pixops/pixops.c in gdk-pixbuf before 2.32.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted GIF image file, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7674"
},
{
"id": "CVE-2015-8875",
"summary": "Multiple integer overflows in the (1) pixops_composite_nearest, (2) pixops_composite_color_nearest, and (3) pixops_process functions in pixops/pixops.c in gdk-pixbuf before 2.33.1 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted image, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8875"
},
{
"id": "CVE-2016-6352",
"summary": "The OneLine32 function in io-ico.c in gdk-pixbuf before 2.35.3 allows remote attackers to cause a denial of service (out-of-bounds write and crash) via crafted dimensions in an ICO file.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6352"
},
{
"id": "CVE-2017-1000422",
"summary": "Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer overflow in the gif_get_lzw function resulting in memory corruption and potential code execution",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000422"
},
{
"id": "CVE-2017-12447",
"summary": "GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3 on Ubuntu 16.04, allows attackers to cause a denial of service (stack corruption) or possibly have unspecified other impact via a crafted file folder.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12447"
},
{
"id": "CVE-2017-2862",
"summary": "An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or url to trigger this vulnerability.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2862"
},
{
"id": "CVE-2017-2870",
"summary": "An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2870"
},
{
"id": "CVE-2017-6311",
"summary": "gdk-pixbuf-thumbnailer.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to printing an error message.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6311"
},
{
"id": "CVE-2017-6312",
"summary": "Integer overflow in io-ico.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted image entry offset in an ICO file, which triggers an out-of-bounds read, related to compiler optimizations.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6312"
},
{
"id": "CVE-2017-6313",
"summary": "Integer underflow in the load_resources function in io-icns.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (out-of-bounds read and program crash) via a crafted image entry size in an ICO file.",
"scorev2": "5.8",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6313"
},
{
"id": "CVE-2017-6314",
"summary": "The make_available_at_least function in io-tiff.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (infinite loop) via a large TIFF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6314"
},
{
"id": "CVE-2020-29385",
"summary": "GNOME gdk-pixbuf (aka GdkPixbuf) before 2.42.2 allows a denial of service (infinite loop) in lzw.c in the function write_indexes. if c->self_code equals 10, self->code_table[10].extends will assign the value 11 to c. The next execution in the loop will assign self->code_table[11].extends to c, which will give the value of 10. This will make the loop run infinitely. This bug can, for example, be triggered by calling this function with a GIF image with LZW compression that is crafted in a special way.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29385"
},
{
"id": "CVE-2021-20240",
"summary": "A flaw was found in gdk-pixbuf in versions before 2.42.0. An integer wraparound leading to an out of bounds write can occur when a crafted GIF image is loaded. An attacker may cause applications to crash or could potentially execute code on the victim system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "8.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20240"
},
{
"id": "CVE-2021-46829",
"summary": "GNOME GdkPixbuf (aka GDK-PixBuf) before 2.42.8 allows a heap-based buffer overflow when compositing or clearing frames in GIF files, as demonstrated by io-gif-animation.c composite_frame. This overflow is controllable and could be abused for code execution, especially on 32-bit systems.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46829"
}
]
},
{
"name": "gdk-pixbuf-native",
"layer": "meta",
"version": "2.42.10",
"products": [
{
"product": "gdk-pixbuf",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2011-2485",
"summary": "The gdk_pixbuf__gif_image_load function in gdk-pixbuf/io-gif.c in gdk-pixbuf before 2.23.5 does not properly handle certain return values, which allows remote attackers to cause a denial of service (memory consumption) via a crafted GIF image file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2485"
},
{
"id": "CVE-2011-2897",
"summary": "gdk-pixbuf through 2.31.1 has GIF loader buffer overflow when initializing decompression tables due to an input validation flaw",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2897"
},
{
"id": "CVE-2012-2370",
"summary": "Multiple integer overflows in the read_bitmap_file_data function in io-xbm.c in gdk-pixbuf before 2.26.1 allow remote attackers to cause a denial of service (application crash) via a negative (1) height or (2) width in an XBM file, which triggers a heap-based buffer overflow.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2370"
},
{
"id": "CVE-2015-4491",
"summary": "Integer overflow in the make_filter_table function in pixops/pixops.c in gdk-pixbuf before 2.31.5, as used in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 on Linux, Google Chrome on Linux, and other products, allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow and application crash) via crafted bitmap dimensions that are mishandled during scaling.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4491"
},
{
"id": "CVE-2015-7673",
"summary": "io-tga.c in gdk-pixbuf before 2.32.0 uses heap memory after its allocation failed, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) and possibly execute arbitrary code via a crafted Truevision TGA (TARGA) file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7673"
},
{
"id": "CVE-2015-7674",
"summary": "Integer overflow in the pixops_scale_nearest function in pixops/pixops.c in gdk-pixbuf before 2.32.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted GIF image file, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7674"
},
{
"id": "CVE-2015-8875",
"summary": "Multiple integer overflows in the (1) pixops_composite_nearest, (2) pixops_composite_color_nearest, and (3) pixops_process functions in pixops/pixops.c in gdk-pixbuf before 2.33.1 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted image, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8875"
},
{
"id": "CVE-2016-6352",
"summary": "The OneLine32 function in io-ico.c in gdk-pixbuf before 2.35.3 allows remote attackers to cause a denial of service (out-of-bounds write and crash) via crafted dimensions in an ICO file.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6352"
},
{
"id": "CVE-2017-1000422",
"summary": "Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer overflow in the gif_get_lzw function resulting in memory corruption and potential code execution",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000422"
},
{
"id": "CVE-2017-12447",
"summary": "GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3 on Ubuntu 16.04, allows attackers to cause a denial of service (stack corruption) or possibly have unspecified other impact via a crafted file folder.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12447"
},
{
"id": "CVE-2017-2862",
"summary": "An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or url to trigger this vulnerability.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2862"
},
{
"id": "CVE-2017-2870",
"summary": "An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2870"
},
{
"id": "CVE-2017-6311",
"summary": "gdk-pixbuf-thumbnailer.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to printing an error message.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6311"
},
{
"id": "CVE-2017-6312",
"summary": "Integer overflow in io-ico.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted image entry offset in an ICO file, which triggers an out-of-bounds read, related to compiler optimizations.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6312"
},
{
"id": "CVE-2017-6313",
"summary": "Integer underflow in the load_resources function in io-icns.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (out-of-bounds read and program crash) via a crafted image entry size in an ICO file.",
"scorev2": "5.8",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6313"
},
{
"id": "CVE-2017-6314",
"summary": "The make_available_at_least function in io-tiff.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (infinite loop) via a large TIFF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6314"
},
{
"id": "CVE-2020-29385",
"summary": "GNOME gdk-pixbuf (aka GdkPixbuf) before 2.42.2 allows a denial of service (infinite loop) in lzw.c in the function write_indexes. if c->self_code equals 10, self->code_table[10].extends will assign the value 11 to c. The next execution in the loop will assign self->code_table[11].extends to c, which will give the value of 10. This will make the loop run infinitely. This bug can, for example, be triggered by calling this function with a GIF image with LZW compression that is crafted in a special way.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29385"
},
{
"id": "CVE-2021-20240",
"summary": "A flaw was found in gdk-pixbuf in versions before 2.42.0. An integer wraparound leading to an out of bounds write can occur when a crafted GIF image is loaded. An attacker may cause applications to crash or could potentially execute code on the victim system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "8.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20240"
},
{
"id": "CVE-2021-46829",
"summary": "GNOME GdkPixbuf (aka GDK-PixBuf) before 2.42.8 allows a heap-based buffer overflow when compositing or clearing frames in GIF files, as demonstrated by io-gif-animation.c composite_frame. This overflow is controllable and could be abused for code execution, especially on 32-bit systems.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46829"
}
]
},
{
"name": "geoclue",
"layer": "meta-oe",
"version": "2.7.1",
"products": [
{
"product": "geoclue",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "gettext",
"layer": "meta",
"version": "0.22.5",
"products": [
{
"product": "gettext",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0966",
"summary": "The (1) autopoint and (2) gettextize scripts in the GNU gettext package 1.14 and later versions, as used in Trustix Secure Linux 1.5 through 2.1 and other operating systems, allows local users to overwrite files via a symlink attack on temporary files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0966"
},
{
"id": "CVE-2018-18751",
"summary": "An issue was discovered in GNU gettext 0.19.8. There is a double free in default_add_message in read-catalog.c, related to an invalid free in po_gram_parse in po-gram-gen.y, as demonstrated by lt-msgfmt.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18751"
}
]
},
{
"name": "gettext-minimal-native",
"layer": "meta",
"version": "0.22.5",
"products": [
{
"product": "gettext-minimal",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "gettext-native",
"layer": "meta",
"version": "0.22.5",
"products": [
{
"product": "gettext",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0966",
"summary": "The (1) autopoint and (2) gettextize scripts in the GNU gettext package 1.14 and later versions, as used in Trustix Secure Linux 1.5 through 2.1 and other operating systems, allows local users to overwrite files via a symlink attack on temporary files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0966"
},
{
"id": "CVE-2018-18751",
"summary": "An issue was discovered in GNU gettext 0.19.8. There is a double free in default_add_message in read-catalog.c, related to an invalid free in po_gram_parse in po-gram-gen.y, as demonstrated by lt-msgfmt.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18751"
}
]
},
{
"name": "giflib-native",
"layer": "meta-oe",
"version": "5.2.1",
"products": [
{
"product": "giflib",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-7555",
"summary": "Heap-based buffer overflow in giffix.c in giffix in giflib 5.1.1 allows attackers to cause a denial of service (program crash) via crafted image and logical screen width fields in a GIF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7555"
},
{
"id": "CVE-2016-3177",
"summary": "Multiple use-after-free and double-free vulnerabilities in gifcolor.c in GIFLIB 5.1.2 have unspecified impact and attack vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3177"
},
{
"id": "CVE-2016-3977",
"summary": "Heap-based buffer overflow in util/gif2rgb.c in gif2rgb in giflib 5.1.2 allows remote attackers to cause a denial of service (application crash) via the background color index in a GIF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3977"
},
{
"id": "CVE-2018-11489",
"summary": "The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p 0.49.4, has a heap-based buffer overflow because a certain CrntCode array index is not checked. This will lead to a denial of service or possibly unspecified other impact.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11489"
},
{
"id": "CVE-2018-11490",
"summary": "The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p 0.49.4, has a heap-based buffer overflow because a certain \"Private->RunningCode - 2\" array index is not checked. This will lead to a denial of service or possibly unspecified other impact.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11490"
},
{
"id": "CVE-2019-15133",
"summary": "In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15133"
},
{
"id": "CVE-2020-23922",
"summary": "An issue was discovered in giflib through 5.1.4. DumpScreen2RGB in gif2rgb.c has a heap-based buffer over-read.",
"scorev2": "5.8",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-23922"
},
{
"id": "CVE-2021-40633",
"summary": "A memory leak (out-of-memory) in gif2rgb in util/gif2rgb.c in giflib 5.1.4 allows remote attackers trigger an out of memory exception or denial of service via a gif format file.",
"scorev2": "5.1",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-40633"
},
{
"id": "CVE-2022-28506",
"summary": "There is a heap-buffer-overflow in GIFLIB 5.2.1 function DumpScreen2RGB() in gif2rgb.c:298:45.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-28506"
},
{
"id": "CVE-2023-39742",
"summary": "giflib v5.2.1 was discovered to contain a segmentation fault via the component getarg.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39742"
},
{
"id": "CVE-2023-48161",
"summary": "Buffer Overflow vulnerability in GifLib Project GifLib v.5.2.1 allows a local attacker to obtain sensitive information via the DumpSCreen2RGB function in gif2rgb.c",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-48161"
}
]
},
{
"name": "git-native",
"layer": "meta",
"version": "2.44.0",
"products": [
{
"product": "git",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2008-5516",
"summary": "The web interface in git (gitweb) 1.5.x before 1.5.5 allows remote attackers to execute arbitrary commands via shell metacharacters related to git_search.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5516"
},
{
"id": "CVE-2010-2542",
"summary": "Stack-based buffer overflow in the is_git_directory function in setup.c in Git before 1.7.2.1 allows local users to gain privileges via a long gitdir: field in a .git file in a working copy.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2542"
},
{
"id": "CVE-2010-3906",
"summary": "Cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) f and (2) fp parameters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3906"
},
{
"id": "CVE-2013-0308",
"summary": "The imap-send command in GIT before 1.8.1.4 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0308"
},
{
"id": "CVE-2014-9390",
"summary": "Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9390"
},
{
"id": "CVE-2014-9938",
"summary": "contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9938"
},
{
"id": "CVE-2016-2315",
"summary": "revision.c in git before 2.7.4 uses an incorrect integer data type, which allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, leading to a heap-based buffer overflow.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2315"
},
{
"id": "CVE-2016-2324",
"summary": "Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2324"
},
{
"id": "CVE-2017-1000117",
"summary": "A malicious third-party can give a crafted \"ssh://...\" URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running \"git clone --recurse-submodules\" to trigger the vulnerability.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000117"
},
{
"id": "CVE-2017-14867",
"summary": "Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.",
"scorev2": "9.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14867"
},
{
"id": "CVE-2017-15298",
"summary": "Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15298"
},
{
"id": "CVE-2018-1000021",
"summary": "GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack).",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000021"
},
{
"id": "CVE-2018-11233",
"summary": "In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11233"
},
{
"id": "CVE-2018-11235",
"summary": "In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs \"git clone --recurse-submodules\" because submodule \"names\" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with \"../\" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11235"
},
{
"id": "CVE-2018-17456",
"summary": "Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17456"
},
{
"id": "CVE-2018-19486",
"summary": "Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19486"
},
{
"id": "CVE-2019-1348",
"summary": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths.",
"scorev2": "3.6",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1348"
},
{
"id": "CVE-2019-1353",
"summary": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as \"WSL\") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1353"
},
{
"id": "CVE-2019-1387",
"summary": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1387"
},
{
"id": "CVE-2019-19604",
"summary": "Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a \"git submodule update\" operation can run commands found in the .gitmodules file of a malicious repository.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19604"
},
{
"id": "CVE-2020-11008",
"summary": "Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external \"credential helper\" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a \"blank\" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching _any_ URL, and will return some unspecified stored password, leaking the password to an attacker's server. The vulnerability can be triggered by feeding a malicious URL to `git clone`. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The root of the problem is in Git itself, which should not be feeding blank input to helpers. However, the ability to exploit the vulnerability in practice depends on which helpers are in use. Credential helpers which are known to trigger the vulnerability: - Git's \"store\" helper - Git's \"cache\" helper - the \"osxkeychain\" helper that ships in Git's \"contrib\" directory Credential helpers which are known to be safe even with vulnerable versions of Git: - Git Credential Manager for Windows Any helper not in this list should be assumed to trigger the vulnerability.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11008"
},
{
"id": "CVE-2020-5260",
"summary": "Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external \"credential helper\" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-5260"
},
{
"id": "CVE-2021-21300",
"summary": "Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaound, if symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. _before_ cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.62.17.6.",
"scorev2": "5.1",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-21300"
},
{
"id": "CVE-2021-40330",
"summary": "git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-40330"
},
{
"id": "CVE-2022-23521",
"summary": "Git is distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23521"
},
{
"id": "CVE-2022-24765",
"summary": "Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\\.git\\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\\Users` if the user profile is located in `C:\\Users\\my-user-name`.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-24765"
},
{
"id": "CVE-2022-24975",
"summary": "The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the \"GitBleed\" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk.",
"scorev2": "4.3",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-24975"
},
{
"id": "CVE-2022-29187",
"summary": "Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29187"
},
{
"id": "CVE-2022-39253",
"summary": "Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-39253"
},
{
"id": "CVE-2022-39260",
"summary": "Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-39260"
},
{
"id": "CVE-2022-41903",
"summary": "Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41903"
},
{
"id": "CVE-2022-41953",
"summary": "Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspell.exe` if it was found. Git GUI is implemented as a Tcl/Tk script. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable _always includes the current directory_. Therefore, malicious repositories can ship with an `aspell.exe` in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code. This issue has been addressed in version 2.39.1. Users are advised to upgrade. Users unable to upgrade should avoid using Git GUI for cloning. If that is not a viable option, at least avoid cloning from untrusted sources.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41953"
},
{
"id": "CVE-2023-22490",
"summary": "Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.\n\nA fix has been prepared and will appear in v2.39.2 v2.38.4 v2.37.6 v2.36.5 v2.35.7 v2.34.7 v2.33.7 v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, consider cloning repositories without recursively cloning their submodules, and instead run `git submodule update` at each layer. Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-22490"
},
{
"id": "CVE-2023-23946",
"summary": "Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23946"
},
{
"id": "CVE-2023-25652",
"summary": "Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25652"
},
{
"id": "CVE-2023-29007",
"summary": "Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29007"
}
]
},
{
"name": "glib-2.0",
"layer": "meta",
"version": "1_2.78.6",
"products": [
{
"product": "glib",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2008-4316",
"summary": "Multiple integer overflows in glib/gbase64.c in GLib before 2.20 allow context-dependent attackers to execute arbitrary code via a long string that is converted either (1) from or (2) to a base64 representation.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4316"
},
{
"id": "CVE-2009-3289",
"summary": "The g_file_copy function in glib 2.0 sets the permissions of a target file to the permissions of a symbolic link (777), which allows user-assisted local users to modify files of other users, as demonstrated by using Nautilus to modify the permissions of the user home directory.",
"scorev2": "4.4",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3289"
},
{
"id": "CVE-2012-0039",
"summary": "GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0039"
},
{
"id": "CVE-2018-16428",
"summary": "In GNOME GLib 2.56.1, g_markup_parse_context_end_parse() in gmarkup.c has a NULL pointer dereference.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16428"
},
{
"id": "CVE-2018-16429",
"summary": "GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse() in gmarkup.c, related to utf8_str().",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16429"
},
{
"id": "CVE-2019-12450",
"summary": "file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12450"
},
{
"id": "CVE-2019-13012",
"summary": "The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir, NULL, NULL) and files using g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it does not properly restrict directory (and file) permissions. Instead, for directories, 0777 permissions are used; for files, default file permissions are used. This is similar to CVE-2019-12450.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13012"
},
{
"id": "CVE-2019-9633",
"summary": "gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service (g_socket_client_connected_callback mishandling and application crash) via a crafted web site, as demonstrated by GNOME Web (aka Epiphany).",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9633"
},
{
"id": "CVE-2020-35457",
"summary": "GNOME GLib before 2.65.3 has an integer overflow, that might lead to an out-of-bounds write, in g_option_group_add_entries. NOTE: the vendor's position is \"Realistically this is not a security issue. The standard pattern is for callers to provide a static list of option entries in a fixed number of calls to g_option_group_add_entries().\" The researcher states that this pattern is undocumented",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35457"
},
{
"id": "CVE-2020-6750",
"summary": "GSocketClient in GNOME GLib through 2.62.4 may occasionally connect directly to a target address instead of connecting via a proxy server when configured to do so, because the proxy_addr field is mishandled. This bug is timing-dependent and may occur only sporadically depending on network delays. The greatest security relevance is in use cases where a proxy is used to help with privacy/anonymity, even though there is no technical barrier to a direct connection. NOTE: versions before 2.60 are unaffected.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-6750"
},
{
"id": "CVE-2021-27218",
"summary": "An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27218"
},
{
"id": "CVE-2021-27219",
"summary": "An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27219"
},
{
"id": "CVE-2021-28153",
"summary": "An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28153"
},
{
"id": "CVE-2021-3800",
"summary": "A flaw was found in glib before version 2.63.6. Due to random charset alias, pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3800"
},
{
"id": "CVE-2023-29499",
"summary": "A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, leading to denial of service.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29499"
},
{
"id": "CVE-2023-32611",
"summary": "A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32611"
},
{
"id": "CVE-2023-32636",
"summary": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32636"
},
{
"id": "CVE-2023-32643",
"summary": "A flaw was found in GLib. The GVariant deserialization code is vulnerable to a heap buffer overflow introduced by the fix for CVE-2023-32665. This bug does not affect any released version of GLib, but does affect GLib distributors who followed the guidance of GLib developers to backport the initial fix for CVE-2023-32665.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32643"
},
{
"id": "CVE-2023-32665",
"summary": "A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32665"
}
]
},
{
"name": "glib-2.0-native",
"layer": "meta",
"version": "1_2.78.6",
"products": [
{
"product": "glib",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2008-4316",
"summary": "Multiple integer overflows in glib/gbase64.c in GLib before 2.20 allow context-dependent attackers to execute arbitrary code via a long string that is converted either (1) from or (2) to a base64 representation.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4316"
},
{
"id": "CVE-2009-3289",
"summary": "The g_file_copy function in glib 2.0 sets the permissions of a target file to the permissions of a symbolic link (777), which allows user-assisted local users to modify files of other users, as demonstrated by using Nautilus to modify the permissions of the user home directory.",
"scorev2": "4.4",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3289"
},
{
"id": "CVE-2012-0039",
"summary": "GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0039"
},
{
"id": "CVE-2018-16428",
"summary": "In GNOME GLib 2.56.1, g_markup_parse_context_end_parse() in gmarkup.c has a NULL pointer dereference.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16428"
},
{
"id": "CVE-2018-16429",
"summary": "GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse() in gmarkup.c, related to utf8_str().",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16429"
},
{
"id": "CVE-2019-12450",
"summary": "file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12450"
},
{
"id": "CVE-2019-13012",
"summary": "The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir, NULL, NULL) and files using g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it does not properly restrict directory (and file) permissions. Instead, for directories, 0777 permissions are used; for files, default file permissions are used. This is similar to CVE-2019-12450.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13012"
},
{
"id": "CVE-2019-9633",
"summary": "gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service (g_socket_client_connected_callback mishandling and application crash) via a crafted web site, as demonstrated by GNOME Web (aka Epiphany).",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9633"
},
{
"id": "CVE-2020-35457",
"summary": "GNOME GLib before 2.65.3 has an integer overflow, that might lead to an out-of-bounds write, in g_option_group_add_entries. NOTE: the vendor's position is \"Realistically this is not a security issue. The standard pattern is for callers to provide a static list of option entries in a fixed number of calls to g_option_group_add_entries().\" The researcher states that this pattern is undocumented",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35457"
},
{
"id": "CVE-2020-6750",
"summary": "GSocketClient in GNOME GLib through 2.62.4 may occasionally connect directly to a target address instead of connecting via a proxy server when configured to do so, because the proxy_addr field is mishandled. This bug is timing-dependent and may occur only sporadically depending on network delays. The greatest security relevance is in use cases where a proxy is used to help with privacy/anonymity, even though there is no technical barrier to a direct connection. NOTE: versions before 2.60 are unaffected.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-6750"
},
{
"id": "CVE-2021-27218",
"summary": "An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27218"
},
{
"id": "CVE-2021-27219",
"summary": "An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27219"
},
{
"id": "CVE-2021-28153",
"summary": "An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28153"
},
{
"id": "CVE-2021-3800",
"summary": "A flaw was found in glib before version 2.63.6. Due to random charset alias, pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3800"
},
{
"id": "CVE-2023-29499",
"summary": "A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, leading to denial of service.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29499"
},
{
"id": "CVE-2023-32611",
"summary": "A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32611"
},
{
"id": "CVE-2023-32636",
"summary": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32636"
},
{
"id": "CVE-2023-32643",
"summary": "A flaw was found in GLib. The GVariant deserialization code is vulnerable to a heap buffer overflow introduced by the fix for CVE-2023-32665. This bug does not affect any released version of GLib, but does affect GLib distributors who followed the guidance of GLib developers to backport the initial fix for CVE-2023-32665.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32643"
},
{
"id": "CVE-2023-32665",
"summary": "A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32665"
}
]
},
{
"name": "glib-networking",
"layer": "meta",
"version": "2.78.1",
"products": [
{
"product": "glib-networking",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2020-13645",
"summary": "In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.",
"scorev2": "6.4",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13645"
}
]
},
{
"name": "glibc",
"layer": "meta",
"version": "2.39+git",
"products": [
{
"product": "glibc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-0199",
"summary": "manual/search.texi in the GNU C Library (aka glibc) before 2.2 lacks a statement about the unspecified tdelete return value upon deletion of a tree's root, which might allow attackers to access a dangling pointer in an application whose developer was unaware of a documentation update from 1999.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0199"
},
{
"id": "CVE-2000-0335",
"summary": "The resolver in glibc 2.1.3 uses predictable IDs, which allows a local attacker to spoof DNS query results.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0335"
},
{
"id": "CVE-2000-0824",
"summary": "The unsetenv function in glibc 2.1.1 does not properly unset an environmental variable if the variable is provided twice to a program, which could allow local users to execute arbitrary commands in setuid programs by specifying their own duplicate environmental variables such as LD_PRELOAD or LD_LIBRARY_PATH.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0824"
},
{
"id": "CVE-2000-0959",
"summary": "glibc2 does not properly clear the LD_DEBUG_OUTPUT and LD_DEBUG environmental variables when a program is spawned from a setuid program, which could allow local users to overwrite files via a symlink attack.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0959"
},
{
"id": "CVE-2002-0684",
"summary": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684"
},
{
"id": "CVE-2002-1146",
"summary": "The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary (\"read buffer overflow\"), allowing remote attackers to cause a denial of service (crash).",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1146"
},
{
"id": "CVE-2002-1265",
"summary": "The Sun RPC functionality in multiple libc implementations does not provide a time-out mechanism when reading data from TCP connections, which allows remote attackers to cause a denial of service (hang).",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1265"
},
{
"id": "CVE-2003-0028",
"summary": "Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0028"
},
{
"id": "CVE-2003-0859",
"summary": "The getifaddrs function in GNU libc (glibc) 2.2.4 and earlier allows local users to cause a denial of service by sending spoofed messages as other users to the kernel netlink interface.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0859"
},
{
"id": "CVE-2004-0968",
"summary": "The catchsegv script in glibc 2.3.2 and earlier allows local users to overwrite files via a symlink attack on temporary files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0968"
},
{
"id": "CVE-2004-1382",
"summary": "The glibcbug script in glibc 2.3.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CVE-2004-0968.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1382"
},
{
"id": "CVE-2004-1453",
"summary": "GNU glibc 2.3.4 before 2.3.4.20040619, 2.3.3 before 2.3.3.20040420, and 2.3.2 before 2.3.2-r10 does not restrict the use of LD_DEBUG for a setuid program, which allows local users to gain sensitive information, such as the list of symbols used by the program.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1453"
},
{
"id": "CVE-2005-3590",
"summary": "The getgrouplist function in the GNU C library (glibc) before version 2.3.5, when invoked with a zero argument, writes to the passed pointer even if the specified array size is zero, leading to a buffer overflow and potentially allowing attackers to corrupt memory.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3590"
},
{
"id": "CVE-2006-7254",
"summary": "The nscd daemon in the GNU C Library (glibc) before version 2.5 does not close incoming client sockets if they cannot be handled by the daemon, allowing local users to carry out a denial of service attack on the daemon.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7254"
},
{
"id": "CVE-2007-3508",
"summary": "Integer overflow in the process_envvars function in elf/rtld.c in glibc before 2.5-rc4 might allow local users to execute arbitrary code via a large LD_HWCAP_MASK environment variable value. NOTE: the glibc maintainers state that they do not believe that this issue is exploitable for code execution",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3508"
},
{
"id": "CVE-2009-4880",
"summary": "Multiple integer overflows in the strfmon implementation in the GNU C Library (aka glibc or libc6) 2.10.1 and earlier allow context-dependent attackers to cause a denial of service (memory consumption or application crash) via a crafted format string, as demonstrated by a crafted first argument to the money_format function in PHP, a related issue to CVE-2008-1391.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4880"
},
{
"id": "CVE-2009-4881",
"summary": "Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in the strfmon implementation in the GNU C Library (aka glibc or libc6) before 2.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted format string, as demonstrated by the %99999999999999999999n string, a related issue to CVE-2008-1391.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4881"
},
{
"id": "CVE-2009-5029",
"summary": "Integer overflow in the __tzfile_read function in glibc before 2.15 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted timezone (TZ) file, as demonstrated using vsftpd.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5029"
},
{
"id": "CVE-2009-5064",
"summary": "ldd in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows local users to gain privileges via a Trojan horse executable file linked with a modified loader that omits certain LD_TRACE_LOADED_OBJECTS checks. NOTE: the GNU C Library vendor states \"This is just nonsense. There are a gazillion other ways to introduce code if people are downloading arbitrary binaries and install them in appropriate directories or set LD_LIBRARY_PATH etc.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5064"
},
{
"id": "CVE-2009-5155",
"summary": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5155"
},
{
"id": "CVE-2010-0015",
"summary": "nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0015"
},
{
"id": "CVE-2010-0296",
"summary": "The encode_name macro in misc/mntent_r.c in the GNU C Library (aka glibc or libc6) 2.11.1 and earlier, as used by ncpmount and mount.cifs, does not properly handle newline characters in mountpoint names, which allows local users to cause a denial of service (mtab corruption), or possibly modify mount options and gain privileges, via a crafted mount request.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0296"
},
{
"id": "CVE-2010-0830",
"summary": "Integer signedness error in the elf_get_dynamic_info function in elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6) 2.0.1 through 2.11.1, when the --verify option is used, allows user-assisted remote attackers to execute arbitrary code via a crafted ELF program with a negative value for a certain d_tag structure member in the ELF header.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0830"
},
{
"id": "CVE-2010-3192",
"summary": "Certain run-time memory protection mechanisms in the GNU C Library (aka glibc or libc6) print argv[0] and backtrace information, which might allow context-dependent attackers to obtain sensitive information from process memory by executing an incorrect program, as demonstrated by a setuid program that contains a stack-based buffer overflow error, related to the __fortify_fail function in debug/fortify_fail.c, and the __stack_chk_fail (aka stack protection) and __chk_fail (aka FORTIFY_SOURCE) implementations.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3192"
},
{
"id": "CVE-2010-3847",
"summary": "elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3847"
},
{
"id": "CVE-2010-3856",
"summary": "ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable to reference dynamic shared objects (DSOs) as audit objects, which allows local users to gain privileges by leveraging an unsafe DSO located in a trusted library directory, as demonstrated by libpcprofile.so.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3856"
},
{
"id": "CVE-2010-4051",
"summary": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4051"
},
{
"id": "CVE-2010-4052",
"summary": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4052"
},
{
"id": "CVE-2010-4756",
"summary": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4756"
},
{
"id": "CVE-2011-0536",
"summary": "Multiple untrusted search path vulnerabilities in elf/dl-object.c in certain modified versions of the GNU C Library (aka glibc or libc6), including glibc-2.5-49.el5_5.6 and glibc-2.12-1.7.el6_0.3 in Red Hat Enterprise Linux, allow local users to gain privileges via a crafted dynamic shared object (DSO) in a subdirectory of the current working directory during execution of a (1) setuid or (2) setgid program that has $ORIGIN in (a) RPATH or (b) RUNPATH within the program itself or a referenced library. NOTE: this issue exists because of an incorrect fix for CVE-2010-3847.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0536"
},
{
"id": "CVE-2011-1071",
"summary": "The GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIBC (EGLIBC) allow context-dependent attackers to execute arbitrary code or cause a denial of service (memory consumption) via a long UTF8 string that is used in an fnmatch call, aka a \"stack extension attack,\" a related issue to CVE-2010-2898, CVE-2010-1917, and CVE-2007-4782, as originally reported for use of this library by Google Chrome.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1071"
},
{
"id": "CVE-2011-1089",
"summary": "The addmntent function in the GNU C Library (aka glibc or libc6) 2.13 and earlier does not report an error status for failed attempts to write to the /etc/mtab file, which makes it easier for local users to trigger corruption of this file, as demonstrated by writes from a process with a small RLIMIT_FSIZE value, a different vulnerability than CVE-2010-0296.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1089"
},
{
"id": "CVE-2011-1095",
"summary": "locale/programs/locale.c in locale in the GNU C Library (aka glibc or libc6) before 2.13 does not quote its output, which might allow local users to gain privileges via a crafted localization environment variable, in conjunction with a program that executes a script that uses the eval function.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1095"
},
{
"id": "CVE-2011-1658",
"summary": "ld.so in the GNU C Library (aka glibc or libc6) 2.13 and earlier expands the $ORIGIN dynamic string token when RPATH is composed entirely of this token, which might allow local users to gain privileges by creating a hard link in an arbitrary directory to a (1) setuid or (2) setgid program with this RPATH value, and then executing the program with a crafted value for the LD_PRELOAD environment variable, a different vulnerability than CVE-2010-3847 and CVE-2011-0536. NOTE: it is not expected that any standard operating-system distribution would ship an applicable setuid or setgid program.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1658"
},
{
"id": "CVE-2011-1659",
"summary": "Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long UTF8 string that is used in an fnmatch call with a crafted pattern argument, a different vulnerability than CVE-2011-1071.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1659"
},
{
"id": "CVE-2011-2702",
"summary": "Integer signedness error in Glibc before 2.13 and eglibc before 2.13, when using Supplemental Streaming SIMD Extensions 3 (SSSE3) optimization, allows context-dependent attackers to execute arbitrary code via a negative length parameter to (1) memcpy-ssse3-rep.S, (2) memcpy-ssse3.S, or (3) memset-sse2.S in sysdeps/i386/i686/multiarch/, which triggers an out-of-bounds read, as demonstrated using the memcpy function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2702"
},
{
"id": "CVE-2011-4609",
"summary": "The svc_run function in the RPC implementation in glibc before 2.15 allows remote attackers to cause a denial of service (CPU consumption) via a large number of RPC connections.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4609"
},
{
"id": "CVE-2011-5320",
"summary": "scanf and related functions in glibc before 2.15 allow local users to cause a denial of service (segmentation fault) via a large string of 0s.",
"scorev2": "2.1",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-5320"
},
{
"id": "CVE-2012-0864",
"summary": "Integer overflow in the vfprintf function in stdio-common/vfprintf.c in glibc 2.14 and other versions allows context-dependent attackers to bypass the FORTIFY_SOURCE protection mechanism, conduct format string attacks, and write to arbitrary memory via a large number of arguments.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0864"
},
{
"id": "CVE-2012-3404",
"summary": "The vfprintf function in stdio-common/vfprintf.c in libc in GNU C Library (aka glibc) 2.12 and other versions does not properly calculate a buffer length, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (stack corruption and crash) via a format string that uses positional parameters and many format specifiers.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3404"
},
{
"id": "CVE-2012-3405",
"summary": "The vfprintf function in stdio-common/vfprintf.c in libc in GNU C Library (aka glibc) 2.14 and other versions does not properly calculate a buffer length, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (segmentation fault and crash) via a format string with a large number of format specifiers that triggers \"desynchronization within the buffer size handling,\" a different vulnerability than CVE-2012-3404.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3405"
},
{
"id": "CVE-2012-3406",
"summary": "The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not \"properly restrict the use of\" the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404 and CVE-2012-3405.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3406"
},
{
"id": "CVE-2012-3480",
"summary": "Multiple integer overflows in the (1) strtod, (2) strtof, (3) strtold, (4) strtod_l, and other unspecified \"related functions\" in stdlib in GNU C Library (aka glibc or libc6) 2.16 allow local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3480"
},
{
"id": "CVE-2012-4412",
"summary": "Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4412"
},
{
"id": "CVE-2012-4424",
"summary": "Stack-based buffer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4424"
},
{
"id": "CVE-2012-6656",
"summary": "iconvdata/ibm930.c in GNU C Library (aka glibc) before 2.16 allows context-dependent attackers to cause a denial of service (out-of-bounds read) via a multibyte character value of \"0xffff\" to the iconv function when converting IBM930 encoded data to UTF-8.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6656"
},
{
"id": "CVE-2013-0242",
"summary": "Buffer overflow in the extend_buffers function in the regular expression matcher (posix/regexec.c) in glibc, possibly 2.17 and earlier, allows context-dependent attackers to cause a denial of service (memory corruption and crash) via crafted multibyte characters.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0242"
},
{
"id": "CVE-2013-1914",
"summary": "Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.17 and earlier allows remote attackers to cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of domain conversion results.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1914"
},
{
"id": "CVE-2013-2207",
"summary": "pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not properly check permissions for tty files, which allows local users to change the permission on the files and obtain access to arbitrary pseudo-terminals by leveraging a FUSE file system.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2207"
},
{
"id": "CVE-2013-4237",
"summary": "sysdeps/posix/readdir_r.c in the GNU C Library (aka glibc or libc6) 2.18 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted (1) NTFS or (2) CIFS image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4237"
},
{
"id": "CVE-2013-4332",
"summary": "Multiple integer overflows in malloc/malloc.c in the GNU C Library (aka glibc or libc6) 2.18 and earlier allow context-dependent attackers to cause a denial of service (heap corruption) via a large value to the (1) pvalloc, (2) valloc, (3) posix_memalign, (4) memalign, or (5) aligned_alloc functions.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4332"
},
{
"id": "CVE-2013-4458",
"summary": "Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.18 and earlier allows remote attackers to cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of AF_INET6 address results. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1914.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4458"
},
{
"id": "CVE-2013-4788",
"summary": "The PTR_MANGLE implementation in the GNU C Library (aka glibc or libc6) 2.4, 2.17, and earlier, and Embedded GLIBC (EGLIBC) does not initialize the random value for the pointer guard, which makes it easier for context-dependent attackers to control execution flow by leveraging a buffer-overflow vulnerability in an application and using the known zero value pointer guard to calculate a pointer address.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4788"
},
{
"id": "CVE-2013-7423",
"summary": "The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7423"
},
{
"id": "CVE-2013-7424",
"summary": "The getaddrinfo function in glibc before 2.15, when compiled with libidn and the AI_IDN flag is used, allows context-dependent attackers to cause a denial of service (invalid free) and possibly execute arbitrary code via unspecified vectors, as demonstrated by an internationalized domain name to ping6.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7424"
},
{
"id": "CVE-2014-0475",
"summary": "Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0475"
},
{
"id": "CVE-2014-4043",
"summary": "The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4043"
},
{
"id": "CVE-2014-5119",
"summary": "Off-by-one error in the __gconv_translit_find function in gconv_trans.c in GNU C Library (aka glibc) allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via vectors related to the CHARSET environment variable and gconv transliteration modules.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5119"
},
{
"id": "CVE-2014-6040",
"summary": "GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of \"0xffff\" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-6040"
},
{
"id": "CVE-2014-7817",
"summary": "The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing \"$((`...`))\".",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7817"
},
{
"id": "CVE-2014-8121",
"summary": "DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up on a database while iterating over it, which triggers the file pointer to be reset.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8121"
},
{
"id": "CVE-2014-9402",
"summary": "The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9402"
},
{
"id": "CVE-2014-9761",
"summary": "Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6) before 2.23 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long argument to the (1) nan, (2) nanf, or (3) nanl function.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9761"
},
{
"id": "CVE-2014-9984",
"summary": "nscd in the GNU C Library (aka glibc or libc6) before version 2.20 does not correctly compute the size of an internal buffer when processing netgroup requests, possibly leading to an nscd daemon crash or code execution as the user running nscd.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9984"
},
{
"id": "CVE-2015-0235",
"summary": "Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka \"GHOST.\"",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0235"
},
{
"id": "CVE-2015-1472",
"summary": "The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka glibc or libc6) before 2.21 does not properly consider data-type size during memory allocation, which allows context-dependent attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long line containing wide characters that are improperly handled in a wscanf call.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1472"
},
{
"id": "CVE-2015-1473",
"summary": "The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka glibc or libc6) before 2.21 does not properly consider data-type size during a risk-management decision for use of the alloca function, which might allow context-dependent attackers to cause a denial of service (segmentation violation) or overwrite memory locations beyond the stack boundary via a long line containing wide characters that are improperly handled in a wscanf call.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1473"
},
{
"id": "CVE-2015-1781",
"summary": "Buffer overflow in the gethostbyname_r and other unspecified NSS functions in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response, which triggers a call with a misaligned buffer.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1781"
},
{
"id": "CVE-2015-20109",
"summary": "end_pattern (called from internal_fnmatch) in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash), as demonstrated by use of the fnmatch library function with the **(!() pattern. NOTE: this is not the same as CVE-2015-8984; also, some Linux distributions have fixed CVE-2015-8984 but have not fixed this additional fnmatch issue.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-20109"
},
{
"id": "CVE-2015-5180",
"summary": "res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5180"
},
{
"id": "CVE-2015-5277",
"summary": "The get_contents function in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) before 2.20 might allow local users to cause a denial of service (heap corruption) or gain privileges via a long line in the NSS files database.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5277"
},
{
"id": "CVE-2015-7547",
"summary": "Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing \"dual A/AAAA DNS queries\" and the libnss_dns.so.2 NSS module.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7547"
},
{
"id": "CVE-2015-8776",
"summary": "The strftime function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly obtain sensitive information via an out-of-range time value.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8776"
},
{
"id": "CVE-2015-8777",
"summary": "The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8777"
},
{
"id": "CVE-2015-8778",
"summary": "Integer overflow in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via the size argument to the __hcreate_r function, which triggers out-of-bounds heap-memory access.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8778"
},
{
"id": "CVE-2015-8779",
"summary": "Stack-based buffer overflow in the catopen function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long catalog name.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8779"
},
{
"id": "CVE-2015-8982",
"summary": "Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8982"
},
{
"id": "CVE-2015-8983",
"summary": "Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8983"
},
{
"id": "CVE-2015-8984",
"summary": "The fnmatch function in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash) via a malformed pattern, which triggers an out-of-bounds read.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8984"
},
{
"id": "CVE-2015-8985",
"summary": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8985"
},
{
"id": "CVE-2016-10228",
"summary": "The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10228"
},
{
"id": "CVE-2016-10739",
"summary": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
"scorev2": "4.6",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10739"
},
{
"id": "CVE-2016-1234",
"summary": "Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1234"
},
{
"id": "CVE-2016-3075",
"summary": "Stack-based buffer overflow in the nss_dns implementation of the getnetbyname function in GNU C Library (aka glibc) before 2.24 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a long name.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3075"
},
{
"id": "CVE-2016-3706",
"summary": "Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in the GNU C Library (aka glibc or libc6) allows remote attackers to cause a denial of service (crash) via vectors involving hostent conversion. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4458.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3706"
},
{
"id": "CVE-2016-4429",
"summary": "Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4429"
},
{
"id": "CVE-2016-5417",
"summary": "Memory leak in the __res_vinit function in the IPv6 name server management code in libresolv in GNU C Library (aka glibc or libc6) before 2.24 allows remote attackers to cause a denial of service (memory consumption) by leveraging partial initialization of internal resolver data structures.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5417"
},
{
"id": "CVE-2016-6323",
"summary": "The makecontext function in the GNU C Library (aka glibc or libc6) before 2.25 creates execution contexts incompatible with the unwinder on ARM EABI (32-bit) platforms, which might allow context-dependent attackers to cause a denial of service (hang), as demonstrated by applications compiled using gccgo, related to backtrace generation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6323"
},
{
"id": "CVE-2017-1000366",
"summary": "glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000366"
},
{
"id": "CVE-2017-1000408",
"summary": "A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_HWCAP_MASK environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000408"
},
{
"id": "CVE-2017-1000409",
"summary": "A buffer overflow in glibc 2.5 (released on September 29, 2006) and can be triggered through the LD_LIBRARY_PATH environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000409"
},
{
"id": "CVE-2017-12132",
"summary": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12132"
},
{
"id": "CVE-2017-12133",
"summary": "Use-after-free vulnerability in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) before 2.26 allows remote attackers to have unspecified impact via vectors related to error path.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12133"
},
{
"id": "CVE-2017-15670",
"summary": "The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15670"
},
{
"id": "CVE-2017-15671",
"summary": "The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15671"
},
{
"id": "CVE-2017-15804",
"summary": "The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15804"
},
{
"id": "CVE-2017-16997",
"summary": "elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the \"./\" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16997"
},
{
"id": "CVE-2017-17426",
"summary": "The malloc function in the GNU C Library (aka glibc or libc6) 2.26 could return a memory block that is too small if an attempt is made to allocate an object whose size is close to SIZE_MAX, potentially leading to a subsequent heap overflow. This occurs because the per-thread cache (aka tcache) feature enables a code path that lacks an integer overflow check.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17426"
},
{
"id": "CVE-2017-18269",
"summary": "An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18269"
},
{
"id": "CVE-2017-8804",
"summary": "The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779. NOTE: [Information provided from upstream and references",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8804"
},
{
"id": "CVE-2018-1000001",
"summary": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000001"
},
{
"id": "CVE-2018-11236",
"summary": "stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11236"
},
{
"id": "CVE-2018-11237",
"summary": "An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11237"
},
{
"id": "CVE-2018-19591",
"summary": "In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19591"
},
{
"id": "CVE-2018-20796",
"summary": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20796"
},
{
"id": "CVE-2018-6485",
"summary": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6485"
},
{
"id": "CVE-2018-6551",
"summary": "The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6551"
},
{
"id": "CVE-2019-1010022",
"summary": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010022",
"detail": "disputed",
"description": "Upstream glibc maintainers dispute there is any issue and have no plans to address it further. this is being treated as a non-security bug and no real threat."
},
{
"id": "CVE-2019-1010023",
"summary": "GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010023",
"detail": "disputed",
"description": "Upstream glibc maintainers dispute there is any issue and have no plans to address it further. this is being treated as a non-security bug and no real threat."
},
{
"id": "CVE-2019-1010024",
"summary": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010024",
"detail": "disputed",
"description": "Upstream glibc maintainers dispute there is any issue and have no plans to address it further. this is being treated as a non-security bug and no real threat."
},
{
"id": "CVE-2019-1010025",
"summary": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010025",
"detail": "disputed",
"description": "Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow easier access for another. 'ASLR bypass itself is not a vulnerability.'"
},
{
"id": "CVE-2019-19126",
"summary": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19126"
},
{
"id": "CVE-2019-25013",
"summary": "The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.",
"scorev2": "7.1",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-25013"
},
{
"id": "CVE-2019-6488",
"summary": "The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6488"
},
{
"id": "CVE-2019-7309",
"summary": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7309"
},
{
"id": "CVE-2019-9169",
"summary": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9169"
},
{
"id": "CVE-2019-9192",
"summary": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9192"
},
{
"id": "CVE-2020-10029",
"summary": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10029"
},
{
"id": "CVE-2020-1751",
"summary": "An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.",
"scorev2": "5.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1751"
},
{
"id": "CVE-2020-1752",
"summary": "A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.",
"scorev2": "3.7",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1752"
},
{
"id": "CVE-2020-27618",
"summary": "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27618"
},
{
"id": "CVE-2020-29562",
"summary": "The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2.32, when converting UCS4 text containing an irreversible character, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.",
"scorev2": "2.1",
"scorev3": "4.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29562"
},
{
"id": "CVE-2020-29573",
"summary": "sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) before 2.23 on x86 targets has a stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern, as seen when passing a \\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04 value to sprintf. NOTE: the issue does not affect glibc by default in 2016 or later (i.e., 2.23 or later) because of commits made in 2015 for inlining of C99 math functions through use of GCC built-ins. In other words, the reference to 2.23 is intentional despite the mention of \"Fixed for glibc 2.33\" in the 26649 reference.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29573"
},
{
"id": "CVE-2020-6096",
"summary": "An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-6096"
},
{
"id": "CVE-2021-27645",
"summary": "The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.",
"scorev2": "1.9",
"scorev3": "2.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27645"
},
{
"id": "CVE-2021-3326",
"summary": "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3326"
},
{
"id": "CVE-2021-33574",
"summary": "The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33574"
},
{
"id": "CVE-2021-35942",
"summary": "The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-35942"
},
{
"id": "CVE-2021-38604",
"summary": "In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced as a side effect of the CVE-2021-33574 fix.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38604"
},
{
"id": "CVE-2021-3998",
"summary": "A flaw was found in glibc. The realpath() function can mistakenly return an unexpected value, potentially leading to information leakage and disclosure of sensitive data.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3998"
},
{
"id": "CVE-2021-3999",
"summary": "A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3999"
},
{
"id": "CVE-2021-43396",
"summary": "In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases. NOTE: the vendor states \"the bug cannot be invoked through user input and requires iconv to be invoked with a NULL inbuf, which ought to require a separate application bug to do so unintentionally. Hence there's no security impact to the bug.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43396"
},
{
"id": "CVE-2022-23218",
"summary": "The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23218"
},
{
"id": "CVE-2022-23219",
"summary": "The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23219"
},
{
"id": "CVE-2022-39046",
"summary": "An issue was discovered in the GNU C Library (glibc) 2.36. When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-39046"
},
{
"id": "CVE-2023-0687",
"summary": "A vulnerability was found in GNU C Library 2.38. It has been declared as critical. This vulnerability affects the function __monstartup of the file gmon.c of the component Call Graph Monitor. The manipulation leads to buffer overflow. It is recommended to apply a patch to fix this issue. VDB-220246 is the identifier assigned to this vulnerability. NOTE: The real existence of this vulnerability is still doubted at the moment. The inputs that induce this vulnerability are basically addresses of the running application that is built with gmon enabled. It's basically trusted input or input that needs an actual security flaw to be compromised or controlled.",
"scorev2": "4.0",
"scorev3": "9.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0687"
},
{
"id": "CVE-2023-25139",
"summary": "sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct buffer size. This is unrelated to CWE-676. It may write beyond the bounds of the destination buffer when attempting to write a padded, thousands-separated string representation of a number, if the buffer is allocated the exact size required to represent that number as a string. For example, 1,234,567 (with padding to 13) overflows by two bytes.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25139"
},
{
"id": "CVE-2023-4527",
"summary": "A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4527"
},
{
"id": "CVE-2023-4806",
"summary": "A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4806"
},
{
"id": "CVE-2023-4813",
"summary": "A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4813"
},
{
"id": "CVE-2023-4911",
"summary": "A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4911",
"detail": "fixed-version",
"description": "Fixed in stable branch updates"
},
{
"id": "CVE-2023-5156",
"summary": "A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5156"
},
{
"id": "CVE-2023-6246",
"summary": "A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6246"
},
{
"id": "CVE-2023-6779",
"summary": "An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6779"
},
{
"id": "CVE-2023-6780",
"summary": "An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6780"
},
{
"id": "CVE-2024-2961",
"summary": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n",
"scorev2": "0.0",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961",
"detail": "cpe-stable-backport",
"description": "fix available in used git hash"
},
{
"id": "CVE-2024-33599",
"summary": "nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-33599",
"detail": "cpe-stable-backport",
"description": "fix available in used git hash"
},
{
"id": "CVE-2024-33600",
"summary": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-33600",
"detail": "cpe-stable-backport",
"description": "fix available in used git hash"
},
{
"id": "CVE-2024-33601",
"summary": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-33601",
"detail": "cpe-stable-backport",
"description": "fix available in used git hash"
},
{
"id": "CVE-2024-33602",
"summary": "nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n",
"scorev2": "0.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602",
"detail": "cpe-stable-backport",
"description": "fix available in used git hash"
}
]
},
{
"name": "gmp",
"layer": "meta",
"version": "6.3.0",
"products": [
{
"product": "gmp",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2021-43618",
"summary": "GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43618"
}
]
},
{
"name": "gmp-native",
"layer": "meta",
"version": "6.3.0",
"products": [
{
"product": "gmp",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2021-43618",
"summary": "GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43618"
}
]
},
{
"name": "gnome-desktop-testing",
"layer": "meta",
"version": "2021.1",
"products": [
{
"product": "gnome-desktop-testing",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "gnu-config",
"layer": "meta",
"version": "20240101+git",
"products": [
{
"product": "gnu-config",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "gnu-config-native",
"layer": "meta",
"version": "20240101+git",
"products": [
{
"product": "gnu-config",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "gnupg",
"layer": "meta",
"version": "2.4.4",
"products": [
{
"product": "gnupg",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2005-0366",
"summary": "The integrity check feature in OpenPGP, when handling a message that was encrypted using cipher feedback (CFB) mode, allows remote attackers to recover part of the plaintext via a chosen-ciphertext attack when the first 2 bytes of a message block are known, and an oracle or other mechanism is available to determine whether an integrity check failed.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0366"
},
{
"id": "CVE-2006-3082",
"summary": "parse-packet.c in GnuPG (gpg) 1.4.3 and 1.9.20, and earlier versions, allows remote attackers to cause a denial of service (gpg crash) and possibly overwrite memory via a message packet with a large length (long user ID string), which could lead to an integer overflow, as demonstrated using the --no-armor option.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3082"
},
{
"id": "CVE-2006-3746",
"summary": "Integer overflow in parse_comment in GnuPG (gpg) 1.4.4 allows remote attackers to cause a denial of service (segmentation fault) via a crafted message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3746"
},
{
"id": "CVE-2006-6169",
"summary": "Heap-based buffer overflow in the ask_outfile_name function in openfile.c for GnuPG (gpg) 1.4 and 2.0, when running interactively, might allow attackers to execute arbitrary code via messages with \"C-escape\" expansions, which cause the make_printable_string function to return a longer string than expected while constructing a prompt.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6169"
},
{
"id": "CVE-2007-1263",
"summary": "GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1263"
},
{
"id": "CVE-2008-1530",
"summary": "GnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted duplicate keys that are imported from key servers, which triggers \"memory corruption around deduplication of user IDs.\"",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1530"
},
{
"id": "CVE-2010-2547",
"summary": "Use-after-free vulnerability in kbx/keybox-blob.c in GPGSM in GnuPG 2.x through 2.0.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a certificate with a large number of Subject Alternate Names, which is not properly handled in a realloc operation when importing the certificate or verifying its signature.",
"scorev2": "5.1",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2547"
},
{
"id": "CVE-2011-2207",
"summary": "dirmngr before 2.1.0 improperly handles certain system calls, which allows remote attackers to cause a denial of service (DOS) via a specially-crafted certificate.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2207"
},
{
"id": "CVE-2012-6085",
"summary": "The read_block function in g10/import.c in GnuPG 1.4.x before 1.4.13 and 2.0.x through 2.0.19, when importing a key, allows remote attackers to corrupt the public keyring database or cause a denial of service (application crash) via a crafted length field of an OpenPGP packet.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6085"
},
{
"id": "CVE-2013-4242",
"summary": "GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4242"
},
{
"id": "CVE-2013-4351",
"summary": "GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4351"
},
{
"id": "CVE-2013-4402",
"summary": "The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4402"
},
{
"id": "CVE-2013-4576",
"summary": "GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4576"
},
{
"id": "CVE-2014-3591",
"summary": "Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.",
"scorev2": "1.9",
"scorev3": "4.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3591"
},
{
"id": "CVE-2014-4617",
"summary": "The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4617"
},
{
"id": "CVE-2014-9087",
"summary": "Integer underflow in the ksba_oid_to_str function in Libksba before 1.3.2, as used in GnuPG, allows remote attackers to cause a denial of service (crash) via a crafted OID in a (1) S/MIME message or (2) ECC based OpenPGP data, which triggers a buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9087"
},
{
"id": "CVE-2015-0837",
"summary": "The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a \"Last-Level Cache Side-Channel Attack.\"",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0837"
},
{
"id": "CVE-2015-1606",
"summary": "The keyring DB in GnuPG before 2.1.2 does not properly handle invalid packets, which allows remote attackers to cause a denial of service (invalid read and use-after-free) via a crafted keyring file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1606"
},
{
"id": "CVE-2015-1607",
"summary": "kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x before 2.0.27, and 2.1.x before 2.1.2 does not properly handle bitwise left-shifts, which allows remote attackers to cause a denial of service (invalid read operation) via a crafted keyring file, related to sign extensions and \"memcpy with overlapping ranges.\"",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1607"
},
{
"id": "CVE-2016-6313",
"summary": "The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6313"
},
{
"id": "CVE-2018-1000858",
"summary": "GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000858"
},
{
"id": "CVE-2018-12020",
"summary": "mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the \"--status-fd 2\" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12020"
},
{
"id": "CVE-2018-9234",
"summary": "GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9234"
},
{
"id": "CVE-2019-13050",
"summary": "Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13050"
},
{
"id": "CVE-2019-14855",
"summary": "A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14855"
},
{
"id": "CVE-2020-25125",
"summary": "GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this key has AEAD preferences. The overflow is caused by a g10/key-check.c error. NOTE: GnuPG 2.3.x is unaffected. GnuPG 2.2.23 is a fixed version.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25125"
},
{
"id": "CVE-2022-3219",
"summary": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.",
"scorev2": "0.0",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219"
},
{
"id": "CVE-2022-34903",
"summary": "GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.",
"scorev2": "5.8",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-34903"
},
{
"id": "CVE-2022-3515",
"summary": "A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3515"
}
]
},
{
"name": "gnutls",
"layer": "meta",
"version": "3.8.4",
"products": [
{
"product": "gnutls",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-2531",
"summary": "X.509 Certificate Signature Verification in Gnu transport layer security library (GnuTLS) 1.0.16 allows remote attackers to cause a denial of service (CPU consumption) via certificates containing long chains and signed with large RSA keys.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2531"
},
{
"id": "CVE-2005-1431",
"summary": "The \"record packet parsing\" in GnuTLS 1.2 before 1.2.3 and 1.0 before 1.0.25 allows remote attackers to cause a denial of service, possibly related to padding bytes in gnutils_cipher.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1431"
},
{
"id": "CVE-2006-4790",
"summary": "verify.c in GnuTLS before 1.4.4, when using an RSA key with exponent 3, does not properly handle excess data in the digestAlgorithm.parameters field when generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents GnuTLS from correctly verifying X.509 and other certificates that use PKCS, a variant of CVE-2006-4339.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4790"
},
{
"id": "CVE-2006-7239",
"summary": "The _gnutls_x509_oid2mac_algorithm function in lib/gnutls_algorithms.c in GnuTLS before 1.4.2 allows remote attackers to cause a denial of service (crash) via a crafted X.509 certificate that uses a hash algorithm that is not supported by GnuTLS, which triggers a NULL pointer dereference.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7239"
},
{
"id": "CVE-2008-1948",
"summary": "The _gnutls_server_name_recv_params function in lib/ext_server_name.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 does not properly calculate the number of Server Names in a TLS 1.0 Client Hello message during extension handling, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a zero value for the length of Server Names, which leads to a buffer overflow in session resumption data in the pack_security_parameters function, aka GNUTLS-SA-2008-1-1.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1948"
},
{
"id": "CVE-2008-1949",
"summary": "The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to process Client Hello messages within a TLS message after one has already been processed, which allows remote attackers to cause a denial of service (NULL dereference and crash) via a TLS message containing multiple Client Hello messages, aka GNUTLS-SA-2008-1-2.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1949"
},
{
"id": "CVE-2008-1950",
"summary": "Integer signedness error in the _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4 allows remote attackers to cause a denial of service (buffer over-read and crash) via a certain integer value in the Random field in an encrypted Client Hello message within a TLS record with an invalid Record Length, which leads to an invalid cipher padding length, aka GNUTLS-SA-2008-1-3.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1950"
},
{
"id": "CVE-2008-2377",
"summary": "Use-after-free vulnerability in the _gnutls_handshake_hash_buffers_clear function in lib/gnutls_handshake.c in libgnutls in GnuTLS 2.3.5 through 2.4.0 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via TLS transmission of data that is improperly used when the peer calls gnutls_handshake within a normal session, leading to attempted access to a deallocated libgcrypt handle.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2377"
},
{
"id": "CVE-2008-4989",
"summary": "The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4989"
},
{
"id": "CVE-2009-1415",
"summary": "lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not properly handle invalid DSA signatures, which allows remote attackers to cause a denial of service (application crash) and possibly have unspecified other impact via a malformed DSA key that triggers a (1) free of an uninitialized pointer or (2) double free.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1415"
},
{
"id": "CVE-2009-1416",
"summary": "lib/gnutls_pk.c in libgnutls in GnuTLS 2.5.0 through 2.6.5 generates RSA keys stored in DSA structures, instead of the intended DSA keys, which might allow remote attackers to spoof signatures on certificates or have unspecified other impact by leveraging an invalid DSA key.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1416"
},
{
"id": "CVE-2009-1417",
"summary": "gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1417"
},
{
"id": "CVE-2009-2409",
"summary": "The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2409"
},
{
"id": "CVE-2009-2730",
"summary": "libgnutls in GnuTLS before 2.8.2 does not properly handle a '\\0' character in a domain name in the subject's (1) Common Name (CN) or (2) Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2730"
},
{
"id": "CVE-2009-3555",
"summary": "The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a \"plaintext injection\" attack, aka the \"Project Mogul\" issue.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3555"
},
{
"id": "CVE-2009-5138",
"summary": "GnuTLS before 2.7.6, when the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag is not enabled, treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging a X.509 V1 certificate from a trusted CA to issue new certificates, a different vulnerability than CVE-2014-1959.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5138"
},
{
"id": "CVE-2010-0731",
"summary": "The gnutls_x509_crt_get_serial function in the GnuTLS library before 1.2.1, when running on big-endian, 64-bit platforms, calls the asn1_read_value with a pointer to the wrong data type and the wrong length value, which allows remote attackers to bypass the certificate revocation list (CRL) check and cause a stack-based buffer overflow via a crafted X.509 certificate, related to extraction of a serial number.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0731"
},
{
"id": "CVE-2011-4128",
"summary": "Buffer overflow in the gnutls_session_get_data function in lib/gnutls_session.c in GnuTLS 2.12.x before 2.12.14 and 3.x before 3.0.7, when used on a client that performs nonstandard session resumption, allows remote TLS servers to cause a denial of service (application crash) via a large SessionTicket.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4128"
},
{
"id": "CVE-2012-0390",
"summary": "The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain error-handling code only if there is a specific relationship between a padding length and the ciphertext size, which makes it easier for remote attackers to recover partial plaintext via a timing side-channel attack, a related issue to CVE-2011-4108.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0390"
},
{
"id": "CVE-2012-1569",
"summary": "The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1569"
},
{
"id": "CVE-2012-1573",
"summary": "gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3.0.15 does not properly handle data encrypted with a block cipher, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) via a crafted record, as demonstrated by a crafted GenericBlockCipher structure.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1573"
},
{
"id": "CVE-2012-1663",
"summary": "Double free vulnerability in libgnutls in GnuTLS before 3.0.14 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted certificate list.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1663"
},
{
"id": "CVE-2013-1619",
"summary": "The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1619"
},
{
"id": "CVE-2013-2116",
"summary": "The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS 2.12.23 allows remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length. NOTE: this might be due to an incorrect fix for CVE-2013-0169.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2116"
},
{
"id": "CVE-2013-4466",
"summary": "Buffer overflow in the dane_query_tlsa function in the DANE library (libdane) in GnuTLS 3.1.x before 3.1.15 and 3.2.x before 3.2.5 allows remote servers to cause a denial of service (memory corruption) via a response with more than four DANE entries.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4466"
},
{
"id": "CVE-2013-4487",
"summary": "Off-by-one error in the dane_raw_tlsa in the DANE library (libdane) in GnuTLS 3.1.x before 3.1.16 and 3.2.x before 3.2.6 allows remote servers to cause a denial of service (memory corruption) via a response with more than four DANE entries. NOTE: this issue is due to an incomplete fix for CVE-2013-4466.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4487"
},
{
"id": "CVE-2014-0092",
"summary": "lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0092"
},
{
"id": "CVE-2014-1959",
"summary": "lib/x509/verify.c in GnuTLS before 3.1.21 and 3.2.x before 3.2.11 treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging a X.509 V1 certificate from a trusted CA to issue new certificates.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1959"
},
{
"id": "CVE-2014-3465",
"summary": "The gnutls_x509_dn_oid_name function in lib/x509/common.c in GnuTLS 3.0 before 3.1.20 and 3.2.x before 3.2.10 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted X.509 certificate, related to a missing LDAP description for an OID when printing the DN.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3465"
},
{
"id": "CVE-2014-3466",
"summary": "Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows remote servers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a long session id in a ServerHello message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3466"
},
{
"id": "CVE-2014-3467",
"summary": "Multiple unspecified vulnerabilities in the DER decoder in GNU Libtasn1 before 3.6, as used in GnuTLS, allow remote attackers to cause a denial of service (out-of-bounds read) via crafted ASN.1 data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3467"
},
{
"id": "CVE-2014-3468",
"summary": "The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3468"
},
{
"id": "CVE-2014-3469",
"summary": "The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1 before 3.6 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via a NULL value in an ivalue argument.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3469"
},
{
"id": "CVE-2014-8155",
"summary": "GnuTLS before 2.9.10 does not verify the activation and expiration dates of CA certificates, which allows man-in-the-middle attackers to spoof servers via a certificate issued by a CA certificate that is (1) not yet valid or (2) no longer valid.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8155"
},
{
"id": "CVE-2014-8564",
"summary": "The _gnutls_ecc_ansi_x963_export function in gnutls_ecc.c in GnuTLS 3.x before 3.1.28, 3.2.x before 3.2.20, and 3.3.x before 3.3.10 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) Elliptic Curve Cryptography (ECC) certificate or (2) certificate signing requests (CSR), related to generating key IDs.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8564"
},
{
"id": "CVE-2015-0282",
"summary": "GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 signature algorithm matches the signature algorithm in the certificate, which allows remote attackers to conduct downgrade attacks via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0282"
},
{
"id": "CVE-2015-0294",
"summary": "GnuTLS before 3.3.13 does not validate that the signature algorithms match when importing a certificate.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0294"
},
{
"id": "CVE-2015-3308",
"summary": "Double free vulnerability in lib/x509/x509_ext.c in GnuTLS before 3.3.14 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted CRL distribution point.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3308"
},
{
"id": "CVE-2015-6251",
"summary": "Double free vulnerability in GnuTLS before 3.3.17 and 3.4.x before 3.4.4 allows remote attackers to cause a denial of service via a long DistinguishedName (DN) entry in a certificate.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6251"
},
{
"id": "CVE-2015-8313",
"summary": "GnuTLS incorrectly validates the first byte of padding in CBC modes",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8313"
},
{
"id": "CVE-2016-4456",
"summary": "The \"GNUTLS_KEYLOGFILE\" environment variable in gnutls 3.4.12 allows remote attackers to overwrite and corrupt arbitrary files in the filesystem.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4456"
},
{
"id": "CVE-2016-7444",
"summary": "The gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length of an OCSP response, which might allow remote attackers to bypass an intended certificate validation mechanism via vectors involving trailing bytes left by gnutls_malloc.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7444"
},
{
"id": "CVE-2017-5334",
"summary": "Double free vulnerability in the gnutls_x509_ext_import_proxy function in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allows remote attackers to have unspecified impact via crafted policy language information in an X.509 certificate with a Proxy Certificate Information extension.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5334"
},
{
"id": "CVE-2017-5335",
"summary": "The stream reading functions in lib/opencdk/read-packet.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to cause a denial of service (out-of-memory error and crash) via a crafted OpenPGP certificate.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5335"
},
{
"id": "CVE-2017-5336",
"summary": "Stack-based buffer overflow in the cdk_pk_get_keyid function in lib/opencdk/pubkey.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allows remote attackers to have unspecified impact via a crafted OpenPGP certificate.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5336"
},
{
"id": "CVE-2017-5337",
"summary": "Multiple heap-based buffer overflows in the read_attribute function in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to have unspecified impact via a crafted OpenPGP certificate.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5337"
},
{
"id": "CVE-2017-7507",
"summary": "GnuTLS version 3.5.12 and earlier is vulnerable to a NULL pointer dereference while decoding a status response TLS extension with valid contents. This could lead to a crash of the GnuTLS server application.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7507"
},
{
"id": "CVE-2017-7869",
"summary": "GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer overflow and heap-based buffer overflow related to the cdk_pkt_read function in opencdk/read-packet.c. This issue (which is a subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7869"
},
{
"id": "CVE-2018-10844",
"summary": "It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10844"
},
{
"id": "CVE-2018-10845",
"summary": "It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10845"
},
{
"id": "CVE-2018-10846",
"summary": "A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of \"Just in Time\" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets.",
"scorev2": "1.9",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10846"
},
{
"id": "CVE-2018-16868",
"summary": "A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run process on the same physical core as the victim process, could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
"scorev2": "3.3",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16868"
},
{
"id": "CVE-2019-3829",
"summary": "A vulnerability was found in gnutls versions from 3.5.8 before 3.6.7. A memory corruption (double free) vulnerability in the certificate verification API. Any client or server application that verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3829"
},
{
"id": "CVE-2019-3836",
"summary": "It was discovered in gnutls before version 3.6.7 upstream that there is an uninitialized pointer access in gnutls versions 3.6.3 or later which can be triggered by certain post-handshake messages.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3836"
},
{
"id": "CVE-2020-11501",
"summary": "GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 '\\0' bytes instead of a random value, and thus contributes no randomness to a DTLS negotiation. This breaks the security guarantees of the DTLS protocol.",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11501"
},
{
"id": "CVE-2020-13777",
"summary": "GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13777"
},
{
"id": "CVE-2020-24659",
"summary": "An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24659"
},
{
"id": "CVE-2021-20231",
"summary": "A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20231"
},
{
"id": "CVE-2021-20232",
"summary": "A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20232"
},
{
"id": "CVE-2021-4209",
"summary": "A NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw leads to a denial of service after authentication in rare circumstances.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4209"
},
{
"id": "CVE-2022-2509",
"summary": "A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2509"
},
{
"id": "CVE-2023-0361",
"summary": "A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.",
"scorev2": "0.0",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0361"
},
{
"id": "CVE-2023-5981",
"summary": "A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5981"
},
{
"id": "CVE-2024-0553",
"summary": "A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0553"
},
{
"id": "CVE-2024-0567",
"summary": "A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0567"
}
]
},
{
"name": "gnutls-native",
"layer": "meta",
"version": "3.8.4",
"products": [
{
"product": "gnutls",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-2531",
"summary": "X.509 Certificate Signature Verification in Gnu transport layer security library (GnuTLS) 1.0.16 allows remote attackers to cause a denial of service (CPU consumption) via certificates containing long chains and signed with large RSA keys.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2531"
},
{
"id": "CVE-2005-1431",
"summary": "The \"record packet parsing\" in GnuTLS 1.2 before 1.2.3 and 1.0 before 1.0.25 allows remote attackers to cause a denial of service, possibly related to padding bytes in gnutils_cipher.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1431"
},
{
"id": "CVE-2006-4790",
"summary": "verify.c in GnuTLS before 1.4.4, when using an RSA key with exponent 3, does not properly handle excess data in the digestAlgorithm.parameters field when generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents GnuTLS from correctly verifying X.509 and other certificates that use PKCS, a variant of CVE-2006-4339.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4790"
},
{
"id": "CVE-2006-7239",
"summary": "The _gnutls_x509_oid2mac_algorithm function in lib/gnutls_algorithms.c in GnuTLS before 1.4.2 allows remote attackers to cause a denial of service (crash) via a crafted X.509 certificate that uses a hash algorithm that is not supported by GnuTLS, which triggers a NULL pointer dereference.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7239"
},
{
"id": "CVE-2008-1948",
"summary": "The _gnutls_server_name_recv_params function in lib/ext_server_name.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 does not properly calculate the number of Server Names in a TLS 1.0 Client Hello message during extension handling, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a zero value for the length of Server Names, which leads to a buffer overflow in session resumption data in the pack_security_parameters function, aka GNUTLS-SA-2008-1-1.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1948"
},
{
"id": "CVE-2008-1949",
"summary": "The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to process Client Hello messages within a TLS message after one has already been processed, which allows remote attackers to cause a denial of service (NULL dereference and crash) via a TLS message containing multiple Client Hello messages, aka GNUTLS-SA-2008-1-2.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1949"
},
{
"id": "CVE-2008-1950",
"summary": "Integer signedness error in the _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4 allows remote attackers to cause a denial of service (buffer over-read and crash) via a certain integer value in the Random field in an encrypted Client Hello message within a TLS record with an invalid Record Length, which leads to an invalid cipher padding length, aka GNUTLS-SA-2008-1-3.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1950"
},
{
"id": "CVE-2008-2377",
"summary": "Use-after-free vulnerability in the _gnutls_handshake_hash_buffers_clear function in lib/gnutls_handshake.c in libgnutls in GnuTLS 2.3.5 through 2.4.0 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via TLS transmission of data that is improperly used when the peer calls gnutls_handshake within a normal session, leading to attempted access to a deallocated libgcrypt handle.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2377"
},
{
"id": "CVE-2008-4989",
"summary": "The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4989"
},
{
"id": "CVE-2009-1415",
"summary": "lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not properly handle invalid DSA signatures, which allows remote attackers to cause a denial of service (application crash) and possibly have unspecified other impact via a malformed DSA key that triggers a (1) free of an uninitialized pointer or (2) double free.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1415"
},
{
"id": "CVE-2009-1416",
"summary": "lib/gnutls_pk.c in libgnutls in GnuTLS 2.5.0 through 2.6.5 generates RSA keys stored in DSA structures, instead of the intended DSA keys, which might allow remote attackers to spoof signatures on certificates or have unspecified other impact by leveraging an invalid DSA key.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1416"
},
{
"id": "CVE-2009-1417",
"summary": "gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1417"
},
{
"id": "CVE-2009-2409",
"summary": "The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2409"
},
{
"id": "CVE-2009-2730",
"summary": "libgnutls in GnuTLS before 2.8.2 does not properly handle a '\\0' character in a domain name in the subject's (1) Common Name (CN) or (2) Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2730"
},
{
"id": "CVE-2009-3555",
"summary": "The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a \"plaintext injection\" attack, aka the \"Project Mogul\" issue.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3555"
},
{
"id": "CVE-2009-5138",
"summary": "GnuTLS before 2.7.6, when the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag is not enabled, treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging a X.509 V1 certificate from a trusted CA to issue new certificates, a different vulnerability than CVE-2014-1959.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5138"
},
{
"id": "CVE-2010-0731",
"summary": "The gnutls_x509_crt_get_serial function in the GnuTLS library before 1.2.1, when running on big-endian, 64-bit platforms, calls the asn1_read_value with a pointer to the wrong data type and the wrong length value, which allows remote attackers to bypass the certificate revocation list (CRL) check and cause a stack-based buffer overflow via a crafted X.509 certificate, related to extraction of a serial number.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0731"
},
{
"id": "CVE-2011-4128",
"summary": "Buffer overflow in the gnutls_session_get_data function in lib/gnutls_session.c in GnuTLS 2.12.x before 2.12.14 and 3.x before 3.0.7, when used on a client that performs nonstandard session resumption, allows remote TLS servers to cause a denial of service (application crash) via a large SessionTicket.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4128"
},
{
"id": "CVE-2012-0390",
"summary": "The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain error-handling code only if there is a specific relationship between a padding length and the ciphertext size, which makes it easier for remote attackers to recover partial plaintext via a timing side-channel attack, a related issue to CVE-2011-4108.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0390"
},
{
"id": "CVE-2012-1569",
"summary": "The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1569"
},
{
"id": "CVE-2012-1573",
"summary": "gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3.0.15 does not properly handle data encrypted with a block cipher, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) via a crafted record, as demonstrated by a crafted GenericBlockCipher structure.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1573"
},
{
"id": "CVE-2012-1663",
"summary": "Double free vulnerability in libgnutls in GnuTLS before 3.0.14 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted certificate list.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1663"
},
{
"id": "CVE-2013-1619",
"summary": "The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1619"
},
{
"id": "CVE-2013-2116",
"summary": "The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS 2.12.23 allows remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length. NOTE: this might be due to an incorrect fix for CVE-2013-0169.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2116"
},
{
"id": "CVE-2013-4466",
"summary": "Buffer overflow in the dane_query_tlsa function in the DANE library (libdane) in GnuTLS 3.1.x before 3.1.15 and 3.2.x before 3.2.5 allows remote servers to cause a denial of service (memory corruption) via a response with more than four DANE entries.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4466"
},
{
"id": "CVE-2013-4487",
"summary": "Off-by-one error in the dane_raw_tlsa in the DANE library (libdane) in GnuTLS 3.1.x before 3.1.16 and 3.2.x before 3.2.6 allows remote servers to cause a denial of service (memory corruption) via a response with more than four DANE entries. NOTE: this issue is due to an incomplete fix for CVE-2013-4466.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4487"
},
{
"id": "CVE-2014-0092",
"summary": "lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0092"
},
{
"id": "CVE-2014-1959",
"summary": "lib/x509/verify.c in GnuTLS before 3.1.21 and 3.2.x before 3.2.11 treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging a X.509 V1 certificate from a trusted CA to issue new certificates.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1959"
},
{
"id": "CVE-2014-3465",
"summary": "The gnutls_x509_dn_oid_name function in lib/x509/common.c in GnuTLS 3.0 before 3.1.20 and 3.2.x before 3.2.10 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted X.509 certificate, related to a missing LDAP description for an OID when printing the DN.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3465"
},
{
"id": "CVE-2014-3466",
"summary": "Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows remote servers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a long session id in a ServerHello message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3466"
},
{
"id": "CVE-2014-3467",
"summary": "Multiple unspecified vulnerabilities in the DER decoder in GNU Libtasn1 before 3.6, as used in GnuTLS, allow remote attackers to cause a denial of service (out-of-bounds read) via crafted ASN.1 data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3467"
},
{
"id": "CVE-2014-3468",
"summary": "The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3468"
},
{
"id": "CVE-2014-3469",
"summary": "The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1 before 3.6 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via a NULL value in an ivalue argument.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3469"
},
{
"id": "CVE-2014-8155",
"summary": "GnuTLS before 2.9.10 does not verify the activation and expiration dates of CA certificates, which allows man-in-the-middle attackers to spoof servers via a certificate issued by a CA certificate that is (1) not yet valid or (2) no longer valid.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8155"
},
{
"id": "CVE-2014-8564",
"summary": "The _gnutls_ecc_ansi_x963_export function in gnutls_ecc.c in GnuTLS 3.x before 3.1.28, 3.2.x before 3.2.20, and 3.3.x before 3.3.10 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) Elliptic Curve Cryptography (ECC) certificate or (2) certificate signing requests (CSR), related to generating key IDs.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8564"
},
{
"id": "CVE-2015-0282",
"summary": "GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 signature algorithm matches the signature algorithm in the certificate, which allows remote attackers to conduct downgrade attacks via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0282"
},
{
"id": "CVE-2015-0294",
"summary": "GnuTLS before 3.3.13 does not validate that the signature algorithms match when importing a certificate.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0294"
},
{
"id": "CVE-2015-3308",
"summary": "Double free vulnerability in lib/x509/x509_ext.c in GnuTLS before 3.3.14 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted CRL distribution point.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3308"
},
{
"id": "CVE-2015-6251",
"summary": "Double free vulnerability in GnuTLS before 3.3.17 and 3.4.x before 3.4.4 allows remote attackers to cause a denial of service via a long DistinguishedName (DN) entry in a certificate.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6251"
},
{
"id": "CVE-2015-8313",
"summary": "GnuTLS incorrectly validates the first byte of padding in CBC modes",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8313"
},
{
"id": "CVE-2016-4456",
"summary": "The \"GNUTLS_KEYLOGFILE\" environment variable in gnutls 3.4.12 allows remote attackers to overwrite and corrupt arbitrary files in the filesystem.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4456"
},
{
"id": "CVE-2016-7444",
"summary": "The gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length of an OCSP response, which might allow remote attackers to bypass an intended certificate validation mechanism via vectors involving trailing bytes left by gnutls_malloc.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7444"
},
{
"id": "CVE-2017-5334",
"summary": "Double free vulnerability in the gnutls_x509_ext_import_proxy function in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allows remote attackers to have unspecified impact via crafted policy language information in an X.509 certificate with a Proxy Certificate Information extension.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5334"
},
{
"id": "CVE-2017-5335",
"summary": "The stream reading functions in lib/opencdk/read-packet.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to cause a denial of service (out-of-memory error and crash) via a crafted OpenPGP certificate.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5335"
},
{
"id": "CVE-2017-5336",
"summary": "Stack-based buffer overflow in the cdk_pk_get_keyid function in lib/opencdk/pubkey.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allows remote attackers to have unspecified impact via a crafted OpenPGP certificate.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5336"
},
{
"id": "CVE-2017-5337",
"summary": "Multiple heap-based buffer overflows in the read_attribute function in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to have unspecified impact via a crafted OpenPGP certificate.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5337"
},
{
"id": "CVE-2017-7507",
"summary": "GnuTLS version 3.5.12 and earlier is vulnerable to a NULL pointer dereference while decoding a status response TLS extension with valid contents. This could lead to a crash of the GnuTLS server application.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7507"
},
{
"id": "CVE-2017-7869",
"summary": "GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer overflow and heap-based buffer overflow related to the cdk_pkt_read function in opencdk/read-packet.c. This issue (which is a subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7869"
},
{
"id": "CVE-2018-10844",
"summary": "It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10844"
},
{
"id": "CVE-2018-10845",
"summary": "It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10845"
},
{
"id": "CVE-2018-10846",
"summary": "A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of \"Just in Time\" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets.",
"scorev2": "1.9",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10846"
},
{
"id": "CVE-2018-16868",
"summary": "A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run process on the same physical core as the victim process, could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
"scorev2": "3.3",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16868"
},
{
"id": "CVE-2019-3829",
"summary": "A vulnerability was found in gnutls versions from 3.5.8 before 3.6.7. A memory corruption (double free) vulnerability in the certificate verification API. Any client or server application that verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3829"
},
{
"id": "CVE-2019-3836",
"summary": "It was discovered in gnutls before version 3.6.7 upstream that there is an uninitialized pointer access in gnutls versions 3.6.3 or later which can be triggered by certain post-handshake messages.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3836"
},
{
"id": "CVE-2020-11501",
"summary": "GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 '\\0' bytes instead of a random value, and thus contributes no randomness to a DTLS negotiation. This breaks the security guarantees of the DTLS protocol.",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11501"
},
{
"id": "CVE-2020-13777",
"summary": "GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13777"
},
{
"id": "CVE-2020-24659",
"summary": "An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24659"
},
{
"id": "CVE-2021-20231",
"summary": "A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20231"
},
{
"id": "CVE-2021-20232",
"summary": "A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20232"
},
{
"id": "CVE-2021-4209",
"summary": "A NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw leads to a denial of service after authentication in rare circumstances.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4209"
},
{
"id": "CVE-2022-2509",
"summary": "A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2509"
},
{
"id": "CVE-2023-0361",
"summary": "A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.",
"scorev2": "0.0",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0361"
},
{
"id": "CVE-2023-5981",
"summary": "A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5981"
},
{
"id": "CVE-2024-0553",
"summary": "A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0553"
},
{
"id": "CVE-2024-0567",
"summary": "A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0567"
}
]
},
{
"name": "gobject-introspection",
"layer": "meta",
"version": "1.78.1",
"products": [
{
"product": "gobject-introspection",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "gobject-introspection-native",
"layer": "meta",
"version": "1.78.1",
"products": [
{
"product": "gobject-introspection",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "googlebenchmark",
"layer": "meta-oe",
"version": "1.8.3",
"products": [
{
"product": "googlebenchmark",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "googletest",
"layer": "meta-oe",
"version": "1.14.0",
"products": [
{
"product": "googletest",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "gperf-native",
"layer": "meta",
"version": "3.1",
"products": [
{
"product": "gperf",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "gpgme",
"layer": "meta",
"version": "1.23.2",
"products": [
{
"product": "gpgme",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-1263",
"summary": "GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1263"
},
{
"id": "CVE-2014-3564",
"summary": "Multiple heap-based buffer overflows in the status_handler function in (1) engine-gpgsm.c and (2) engine-uiserver.c in GPGME before 1.5.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to \"different line lengths in a specific order.\"",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3564"
},
{
"id": "CVE-2020-8945",
"summary": "The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.",
"scorev2": "5.1",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945"
}
]
},
{
"name": "gpgme-native",
"layer": "meta",
"version": "1.23.2",
"products": [
{
"product": "gpgme",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-1263",
"summary": "GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1263"
},
{
"id": "CVE-2014-3564",
"summary": "Multiple heap-based buffer overflows in the status_handler function in (1) engine-gpgsm.c and (2) engine-uiserver.c in GPGME before 1.5.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to \"different line lengths in a specific order.\"",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3564"
},
{
"id": "CVE-2020-8945",
"summary": "The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.",
"scorev2": "5.1",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8945"
}
]
},
{
"name": "gpsd",
"layer": "meta-oe",
"version": "3.24",
"products": [
{
"product": "gpsd",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-2038",
"summary": "The NMEA0183 driver in gpsd before 3.9 allows remote attackers to cause a denial of service (daemon termination) and possibly execute arbitrary code via a GPS packet with a malformed $GPGGA interpreted sentence that lacks certain fields and a terminator. NOTE: a separate issue in the AIS driver was also reported, but it might not be a vulnerability.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2038"
},
{
"id": "CVE-2018-17937",
"summary": "gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open source project, allow a stack-based buffer overflow, which may allow remote attackers to execute arbitrary code on embedded platforms via traffic on Port 2947/TCP or crafted JSON inputs.",
"scorev2": "5.8",
"scorev3": "8.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17937"
},
{
"id": "CVE-2023-43628",
"summary": "An integer underflow vulnerability exists in the NTRIP Stream Parsing functionality of GPSd 3.25.1~dev. A specially crafted network packet can lead to memory corruption. An attacker can send a malicious packet to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43628"
}
]
},
{
"name": "gpsd-machine-conf",
"layer": "meta-oe",
"version": "1.0",
"products": [
{
"product": "gpsd-machine-conf",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "grep",
"layer": "meta",
"version": "3.11",
"products": [
{
"product": "grep",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2012-5667",
"summary": "Multiple integer overflows in GNU Grep before 2.11 might allow context-dependent attackers to execute arbitrary code via vectors involving a long input line that triggers a heap-based buffer overflow.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5667"
},
{
"id": "CVE-2015-1345",
"summary": "The bmexec_trans function in kwset.c in grep 2.19 through 2.21 allows local users to cause a denial of service (out-of-bounds heap read and crash) via crafted input when using the -F option.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1345"
}
]
},
{
"name": "groff-native",
"layer": "meta",
"version": "1.23.0",
"products": [
{
"product": "groff",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2000-0803",
"summary": "GNU Groff uses the current working directory to find a device description file, which allows a local user to gain additional privileges by including a malicious postpro directive in the description file, which is executed when another user runs groff.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0803"
},
{
"id": "CVE-2001-1022",
"summary": "Format string vulnerability in pic utility in groff 1.16.1 and other versions, and jgroff before 1.15, allows remote attackers to bypass the -S option and execute arbitrary commands via format string specifiers in the plot command.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1022"
},
{
"id": "CVE-2002-0003",
"summary": "Buffer overflow in the preprocessor in groff 1.16 and earlier allows remote attackers to gain privileges via lpd in the LPRng printing system.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0003"
},
{
"id": "CVE-2004-0969",
"summary": "The groffer script in the Groff package 1.18 and later versions, as used in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0969"
},
{
"id": "CVE-2009-5044",
"summary": "contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 allows local users to overwrite arbitrary files via a symlink attack on a pdf#####.tmp temporary file.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5044"
},
{
"id": "CVE-2009-5078",
"summary": "contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 launches the Ghostscript program without the -dSAFER option, which allows remote attackers to create, overwrite, rename, or delete arbitrary files via a crafted document.",
"scorev2": "6.4",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5078"
},
{
"id": "CVE-2009-5079",
"summary": "The (1) gendef.sh, (2) doc/fixinfo.sh, and (3) contrib/gdiffmk/tests/runtests.in scripts in GNU troff (aka groff) 1.21 and earlier allow local users to overwrite arbitrary files via a symlink attack on a gro#####.tmp or /tmp/##### temporary file.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5079"
},
{
"id": "CVE-2009-5080",
"summary": "The (1) contrib/eqn2graph/eqn2graph.sh, (2) contrib/grap2graph/grap2graph.sh, and (3) contrib/pic2graph/pic2graph.sh scripts in GNU troff (aka groff) 1.21 and earlier do not properly handle certain failed attempts to create temporary directories, which might allow local users to overwrite arbitrary files via a symlink attack on a file in a temporary directory, a different vulnerability than CVE-2004-1296.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5080"
},
{
"id": "CVE-2009-5081",
"summary": "The (1) config.guess, (2) contrib/groffer/perl/groffer.pl, and (3) contrib/groffer/perl/roff2.pl scripts in GNU troff (aka groff) 1.21 and earlier use an insufficient number of X characters in the template argument to the tempfile function, which makes it easier for local users to overwrite arbitrary files via a symlink attack on a temporary file, a different vulnerability than CVE-2004-0969.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5081"
},
{
"id": "CVE-2009-5082",
"summary": "The (1) configure and (2) config.guess scripts in GNU troff (aka groff) 1.20.1 on Openwall GNU/*/Linux (aka Owl) improperly create temporary files upon a failure of the mktemp function, which makes it easier for local users to overwrite arbitrary files via a symlink attack on a temporary file.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5082"
}
]
},
{
"name": "grpc",
"layer": "meta-oe",
"version": "1.60.1",
"products": [
{
"product": "grpc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2017-7860",
"summary": "Google gRPC before 2017-02-22 has an out-of-bounds write caused by a heap-based buffer overflow related to the parse_unix function in core/ext/client_channel/parse_address.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7860"
},
{
"id": "CVE-2017-7861",
"summary": "Google gRPC before 2017-02-22 has an out-of-bounds write related to the gpr_free function in core/lib/support/alloc.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7861"
},
{
"id": "CVE-2017-8359",
"summary": "Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based use-after-free related to the grpc_call_destroy function in core/lib/surface/call.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8359"
},
{
"id": "CVE-2017-9431",
"summary": "Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9431"
},
{
"id": "CVE-2020-7768",
"summary": "The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.",
"scorev2": "5.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-7768"
},
{
"id": "CVE-2023-1428",
"summary": "There exists an vulnerability causing an abort() to be called in gRPC.\u00a0\nThe following headers cause gRPC's C++ implementation to abort() when called via http2:\n\nte: x (x != trailers)\n\n:scheme: x (x != http, https)\n\ngrpclb_client_stats: x (x == anything)\n\nOn top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit\u00a02485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1428"
},
{
"id": "CVE-2023-32731",
"summary": "When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in\u00a0 https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005 \n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32731"
},
{
"id": "CVE-2023-32732",
"summary": "gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in\u00a0 https://github.com/grpc/grpc/pull/32309 https://www.google.com/url \n",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32732"
},
{
"id": "CVE-2023-33953",
"summary": "gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/\u00a0Three vectors were found that allow the following DOS attacks:\n\n- Unbounded memory buffering in the HPACK parser\n- Unbounded CPU consumption in the HPACK parser\n\nThe unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.\n\nThe unbounded memory buffering bugs:\n\n- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.\n- HPACK varints have an encoding quirk whereby an infinite number of 0\u2019s can be added at the start of an integer. gRPC\u2019s hpack parser needed to read all of them before concluding a parse.\n- gRPC\u2019s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc\u2026",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33953"
},
{
"id": "CVE-2023-44487",
"summary": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487"
},
{
"id": "CVE-2023-4785",
"summary": "Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.\u00a0",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4785"
}
]
},
{
"name": "grpc-native",
"layer": "meta-oe",
"version": "1.60.1",
"products": [
{
"product": "grpc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2017-7860",
"summary": "Google gRPC before 2017-02-22 has an out-of-bounds write caused by a heap-based buffer overflow related to the parse_unix function in core/ext/client_channel/parse_address.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7860"
},
{
"id": "CVE-2017-7861",
"summary": "Google gRPC before 2017-02-22 has an out-of-bounds write related to the gpr_free function in core/lib/support/alloc.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7861"
},
{
"id": "CVE-2017-8359",
"summary": "Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based use-after-free related to the grpc_call_destroy function in core/lib/surface/call.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8359"
},
{
"id": "CVE-2017-9431",
"summary": "Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9431"
},
{
"id": "CVE-2020-7768",
"summary": "The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.",
"scorev2": "5.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-7768"
},
{
"id": "CVE-2023-1428",
"summary": "There exists an vulnerability causing an abort() to be called in gRPC.\u00a0\nThe following headers cause gRPC's C++ implementation to abort() when called via http2:\n\nte: x (x != trailers)\n\n:scheme: x (x != http, https)\n\ngrpclb_client_stats: x (x == anything)\n\nOn top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit\u00a02485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1428"
},
{
"id": "CVE-2023-32731",
"summary": "When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in\u00a0 https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005 \n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32731"
},
{
"id": "CVE-2023-32732",
"summary": "gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in\u00a0 https://github.com/grpc/grpc/pull/32309 https://www.google.com/url \n",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32732"
},
{
"id": "CVE-2023-33953",
"summary": "gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/\u00a0Three vectors were found that allow the following DOS attacks:\n\n- Unbounded memory buffering in the HPACK parser\n- Unbounded CPU consumption in the HPACK parser\n\nThe unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.\n\nThe unbounded memory buffering bugs:\n\n- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.\n- HPACK varints have an encoding quirk whereby an infinite number of 0\u2019s can be added at the start of an integer. gRPC\u2019s hpack parser needed to read all of them before concluding a parse.\n- gRPC\u2019s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc\u2026",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33953"
},
{
"id": "CVE-2023-44487",
"summary": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487"
},
{
"id": "CVE-2023-4785",
"summary": "Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.\u00a0",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4785"
}
]
},
{
"name": "gstreamer1.0",
"layer": "meta",
"version": "1.22.11",
"products": [
{
"product": "gstreamer",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2009-0586",
"summary": "Integer overflow in the gst_vorbis_tag_add_coverart function (gst-libs/gst/tag/gstvorbistag.c) in vorbistag in gst-plugins-base (aka gstreamer-plugins-base) before 0.10.23 in GStreamer allows context-dependent attackers to execute arbitrary code via a crafted COVERART tag that is converted from a base64 representation, which triggers a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0586"
},
{
"id": "CVE-2015-0797",
"summary": "GStreamer before 1.4.5, as used in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 on Linux, allows remote attackers to cause a denial of service (buffer over-read and application crash) or possibly execute arbitrary code via crafted H.264 video data in an m4v file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0797"
},
{
"id": "CVE-2016-10198",
"summary": "The gst_aac_parse_sink_setcaps function in gst/audioparsers/gstaacparse.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted audio file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10198"
},
{
"id": "CVE-2016-10199",
"summary": "The qtdemux_tag_add_str_full function in gst/isomp4/qtdemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted tag value.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10199"
},
{
"id": "CVE-2016-9445",
"summary": "Integer overflow in the vmnc decoder in the gstreamer allows remote attackers to cause a denial of service (crash) via large width and height values, which triggers a buffer overflow.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9445"
},
{
"id": "CVE-2016-9446",
"summary": "The vmnc decoder in the gstreamer does not initialize the render canvas, which allows remote attackers to obtain sensitive information as demonstrated by thumbnailing a simple 1 frame vmnc movie that does not draw to the allocated render canvas.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9446"
},
{
"id": "CVE-2016-9447",
"summary": "The ROM mappings in the NSF decoder in gstreamer 0.10.x allow remote attackers to cause a denial of service (out-of-bounds read or write) and possibly execute arbitrary code via a crafted NSF music file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9447"
},
{
"id": "CVE-2016-9634",
"summary": "Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via the start_line parameter.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9634"
},
{
"id": "CVE-2016-9635",
"summary": "Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by providing a 'skip count' that goes beyond initialized buffer.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9635"
},
{
"id": "CVE-2016-9636",
"summary": "Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by providing a 'write count' that goes beyond the initialized buffer.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9636"
},
{
"id": "CVE-2016-9807",
"summary": "The flx_decode_chunks function in gst/flx/gstflxdec.c in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted FLIC file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9807"
},
{
"id": "CVE-2016-9808",
"summary": "The FLIC decoder in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (out-of-bounds write and crash) via a crafted series of skip and count pairs.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9808"
},
{
"id": "CVE-2016-9809",
"summary": "Off-by-one error in the gst_h264_parse_set_caps function in GStreamer before 1.10.2 allows remote attackers to have unspecified impact via a crafted file, which triggers an out-of-bounds read.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9809"
},
{
"id": "CVE-2016-9810",
"summary": "The gst_decode_chain_free_internal function in the flxdex decoder in gst-plugins-good in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (invalid memory read and crash) via an invalid file, which triggers an incorrect unref call.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9810"
},
{
"id": "CVE-2016-9811",
"summary": "The windows_icon_typefind function in gst-plugins-base in GStreamer before 1.10.2, when G_SLICE is set to always-malloc, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted ico file.",
"scorev2": "4.3",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9811"
},
{
"id": "CVE-2016-9812",
"summary": "The gst_mpegts_section_new function in the mpegts decoder in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a too small section.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9812"
},
{
"id": "CVE-2016-9813",
"summary": "The _parse_pat function in the mpegts parser in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9813"
},
{
"id": "CVE-2017-5837",
"summary": "The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (floating point exception and crash) via a crafted video file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5837"
},
{
"id": "CVE-2017-5838",
"summary": "The gst_date_time_new_from_iso8601_string function in gst/gstdatetime.c in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a malformed datetime string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5838"
},
{
"id": "CVE-2017-5839",
"summary": "The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 does not properly limit recursion, which allows remote attackers to cause a denial of service (stack overflow and crash) via vectors involving nested WAVEFORMATEX.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5839"
},
{
"id": "CVE-2017-5840",
"summary": "The qtdemux_parse_samples function in gst/isomp4/qtdemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving the current stts index.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5840"
},
{
"id": "CVE-2017-5841",
"summary": "The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving ncdt tags.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5841"
},
{
"id": "CVE-2017-5842",
"summary": "The html_context_handle_element function in gst/subparse/samiparse.c in gst-plugins-base in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted SMI file, as demonstrated by OneNote_Manager.smi.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5842"
},
{
"id": "CVE-2017-5843",
"summary": "Multiple use-after-free vulnerabilities in the (1) gst_mini_object_unref, (2) gst_tag_list_unref, and (3) gst_mxf_demux_update_essence_tracks functions in GStreamer before 1.10.3 allow remote attackers to cause a denial of service (crash) via vectors involving stream tags, as demonstrated by 02785736.mxf.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5843"
},
{
"id": "CVE-2017-5844",
"summary": "The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (floating point exception and crash) via a crafted ASF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5844"
},
{
"id": "CVE-2017-5845",
"summary": "The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via a ncdt sub-tag that \"goes behind\" the surrounding tag.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5845"
},
{
"id": "CVE-2017-5846",
"summary": "The gst_asf_demux_process_ext_stream_props function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors related to the number of languages in a video file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5846"
},
{
"id": "CVE-2017-5847",
"summary": "The gst_asf_demux_process_ext_content_desc function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving extended content descriptors.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5847"
},
{
"id": "CVE-2017-5848",
"summary": "The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c in gst-plugins-bad in GStreamer allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors involving PSM parsing.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5848"
},
{
"id": "CVE-2019-9928",
"summary": "GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server, potentially allowing remote code execution.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9928"
},
{
"id": "CVE-2021-3497",
"summary": "GStreamer before 1.18.4 might access already-freed memory in error code paths when demuxing certain malformed Matroska files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3497"
},
{
"id": "CVE-2021-3498",
"summary": "GStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3498"
},
{
"id": "CVE-2021-3522",
"summary": "GStreamer before 1.18.4 may perform an out-of-bounds read when handling certain ID3v2 tags.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3522"
},
{
"id": "CVE-2022-1920",
"summary": "Integer overflow in matroskademux element in gst_matroska_demux_add_wvpk_header function which allows a heap overwrite while parsing matroska files. Potential for arbitrary code execution through heap overwrite.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1920"
},
{
"id": "CVE-2022-1921",
"summary": "Integer overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while parsing avi files. Potential for arbitrary code execution through heap overwrite.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1921"
},
{
"id": "CVE-2022-1922",
"summary": "DOS / potential heap overwrite in mkv demuxing using zlib decompression. Integer overflow in matroskademux element in gst_matroska_decompress_data function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1922"
},
{
"id": "CVE-2022-1923",
"summary": "DOS / potential heap overwrite in mkv demuxing using bzip decompression. Integer overflow in matroskademux element in bzip decompression function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1923"
},
{
"id": "CVE-2022-1924",
"summary": "DOS / potential heap overwrite in mkv demuxing using lzo decompression. Integer overflow in matroskademux element in lzo decompression function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1924"
},
{
"id": "CVE-2022-1925",
"summary": "DOS / potential heap overwrite in mkv demuxing using HEADERSTRIP decompression. Integer overflow in matroskaparse element in gst_matroska_decompress_data function which causes a heap overflow. Due to restrictions on chunk sizes in the matroskademux element, the overflow can't be triggered, however the matroskaparse element has no size checks.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1925"
},
{
"id": "CVE-2022-2122",
"summary": "DOS / potential heap overwrite in qtdemux using zlib decompression. Integer overflow in qtdemux element in qtdemux_inflate function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2122"
}
]
},
{
"name": "gstreamer1.0-plugins-bad",
"layer": "meta",
"version": "1.22.11",
"products": [
{
"product": "gstreamer1.0-plugins-bad",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "gstreamer1.0-plugins-base",
"layer": "meta",
"version": "1.22.11",
"products": [
{
"product": "gst-plugins-base",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "gstreamer1.0-plugins-good",
"layer": "meta",
"version": "1.22.11",
"products": [
{
"product": "gstreamer1.0-plugins-good",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "gtk+3-native",
"layer": "meta",
"version": "3.24.41",
"products": [
{
"product": "gtk",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2001-0084",
"summary": "GTK+ library allows local users to specify arbitrary modules via the GTK_MODULES environmental variable, which could allow local users to gain privileges if GTK+ is used by a setuid/setgid program.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0084"
},
{
"id": "CVE-2004-0753",
"summary": "The BMP image processor for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0753"
},
{
"id": "CVE-2004-0782",
"summary": "Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687).",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0782"
},
{
"id": "CVE-2004-0783",
"summary": "Stack-based buffer overflow in xpm_extract_color (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, may allow remote attackers to execute arbitrary code via a certain color string. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0688).",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0783"
},
{
"id": "CVE-2004-0788",
"summary": "Integer overflow in the ICO image decoder for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted ICO file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0788"
},
{
"id": "CVE-2005-0372",
"summary": "Directory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0372"
},
{
"id": "CVE-2005-0891",
"summary": "Double free vulnerability in gtk 2 (gtk2) before 2.2.4 allows remote attackers to cause a denial of service (crash) via a crafted BMP image.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0891"
},
{
"id": "CVE-2005-2975",
"summary": "io-xpm.c in the gdk-pixbuf XPM image rendering library in GTK+ before 2.8.7 allows attackers to cause a denial of service (infinite loop) via a crafted XPM image with a large number of colors.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2975"
},
{
"id": "CVE-2005-2976",
"summary": "Integer overflow in io-xpm.c in gdk-pixbuf 0.22.0 in GTK+ before 2.8.7 allows attackers to cause a denial of service (crash) or execute arbitrary code via an XPM file with large height, width, and colour values, a different vulnerability than CVE-2005-3186.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2976"
},
{
"id": "CVE-2007-0010",
"summary": "The GdkPixbufLoader function in GIMP ToolKit (GTK+) in GTK 2 (gtk2) before 2.4.13 allows context-dependent attackers to cause a denial of service (crash) via a malformed image file.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0010"
},
{
"id": "CVE-2010-0732",
"summary": "gdk/gdkwindow.c in GTK+ before 2.18.5, as used in gnome-screensaver before 2.28.1, performs implicit paints on windows of type GDK_WINDOW_FOREIGN, which triggers an X error in certain circumstances and consequently allows physically proximate attackers to bypass screen locking and access an unattended workstation by pressing the Enter key many times.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0732"
},
{
"id": "CVE-2010-4831",
"summary": "Untrusted search path vulnerability in gdk/win32/gdkinput-win32.c in GTK+ before 2.21.8 allows local users to gain privileges via a Trojan horse Wintab32.dll file in the current working directory.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4831"
},
{
"id": "CVE-2010-4833",
"summary": "Untrusted search path vulnerability in modules/engines/ms-windows/xp_theme.c in GTK+ before 2.24.0 allows local users to gain privileges via a Trojan horse uxtheme.dll file in the current working directory, a different vulnerability than CVE-2010-4831.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4833"
},
{
"id": "CVE-2012-0828",
"summary": "Heap-based buffer overflow in Xchat-WDK before 1499-4 (2012-01-18) xchat 2.8.6 on Maemo architecture could allow remote attackers to cause a denial of service (xchat client crash) or execute arbitrary code via a UTF-8 line from server containing characters outside of the Basic Multilingual Plane (BMP).",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0828"
},
{
"id": "CVE-2014-1949",
"summary": "GTK+ 3.10.9 and earlier, as used in cinnamon-screensaver, gnome-screensaver, and other applications, allows physically proximate attackers to bypass the lock screen by pressing the menu button.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1949"
}
]
},
{
"name": "gtk-doc",
"layer": "meta",
"version": "1.33.2",
"products": [
{
"product": "gtk-doc",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "gtk-doc-native",
"layer": "meta",
"version": "1.33.2",
"products": [
{
"product": "gtk-doc",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "harfbuzz",
"layer": "meta",
"version": "8.3.0",
"products": [
{
"product": "harfbuzz",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-8947",
"summary": "hb-ot-layout-gpos-table.hh in HarfBuzz before 1.0.5 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data, a different vulnerability than CVE-2016-2052.",
"scorev2": "7.5",
"scorev3": "7.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8947"
},
{
"id": "CVE-2015-9274",
"summary": "HarfBuzz before 1.0.4 allows remote attackers to cause a denial of service (invalid read of two bytes and application crash) because of GPOS and GSUB table mishandling, related to hb-ot-layout-gpos-table.hh, hb-ot-layout-gsub-table.hh, and hb-ot-layout-gsubgpos-private.hh.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9274"
},
{
"id": "CVE-2016-2052",
"summary": "Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6, as used in Google Chrome before 48.0.2564.82, allow attackers to cause a denial of service or possibly have other impact via crafted data, as demonstrated by a buffer over-read resulting from an inverted length check in hb-ot-font.cc, a different issue than CVE-2015-8947.",
"scorev2": "6.8",
"scorev3": "7.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2052"
},
{
"id": "CVE-2021-45931",
"summary": "HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t::set and hb_set_copy).",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45931"
},
{
"id": "CVE-2022-33068",
"summary": "An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33068"
},
{
"id": "CVE-2023-25193",
"summary": "hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25193"
}
]
},
{
"name": "harfbuzz-native",
"layer": "meta",
"version": "8.3.0",
"products": [
{
"product": "harfbuzz",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-8947",
"summary": "hb-ot-layout-gpos-table.hh in HarfBuzz before 1.0.5 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data, a different vulnerability than CVE-2016-2052.",
"scorev2": "7.5",
"scorev3": "7.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8947"
},
{
"id": "CVE-2015-9274",
"summary": "HarfBuzz before 1.0.4 allows remote attackers to cause a denial of service (invalid read of two bytes and application crash) because of GPOS and GSUB table mishandling, related to hb-ot-layout-gpos-table.hh, hb-ot-layout-gsub-table.hh, and hb-ot-layout-gsubgpos-private.hh.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9274"
},
{
"id": "CVE-2016-2052",
"summary": "Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6, as used in Google Chrome before 48.0.2564.82, allow attackers to cause a denial of service or possibly have other impact via crafted data, as demonstrated by a buffer over-read resulting from an inverted length check in hb-ot-font.cc, a different issue than CVE-2015-8947.",
"scorev2": "6.8",
"scorev3": "7.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2052"
},
{
"id": "CVE-2021-45931",
"summary": "HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t::set and hb_set_copy).",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45931"
},
{
"id": "CVE-2022-33068",
"summary": "An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33068"
},
{
"id": "CVE-2023-25193",
"summary": "hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25193"
}
]
},
{
"name": "help2man-native",
"layer": "meta",
"version": "1.49.3",
"products": [
{
"product": "help2man",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "hicolor-icon-theme-native",
"layer": "meta",
"version": "0.17",
"products": [
{
"product": "hicolor-icon-theme",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "homescreen",
"layer": "meta-agl-demo",
"version": "1.0+git",
"products": [
{
"product": "homescreen",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "hts-engine",
"layer": "meta-agl-demo",
"version": "1.10",
"products": [
{
"product": "hts-engine",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "hts-engine-native",
"layer": "meta-agl-demo",
"version": "1.10",
"products": [
{
"product": "hts-engine",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "hvac",
"layer": "meta-agl-demo",
"version": "2.0+git",
"products": [
{
"product": "hvac",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "icu",
"layer": "meta",
"version": "74-2",
"products": [
{
"product": "international_components_for_unicode",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-4770",
"summary": "libicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts to process backreferences to the nonexistent capture group zero (aka \\0), which might allow context-dependent attackers to read from, or write to, out-of-bounds memory locations, related to corruption of REStackFrames.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4770"
},
{
"id": "CVE-2007-4771",
"summary": "Heap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack. NOTE: some of these details are obtained from third party information.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4771"
},
{
"id": "CVE-2011-4599",
"summary": "Stack-based buffer overflow in the _canonicalize function in common/uloc.c in International Components for Unicode (ICU) before 49.1 allows remote attackers to execute arbitrary code via a crafted locale ID that is not properly handled during variant canonicalization.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4599"
},
{
"id": "CVE-2014-7923",
"summary": "The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a look-behind expression.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7923"
},
{
"id": "CVE-2014-7926",
"summary": "The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a zero-length quantifier.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7926"
},
{
"id": "CVE-2014-7940",
"summary": "The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7940"
},
{
"id": "CVE-2014-8146",
"summary": "The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8146"
},
{
"id": "CVE-2014-8147",
"summary": "The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8147"
},
{
"id": "CVE-2014-9654",
"summary": "The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring that they can be represented in a 24-bit field, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted string, a related issue to CVE-2014-7923.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9654"
},
{
"id": "CVE-2014-9911",
"summary": "Stack-based buffer overflow in the ures_getByKeyWithFallback function in common/uresbund.cpp in International Components for Unicode (ICU) before 54.1 for C/C++ allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted uloc_getDisplayName call.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9911"
},
{
"id": "CVE-2015-5922",
"summary": "Unspecified vulnerability in International Components for Unicode (ICU) before 53.1.0, as used in Apple OS X before 10.11 and watchOS before 2, has unknown impact and attack vectors.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5922"
},
{
"id": "CVE-2016-6293",
"summary": "The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6293"
},
{
"id": "CVE-2016-7415",
"summary": "Stack-based buffer overflow in the Locale class in common/locid.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long locale string.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7415"
},
{
"id": "CVE-2017-14952",
"summary": "Double free in i18n/zonemeta.cpp in International Components for Unicode (ICU) for C/C++ through 59.1 allows remote attackers to execute arbitrary code via a crafted string, aka a \"redundant UVector entry clean up function call\" issue.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14952"
},
{
"id": "CVE-2017-15396",
"summary": "A stack buffer overflow in NumberingSystem in International Components for Unicode (ICU) for C/C++ before 60.2, as used in V8 in Google Chrome prior to 62.0.3202.75 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15396"
},
{
"id": "CVE-2017-15422",
"summary": "Integer overflow in international date handling in International Components for Unicode (ICU) for C/C++ before 60.1, as used in V8 in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15422"
},
{
"id": "CVE-2017-17484",
"summary": "The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17484"
},
{
"id": "CVE-2017-7867",
"summary": "International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7867"
},
{
"id": "CVE-2017-7868",
"summary": "International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7868"
},
{
"id": "CVE-2018-18928",
"summary": "International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18928"
},
{
"id": "CVE-2020-10531",
"summary": "An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10531"
},
{
"id": "CVE-2020-21913",
"summary": "International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-21913"
}
]
},
{
"name": "icu-native",
"layer": "meta",
"version": "74-2",
"products": [
{
"product": "international_components_for_unicode",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-4770",
"summary": "libicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts to process backreferences to the nonexistent capture group zero (aka \\0), which might allow context-dependent attackers to read from, or write to, out-of-bounds memory locations, related to corruption of REStackFrames.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4770"
},
{
"id": "CVE-2007-4771",
"summary": "Heap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack. NOTE: some of these details are obtained from third party information.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4771"
},
{
"id": "CVE-2011-4599",
"summary": "Stack-based buffer overflow in the _canonicalize function in common/uloc.c in International Components for Unicode (ICU) before 49.1 allows remote attackers to execute arbitrary code via a crafted locale ID that is not properly handled during variant canonicalization.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4599"
},
{
"id": "CVE-2014-7923",
"summary": "The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a look-behind expression.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7923"
},
{
"id": "CVE-2014-7926",
"summary": "The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a zero-length quantifier.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7926"
},
{
"id": "CVE-2014-7940",
"summary": "The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7940"
},
{
"id": "CVE-2014-8146",
"summary": "The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8146"
},
{
"id": "CVE-2014-8147",
"summary": "The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8147"
},
{
"id": "CVE-2014-9654",
"summary": "The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring that they can be represented in a 24-bit field, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted string, a related issue to CVE-2014-7923.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9654"
},
{
"id": "CVE-2014-9911",
"summary": "Stack-based buffer overflow in the ures_getByKeyWithFallback function in common/uresbund.cpp in International Components for Unicode (ICU) before 54.1 for C/C++ allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted uloc_getDisplayName call.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9911"
},
{
"id": "CVE-2015-5922",
"summary": "Unspecified vulnerability in International Components for Unicode (ICU) before 53.1.0, as used in Apple OS X before 10.11 and watchOS before 2, has unknown impact and attack vectors.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5922"
},
{
"id": "CVE-2016-6293",
"summary": "The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6293"
},
{
"id": "CVE-2016-7415",
"summary": "Stack-based buffer overflow in the Locale class in common/locid.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long locale string.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7415"
},
{
"id": "CVE-2017-14952",
"summary": "Double free in i18n/zonemeta.cpp in International Components for Unicode (ICU) for C/C++ through 59.1 allows remote attackers to execute arbitrary code via a crafted string, aka a \"redundant UVector entry clean up function call\" issue.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14952"
},
{
"id": "CVE-2017-15396",
"summary": "A stack buffer overflow in NumberingSystem in International Components for Unicode (ICU) for C/C++ before 60.2, as used in V8 in Google Chrome prior to 62.0.3202.75 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15396"
},
{
"id": "CVE-2017-15422",
"summary": "Integer overflow in international date handling in International Components for Unicode (ICU) for C/C++ before 60.1, as used in V8 in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15422"
},
{
"id": "CVE-2017-17484",
"summary": "The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17484"
},
{
"id": "CVE-2017-7867",
"summary": "International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7867"
},
{
"id": "CVE-2017-7868",
"summary": "International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7868"
},
{
"id": "CVE-2018-18928",
"summary": "International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18928"
},
{
"id": "CVE-2020-10531",
"summary": "An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10531"
},
{
"id": "CVE-2020-21913",
"summary": "International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-21913"
}
]
},
{
"name": "iniparser",
"layer": "meta-oe",
"version": "4.1+git",
"products": [
{
"product": "iniparser",
"cvesInRecord": "No"
}
],
"issue": [
{
"id": "CVE-2023-33461",
"summary": "iniparser v4.1 is vulnerable to NULL Pointer Dereference in function iniparser_getlongint which misses check NULL for function iniparser_getstring's return.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33461"
}
]
},
{
"name": "init-system-helpers",
"layer": "meta",
"version": "1.66",
"products": [
{
"product": "init-system-helpers",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "initramfs-netboot",
"layer": "meta-netboot",
"version": "1.0",
"products": [
{
"product": "initramfs-netboot",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "initscripts",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "initscripts",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2008-3524",
"summary": "rc.sysinit in initscripts before 8.76.3-1 on Fedora 9 and other Linux platforms allows local users to delete arbitrary files via a symlink attack on a file or directory under (1) /var/lock or (2) /var/run.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3524"
},
{
"id": "CVE-2008-4832",
"summary": "rc.sysinit in initscripts 8.12-8.21 and 8.56.15-0.1 on rPath allows local users to delete arbitrary files via a symlink attack on a directory under (1) /var/lock or (2) /var/run. NOTE: this issue exists because of a race condition in an incorrect fix for CVE-2008-3524. NOTE: exploitation may require an unusual scenario in which rc.sysinit is executed other than at boot time.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4832"
}
]
},
{
"name": "intltool-native",
"layer": "meta",
"version": "0.51.0",
"products": [
{
"product": "intltool",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "iproute2",
"layer": "meta",
"version": "6.7.0",
"products": [
{
"product": "iproute2",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2012-1088",
"summary": "iproute2 before 3.3.0 allows local users to overwrite arbitrary files via a symlink attack on a temporary file used by (1) configure or (2) examples/dhcp-client-script.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1088"
},
{
"id": "CVE-2019-20795",
"summary": "iproute2 before 5.1.0 has a use-after-free in get_netnsid_from_name in ip/ipnetns.c. NOTE: security relevance may be limited to certain uses of setuid that, although not a default, are sometimes a configuration option offered to end users. Even when setuid is used, other factors (such as C library configuration) may block exploitability.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20795"
}
]
},
{
"name": "iptables",
"layer": "meta",
"version": "1.8.10",
"products": [
{
"product": "iptables",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2001-1387",
"summary": "iptables-save in iptables before 1.2.4 records the \"--reject-with icmp-host-prohibited\" rule as \"--reject-with tcp-reset,\" which causes iptables to generate different responses than specified by the administrator, possibly leading to an information leak.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1387"
},
{
"id": "CVE-2001-1388",
"summary": "iptables before 1.2.4 does not accurately convert rate limits that are specified on the command line, which could allow attackers or users to generate more or less traffic than intended by the administrator.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1388"
},
{
"id": "CVE-2012-2663",
"summary": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2663"
},
{
"id": "CVE-2019-11360",
"summary": "A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.",
"scorev2": "3.5",
"scorev3": "4.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11360"
}
]
},
{
"name": "iso-codes",
"layer": "meta",
"version": "4.16.0",
"products": [
{
"product": "iso-codes",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "itstool-native",
"layer": "meta",
"version": "2.0.7",
"products": [
{
"product": "itstool",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "iw",
"layer": "meta",
"version": "6.7",
"products": [
{
"product": "iw",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "json-c",
"layer": "meta",
"version": "0.17",
"products": [
{
"product": "json-c",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-6370",
"summary": "Buffer overflow in the printbuf APIs in json-c before 0.12 allows remote attackers to cause a denial of service via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6370"
},
{
"id": "CVE-2013-6371",
"summary": "The hash functionality in json-c before 0.12 allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted JSON data, involving collisions.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6371"
},
{
"id": "CVE-2020-12762",
"summary": "json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12762"
},
{
"id": "CVE-2021-32292",
"summary": "An issue was discovered in json-c from 20200420 (post 0.14 unreleased code) through 0.15-20200726. A stack-buffer-overflow exists in the auxiliary sample program json_parse which is located in the function parseit.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-32292"
}
]
},
{
"name": "json-c-native",
"layer": "meta",
"version": "0.17",
"products": [
{
"product": "json-c",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-6370",
"summary": "Buffer overflow in the printbuf APIs in json-c before 0.12 allows remote attackers to cause a denial of service via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6370"
},
{
"id": "CVE-2013-6371",
"summary": "The hash functionality in json-c before 0.12 allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted JSON data, involving collisions.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6371"
},
{
"id": "CVE-2020-12762",
"summary": "json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12762"
},
{
"id": "CVE-2021-32292",
"summary": "An issue was discovered in json-c from 20200420 (post 0.14 unreleased code) through 0.15-20200726. A stack-buffer-overflow exists in the auxiliary sample program json_parse which is located in the function parseit.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-32292"
}
]
},
{
"name": "json-glib",
"layer": "meta",
"version": "1.8.0",
"products": [
{
"product": "json-glib",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "kbd",
"layer": "meta",
"version": "2.6.4",
"products": [
{
"product": "kbd",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2011-0460",
"summary": "The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map.",
"scorev2": "6.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0460"
}
]
},
{
"name": "kern-tools-native",
"layer": "meta",
"version": "0.3+git",
"products": [
{
"product": "kern-tools",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "kernel-devsrc",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "kernel-devsrc",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "keyutils",
"layer": "meta-oe",
"version": "1.6.3",
"products": [
{
"product": "keyutils",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "kmod",
"layer": "meta",
"version": "31",
"products": [
{
"product": "kmod",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "kmod-native",
"layer": "meta",
"version": "31",
"products": [
{
"product": "kmod",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "kuksa-can-provider",
"layer": "meta-agl-kuksa-val",
"version": "0.4.3+git",
"products": [
{
"product": "kuksa-can-provider",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "kuksa-can-provider-conf-agl",
"layer": "meta-agl-demo",
"version": "1.0",
"products": [
{
"product": "kuksa-can-provider-conf-agl",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "kuksa-certificates-agl",
"layer": "meta-agl-demo",
"version": "1.0",
"products": [
{
"product": "kuksa-certificates-agl",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "kuksa-client",
"layer": "meta-agl-kuksa-val",
"version": "0.4.3",
"products": [
{
"product": "kuksa-client",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "kuksa-databroker",
"layer": "meta-agl-kuksa-val",
"version": "0.4.5+git",
"products": [
{
"product": "kuksa-databroker",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "kuksa-databroker-agl",
"layer": "meta-agl-demo",
"version": "1.0",
"products": [
{
"product": "kuksa-databroker-agl",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "lame",
"layer": "meta",
"version": "3.100",
"products": [
{
"product": "lame",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-9099",
"summary": "The lame_init_params function in lame.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file with a negative sample rate.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9099"
},
{
"id": "CVE-2015-9100",
"summary": "The fill_buffer_resample function in util.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted audio file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9100"
},
{
"id": "CVE-2015-9101",
"summary": "The fill_buffer_resample function in util.c in libmp3lame.a in LAME 3.98.4, 3.98.2, 3.98, 3.99, 3.99.1, 3.99.2, 3.99.3, 3.99.4 and 3.99.5 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9101"
},
{
"id": "CVE-2017-11720",
"summary": "There is a division-by-zero vulnerability in LAME 3.99.5, caused by a malformed input file.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11720"
},
{
"id": "CVE-2017-13712",
"summary": "NULL Pointer Dereference in the id3v2AddAudioDuration function in libmp3lame/id3tag.c in LAME 3.99.5 allows attackers to perform Denial of Service by triggering a NULL first argument.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13712"
},
{
"id": "CVE-2017-15018",
"summary": "LAME 3.99.5, 3.99.4, 3.99.3, 3.99.2, 3.99.1, 3.99, 3.98.4, 3.98.2 and 3.98 have a heap-based buffer over-read when handling a malformed file in k_34_4 in vbrquantize.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15018"
},
{
"id": "CVE-2017-15019",
"summary": "LAME 3.99.5 has a NULL Pointer Dereference in the hip_decode_init function within libmp3lame/mpglib_interface.c via a malformed mpg file, because of an incorrect calloc call.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15019"
},
{
"id": "CVE-2017-15045",
"summary": "LAME 3.99, 3.99.1, 3.99.2, 3.99.3, 3.99.4, 3.99.5, 3.98.4, 3.98.2 and 3.98 has a heap-based buffer over-read in fill_buffer in libmp3lame/util.c, related to lame_encode_buffer_sample_t in libmp3lame/lame.c, a different vulnerability than CVE-2017-9410.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15045"
},
{
"id": "CVE-2017-15046",
"summary": "LAME 3.99.5, 3.99.4, 3.98.4, 3.98.2, 3.98 and 3.97 have a stack-based buffer overflow in unpack_read_samples in frontend/get_audio.c, a different vulnerability than CVE-2017-9412.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15046"
},
{
"id": "CVE-2017-8419",
"summary": "LAME through 3.99.5 relies on the signed integer data type for values in a WAV or AIFF header, which allows remote attackers to cause a denial of service (stack-based buffer overflow or heap-based buffer overflow) or possibly have unspecified other impact via a crafted file, as demonstrated by mishandling of num_channels.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8419"
},
{
"id": "CVE-2017-9412",
"summary": "The unpack_read_samples function in frontend/get_audio.c in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted wav file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9412"
},
{
"id": "CVE-2017-9869",
"summary": "The II_step_one function in layer2.c in mpglib, as used in libmpgdecoder.a in LAME 3.99.5 and other products, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9869"
},
{
"id": "CVE-2017-9870",
"summary": "The III_i_stereo function in layer3.c in mpglib, as used in libmpgdecoder.a in LAME 3.99.5 and other products, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file that is mishandled in the code for the \"block_type == 2\" case, a similar issue to CVE-2017-11126.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9870"
},
{
"id": "CVE-2017-9871",
"summary": "The III_i_stereo function in layer3.c in mpglib, as used in libmpgdecoder.a in LAME 3.99.5 and other products, allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9871"
},
{
"id": "CVE-2017-9872",
"summary": "The III_dequantize_sample function in layer3.c in mpglib, as used in libmpgdecoder.a in LAME 3.99.5 and other products, allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9872"
}
]
},
{
"name": "launcher",
"layer": "meta-agl-demo",
"version": "1.0+git",
"products": [
{
"product": "launcher",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2018-17707",
"summary": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Epic Games Launcher versions prior to 8.2.2. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handler for the com.epicgames.launcher protocol. A crafted URI with the com.epicgames.launcher protocol can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-7241.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17707"
},
{
"id": "CVE-2019-7411",
"summary": "Multiple stored cross-site scripting (XSS) in the MyThemeShop Launcher plugin 1.0.8 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title, (2) Favicon, (3) Meta Description, (4) Subscribe Form (Name field label, Last name field label, Email field label), (5) Contact Form (Name field label and Email field label), and (6) Social Links (Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google+ Page URL, RSS URL).",
"scorev2": "3.5",
"scorev3": "5.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7411"
},
{
"id": "CVE-2021-36829",
"summary": "Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in MyThemeShop Launcher: Coming Soon & Maintenance Mode plugin <= 1.0.11 at WordPress.",
"scorev2": "0.0",
"scorev3": "4.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-36829"
},
{
"id": "CVE-2023-27650",
"summary": "An issue found in APUS Group Launcher v.3.10.73 and v.3.10.88 allows a remote attacker to execute arbitrary code via the FONT_FILE parameter.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-27650"
}
]
},
{
"name": "ldconfig-native",
"layer": "meta",
"version": "2.12.1",
"products": [
{
"product": "ldconfig",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "less",
"layer": "meta",
"version": "643",
"products": [
{
"product": "less",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-2264",
"summary": "Format string bug in the open_altfile function in filename.c for GNU less 382, 381, and 358 might allow local users to cause a denial of service or possibly execute arbitrary code via format strings in the LESSOPEN environment variable. NOTE: since less is not setuid or setgid, then this is not a vulnerability unless there are plausible scenarios under which privilege boundaries could be crossed",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2264"
},
{
"id": "CVE-2014-9488",
"summary": "The is_utf8_well_formed function in GNU less before 475 allows remote attackers to have unspecified impact via malformed UTF-8 characters, which triggers an out-of-bounds read.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9488"
},
{
"id": "CVE-2022-46663",
"summary": "In GNU Less before 609, crafted data can result in \"less -R\" not filtering ANSI escape sequences sent to the terminal.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-46663"
}
]
},
{
"name": "libaio",
"layer": "meta",
"version": "0.3.113",
"products": [
{
"product": "libaio",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libarchive",
"layer": "meta",
"version": "3.7.4",
"products": [
{
"product": "libarchive",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-3641",
"summary": "archive_read_support_format_tar.c in libarchive before 2.2.4 does not properly compute the length of a certain buffer when processing a malformed pax extension header, which allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted (1) PAX or (2) TAR archive that triggers a buffer overflow.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3641"
},
{
"id": "CVE-2007-3644",
"summary": "archive_read_support_format_tar.c in libarchive before 2.2.4 allows user-assisted remote attackers to cause a denial of service (infinite loop) via (1) an end-of-file condition within a pax extension header or (2) a malformed pax extension header in an (a) PAX or a (b) TAR archive.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3644"
},
{
"id": "CVE-2007-3645",
"summary": "archive_read_support_format_tar.c in libarchive before 2.2.4 allows user-assisted remote attackers to cause a denial of service (crash) via (1) an end-of-file condition within a tar header that follows a pax extension header or (2) a malformed pax extension header in an (a) PAX or a (b) TAR archive, which results in a NULL pointer dereference, a different issue than CVE-2007-3644.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3645"
},
{
"id": "CVE-2010-4666",
"summary": "Buffer overflow in libarchive 3.0 pre-release code allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted CAB file, which is not properly handled during the reading of Huffman code data within LZX compressed data.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4666"
},
{
"id": "CVE-2011-1777",
"summary": "Multiple buffer overflows in the (1) heap_add_entry and (2) relocate_dir functions in archive_read_support_format_iso9660.c in libarchive through 2.8.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted ISO9660 image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1777"
},
{
"id": "CVE-2011-1778",
"summary": "Buffer overflow in libarchive through 2.8.5 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TAR archive.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1778"
},
{
"id": "CVE-2011-1779",
"summary": "Multiple use-after-free vulnerabilities in libarchive 2.8.4 and 2.8.5 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted (1) TAR archive or (2) ISO9660 image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1779"
},
{
"id": "CVE-2013-0211",
"summary": "Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0211"
},
{
"id": "CVE-2015-2304",
"summary": "Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2304"
},
{
"id": "CVE-2015-8915",
"summary": "bsdcpio in libarchive before 3.2.0 allows remote attackers to cause a denial of service (invalid read and crash) via crafted cpio file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8915"
},
{
"id": "CVE-2015-8916",
"summary": "bsdtar in libarchive before 3.2.0 returns a success code without filling the entry when the header is a \"split file in multivolume RAR,\" which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted rar file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8916"
},
{
"id": "CVE-2015-8917",
"summary": "bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an invalid character in the name of a cab file.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8917"
},
{
"id": "CVE-2015-8918",
"summary": "The archive_string_append function in archive_string.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted cab files, related to \"overlapping memcpy.\"",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8918"
},
{
"id": "CVE-2015-8919",
"summary": "The lha_read_file_extended_header function in archive_read_support_format_lha.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds heap) via a crafted (1) lzh or (2) lha file.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8919"
},
{
"id": "CVE-2015-8920",
"summary": "The _ar_read_header function in archive_read_support_format_ar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds stack read) via a crafted ar file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8920"
},
{
"id": "CVE-2015-8921",
"summary": "The ae_strtofflags function in archive_entry.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8921"
},
{
"id": "CVE-2015-8922",
"summary": "The read_CodersInfo function in archive_read_support_format_7zip.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted 7z file, related to the _7z_folder struct.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8922"
},
{
"id": "CVE-2015-8923",
"summary": "The process_extra function in libarchive before 3.2.0 uses the size field and a signed number in an offset, which allows remote attackers to cause a denial of service (crash) via a crafted zip file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8923"
},
{
"id": "CVE-2015-8924",
"summary": "The archive_read_format_tar_read_header function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tar file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8924"
},
{
"id": "CVE-2015-8925",
"summary": "The readline function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (invalid read) via a crafted mtree file, related to newline parsing.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8925"
},
{
"id": "CVE-2015-8926",
"summary": "The archive_read_format_rar_read_data function in archive_read_support_format_rar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted rar archive.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8926"
},
{
"id": "CVE-2015-8927",
"summary": "The trad_enc_decrypt_update function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds heap read and crash) via a crafted zip file, related to reading the password.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8927"
},
{
"id": "CVE-2015-8928",
"summary": "The process_add_entry function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8928"
},
{
"id": "CVE-2015-8929",
"summary": "Memory leak in the __archive_read_get_extract function in archive_read_extract2.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service via a tar file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8929"
},
{
"id": "CVE-2015-8930",
"summary": "bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (infinite loop) via an ISO with a directory that is a member of itself.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8930"
},
{
"id": "CVE-2015-8931",
"summary": "Multiple integer overflows in the (1) get_time_t_max and (2) get_time_t_min functions in archive_read_support_format_mtree.c in libarchive before 3.2.0 allow remote attackers to have unspecified impact via a crafted mtree file, which triggers undefined behavior.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8931"
},
{
"id": "CVE-2015-8932",
"summary": "The compress_bidder_init function in archive_read_support_filter_compress.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file, which triggers an invalid left shift.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8932"
},
{
"id": "CVE-2015-8933",
"summary": "Integer overflow in the archive_read_format_tar_skip function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8933"
},
{
"id": "CVE-2015-8934",
"summary": "The copy_from_lzss_window function in archive_read_support_format_rar.c in libarchive 3.2.0 and earlier allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted rar file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8934"
},
{
"id": "CVE-2016-10209",
"summary": "The archive_wstring_append_from_mbs function in archive_string.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10209"
},
{
"id": "CVE-2016-10349",
"summary": "The archive_le32dec function in archive_endian.h in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10349"
},
{
"id": "CVE-2016-10350",
"summary": "The archive_read_format_cab_read_header function in archive_read_support_format_cab.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10350"
},
{
"id": "CVE-2016-1541",
"summary": "Heap-based buffer overflow in the zip_read_mac_metadata function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to execute arbitrary code via crafted entry-size values in a ZIP archive.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1541"
},
{
"id": "CVE-2016-4300",
"summary": "Integer overflow in the read_SubStreamsInfo function in archive_read_support_format_7zip.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a 7zip file with a large number of substreams, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4300"
},
{
"id": "CVE-2016-4301",
"summary": "Stack-based buffer overflow in the parse_device function in archive_read_support_format_mtree.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a crafted mtree file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4301"
},
{
"id": "CVE-2016-4302",
"summary": "Heap-based buffer overflow in the parse_codes function in archive_read_support_format_rar.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a RAR file with a zero-sized dictionary.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4302"
},
{
"id": "CVE-2016-4809",
"summary": "The archive_read_format_cpio_read_header function in archive_read_support_format_cpio.c in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a CPIO archive with a large symlink.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4809"
},
{
"id": "CVE-2016-5418",
"summary": "The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5418"
},
{
"id": "CVE-2016-5844",
"summary": "Integer overflow in the ISO parser in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a crafted ISO file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5844"
},
{
"id": "CVE-2016-6250",
"summary": "Integer overflow in the ISO9660 writer in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors related to verifying filename lengths when writing an ISO9660 archive, which trigger a buffer overflow.",
"scorev2": "7.5",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6250"
},
{
"id": "CVE-2016-7166",
"summary": "libarchive before 3.2.0 does not limit the number of recursive decompressions, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted gzip file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7166"
},
{
"id": "CVE-2016-8687",
"summary": "Stack-based buffer overflow in the safe_fprintf function in tar/util.c in libarchive 3.2.1 allows remote attackers to cause a denial of service via a crafted non-printable multibyte character in a filename.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8687"
},
{
"id": "CVE-2016-8688",
"summary": "The mtree bidder in libarchive 3.2.1 does not keep track of line sizes when extending the read-ahead, which allows remote attackers to cause a denial of service (crash) via a crafted file, which triggers an invalid read in the (1) detect_form or (2) bid_entry function in libarchive/archive_read_support_format_mtree.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8688"
},
{
"id": "CVE-2016-8689",
"summary": "The read_Header function in archive_read_support_format_7zip.c in libarchive 3.2.1 allows remote attackers to cause a denial of service (out-of-bounds read) via multiple EmptyStream attributes in a header in a 7zip archive.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8689"
},
{
"id": "CVE-2017-14166",
"summary": "libarchive 3.3.2 allows remote attackers to cause a denial of service (xml_data heap-based buffer over-read and application crash) via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archive_read_support_format_xar.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14166"
},
{
"id": "CVE-2017-14501",
"summary": "An out-of-bounds read flaw exists in parse_file_info in archive_read_support_format_iso9660.c in libarchive 3.3.2 when extracting a specially crafted iso9660 iso file, related to archive_read_format_iso9660_read_header.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14501"
},
{
"id": "CVE-2017-14502",
"summary": "read_header in archive_read_support_format_rar.c in libarchive 3.3.2 suffers from an off-by-one error for UTF-16 names in RAR archives, leading to an out-of-bounds read in archive_read_format_rar_read_header.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14502"
},
{
"id": "CVE-2017-14503",
"summary": "libarchive 3.3.2 suffers from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially crafted lha archive, related to lha_crc16.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14503"
},
{
"id": "CVE-2017-5601",
"summary": "An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5601"
},
{
"id": "CVE-2018-1000877",
"summary": "libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-415: Double Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c, parse_codes(), realloc(rar->lzss.window, new_size) with new_size = 0 that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted RAR archive.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000877"
},
{
"id": "CVE-2018-1000878",
"summary": "libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-416: Use After Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c that can result in Crash/DoS - it is unknown if RCE is possible. This attack appear to be exploitable via the victim must open a specially crafted RAR archive.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000878"
},
{
"id": "CVE-2018-1000879",
"summary": "libarchive version commit 379867ecb330b3a952fb7bfa7bffb7bbd5547205 onwards (release v3.3.0 onwards) contains a CWE-476: NULL Pointer Dereference vulnerability in ACL parser - libarchive/archive_acl.c, archive_acl_from_text_l() that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted archive file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000879"
},
{
"id": "CVE-2018-1000880",
"summary": "libarchive version commit 9693801580c0cf7c70e862d305270a16b52826a7 onwards (release v3.2.0 onwards) contains a CWE-20: Improper Input Validation vulnerability in WARC parser - libarchive/archive_read_support_format_warc.c, _warc_read() that can result in DoS - quasi-infinite run time and disk usage from tiny file. This attack appear to be exploitable via the victim must open a specially crafted WARC file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000880"
},
{
"id": "CVE-2019-1000019",
"summary": "libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards (release v3.0.2 onwards) contains a CWE-125: Out-of-bounds Read vulnerability in 7zip decompression, archive_read_support_format_7zip.c, header_bytes() that can result in a crash (denial of service). This attack appears to be exploitable via the victim opening a specially crafted 7zip file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1000019"
},
{
"id": "CVE-2019-1000020",
"summary": "libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attack appears to be exploitable via the victim opening a specially crafted ISO9660 file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1000020"
},
{
"id": "CVE-2019-11463",
"summary": "A memory leak in archive_read_format_zip_cleanup in archive_read_support_format_zip.c in libarchive 3.3.4-dev allows remote attackers to cause a denial of service via a crafted ZIP file because of a HAVE_LZMA_H typo. NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11463"
},
{
"id": "CVE-2019-18408",
"summary": "archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after-free in a certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18408"
},
{
"id": "CVE-2019-19221",
"summary": "In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. For example, bsdtar crashes via a crafted archive.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19221"
},
{
"id": "CVE-2020-21674",
"summary": "Heap-based buffer overflow in archive_string_append_from_wcs() (archive_string.c) in libarchive-3.4.1dev allows remote attackers to cause a denial of service (out-of-bounds write in heap memory resulting into a crash) via a crafted archive file. NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-21674"
},
{
"id": "CVE-2020-9308",
"summary": "archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header (such as a header size of zero), leading to a SIGSEGV or possibly unspecified other impact.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-9308"
},
{
"id": "CVE-2021-23177",
"summary": "An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to change the ACL of a file on the system and gain more privileges.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23177"
},
{
"id": "CVE-2021-31566",
"summary": "An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-31566"
},
{
"id": "CVE-2021-36976",
"summary": "libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-36976"
},
{
"id": "CVE-2022-26280",
"summary": "Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init.",
"scorev2": "5.8",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26280"
},
{
"id": "CVE-2022-36227",
"summary": "In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: \"In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.\"",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-36227"
},
{
"id": "CVE-2023-30571",
"summary": "Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-30571",
"detail": "upstream-wontfix",
"description": "upstream has documented that reported function is not thread-safe"
}
]
},
{
"name": "libarchive-native",
"layer": "meta",
"version": "3.7.4",
"products": [
{
"product": "libarchive",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-3641",
"summary": "archive_read_support_format_tar.c in libarchive before 2.2.4 does not properly compute the length of a certain buffer when processing a malformed pax extension header, which allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted (1) PAX or (2) TAR archive that triggers a buffer overflow.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3641"
},
{
"id": "CVE-2007-3644",
"summary": "archive_read_support_format_tar.c in libarchive before 2.2.4 allows user-assisted remote attackers to cause a denial of service (infinite loop) via (1) an end-of-file condition within a pax extension header or (2) a malformed pax extension header in an (a) PAX or a (b) TAR archive.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3644"
},
{
"id": "CVE-2007-3645",
"summary": "archive_read_support_format_tar.c in libarchive before 2.2.4 allows user-assisted remote attackers to cause a denial of service (crash) via (1) an end-of-file condition within a tar header that follows a pax extension header or (2) a malformed pax extension header in an (a) PAX or a (b) TAR archive, which results in a NULL pointer dereference, a different issue than CVE-2007-3644.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3645"
},
{
"id": "CVE-2010-4666",
"summary": "Buffer overflow in libarchive 3.0 pre-release code allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted CAB file, which is not properly handled during the reading of Huffman code data within LZX compressed data.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4666"
},
{
"id": "CVE-2011-1777",
"summary": "Multiple buffer overflows in the (1) heap_add_entry and (2) relocate_dir functions in archive_read_support_format_iso9660.c in libarchive through 2.8.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted ISO9660 image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1777"
},
{
"id": "CVE-2011-1778",
"summary": "Buffer overflow in libarchive through 2.8.5 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TAR archive.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1778"
},
{
"id": "CVE-2011-1779",
"summary": "Multiple use-after-free vulnerabilities in libarchive 2.8.4 and 2.8.5 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted (1) TAR archive or (2) ISO9660 image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1779"
},
{
"id": "CVE-2013-0211",
"summary": "Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0211"
},
{
"id": "CVE-2015-2304",
"summary": "Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2304"
},
{
"id": "CVE-2015-8915",
"summary": "bsdcpio in libarchive before 3.2.0 allows remote attackers to cause a denial of service (invalid read and crash) via crafted cpio file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8915"
},
{
"id": "CVE-2015-8916",
"summary": "bsdtar in libarchive before 3.2.0 returns a success code without filling the entry when the header is a \"split file in multivolume RAR,\" which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted rar file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8916"
},
{
"id": "CVE-2015-8917",
"summary": "bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an invalid character in the name of a cab file.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8917"
},
{
"id": "CVE-2015-8918",
"summary": "The archive_string_append function in archive_string.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted cab files, related to \"overlapping memcpy.\"",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8918"
},
{
"id": "CVE-2015-8919",
"summary": "The lha_read_file_extended_header function in archive_read_support_format_lha.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds heap) via a crafted (1) lzh or (2) lha file.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8919"
},
{
"id": "CVE-2015-8920",
"summary": "The _ar_read_header function in archive_read_support_format_ar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds stack read) via a crafted ar file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8920"
},
{
"id": "CVE-2015-8921",
"summary": "The ae_strtofflags function in archive_entry.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8921"
},
{
"id": "CVE-2015-8922",
"summary": "The read_CodersInfo function in archive_read_support_format_7zip.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted 7z file, related to the _7z_folder struct.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8922"
},
{
"id": "CVE-2015-8923",
"summary": "The process_extra function in libarchive before 3.2.0 uses the size field and a signed number in an offset, which allows remote attackers to cause a denial of service (crash) via a crafted zip file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8923"
},
{
"id": "CVE-2015-8924",
"summary": "The archive_read_format_tar_read_header function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tar file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8924"
},
{
"id": "CVE-2015-8925",
"summary": "The readline function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (invalid read) via a crafted mtree file, related to newline parsing.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8925"
},
{
"id": "CVE-2015-8926",
"summary": "The archive_read_format_rar_read_data function in archive_read_support_format_rar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted rar archive.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8926"
},
{
"id": "CVE-2015-8927",
"summary": "The trad_enc_decrypt_update function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds heap read and crash) via a crafted zip file, related to reading the password.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8927"
},
{
"id": "CVE-2015-8928",
"summary": "The process_add_entry function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8928"
},
{
"id": "CVE-2015-8929",
"summary": "Memory leak in the __archive_read_get_extract function in archive_read_extract2.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service via a tar file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8929"
},
{
"id": "CVE-2015-8930",
"summary": "bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (infinite loop) via an ISO with a directory that is a member of itself.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8930"
},
{
"id": "CVE-2015-8931",
"summary": "Multiple integer overflows in the (1) get_time_t_max and (2) get_time_t_min functions in archive_read_support_format_mtree.c in libarchive before 3.2.0 allow remote attackers to have unspecified impact via a crafted mtree file, which triggers undefined behavior.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8931"
},
{
"id": "CVE-2015-8932",
"summary": "The compress_bidder_init function in archive_read_support_filter_compress.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file, which triggers an invalid left shift.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8932"
},
{
"id": "CVE-2015-8933",
"summary": "Integer overflow in the archive_read_format_tar_skip function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8933"
},
{
"id": "CVE-2015-8934",
"summary": "The copy_from_lzss_window function in archive_read_support_format_rar.c in libarchive 3.2.0 and earlier allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted rar file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8934"
},
{
"id": "CVE-2016-10209",
"summary": "The archive_wstring_append_from_mbs function in archive_string.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10209"
},
{
"id": "CVE-2016-10349",
"summary": "The archive_le32dec function in archive_endian.h in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10349"
},
{
"id": "CVE-2016-10350",
"summary": "The archive_read_format_cab_read_header function in archive_read_support_format_cab.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10350"
},
{
"id": "CVE-2016-1541",
"summary": "Heap-based buffer overflow in the zip_read_mac_metadata function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to execute arbitrary code via crafted entry-size values in a ZIP archive.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1541"
},
{
"id": "CVE-2016-4300",
"summary": "Integer overflow in the read_SubStreamsInfo function in archive_read_support_format_7zip.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a 7zip file with a large number of substreams, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4300"
},
{
"id": "CVE-2016-4301",
"summary": "Stack-based buffer overflow in the parse_device function in archive_read_support_format_mtree.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a crafted mtree file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4301"
},
{
"id": "CVE-2016-4302",
"summary": "Heap-based buffer overflow in the parse_codes function in archive_read_support_format_rar.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a RAR file with a zero-sized dictionary.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4302"
},
{
"id": "CVE-2016-4809",
"summary": "The archive_read_format_cpio_read_header function in archive_read_support_format_cpio.c in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a CPIO archive with a large symlink.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4809"
},
{
"id": "CVE-2016-5418",
"summary": "The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5418"
},
{
"id": "CVE-2016-5844",
"summary": "Integer overflow in the ISO parser in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a crafted ISO file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5844"
},
{
"id": "CVE-2016-6250",
"summary": "Integer overflow in the ISO9660 writer in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors related to verifying filename lengths when writing an ISO9660 archive, which trigger a buffer overflow.",
"scorev2": "7.5",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6250"
},
{
"id": "CVE-2016-7166",
"summary": "libarchive before 3.2.0 does not limit the number of recursive decompressions, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted gzip file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7166"
},
{
"id": "CVE-2016-8687",
"summary": "Stack-based buffer overflow in the safe_fprintf function in tar/util.c in libarchive 3.2.1 allows remote attackers to cause a denial of service via a crafted non-printable multibyte character in a filename.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8687"
},
{
"id": "CVE-2016-8688",
"summary": "The mtree bidder in libarchive 3.2.1 does not keep track of line sizes when extending the read-ahead, which allows remote attackers to cause a denial of service (crash) via a crafted file, which triggers an invalid read in the (1) detect_form or (2) bid_entry function in libarchive/archive_read_support_format_mtree.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8688"
},
{
"id": "CVE-2016-8689",
"summary": "The read_Header function in archive_read_support_format_7zip.c in libarchive 3.2.1 allows remote attackers to cause a denial of service (out-of-bounds read) via multiple EmptyStream attributes in a header in a 7zip archive.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8689"
},
{
"id": "CVE-2017-14166",
"summary": "libarchive 3.3.2 allows remote attackers to cause a denial of service (xml_data heap-based buffer over-read and application crash) via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archive_read_support_format_xar.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14166"
},
{
"id": "CVE-2017-14501",
"summary": "An out-of-bounds read flaw exists in parse_file_info in archive_read_support_format_iso9660.c in libarchive 3.3.2 when extracting a specially crafted iso9660 iso file, related to archive_read_format_iso9660_read_header.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14501"
},
{
"id": "CVE-2017-14502",
"summary": "read_header in archive_read_support_format_rar.c in libarchive 3.3.2 suffers from an off-by-one error for UTF-16 names in RAR archives, leading to an out-of-bounds read in archive_read_format_rar_read_header.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14502"
},
{
"id": "CVE-2017-14503",
"summary": "libarchive 3.3.2 suffers from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially crafted lha archive, related to lha_crc16.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14503"
},
{
"id": "CVE-2017-5601",
"summary": "An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5601"
},
{
"id": "CVE-2018-1000877",
"summary": "libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-415: Double Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c, parse_codes(), realloc(rar->lzss.window, new_size) with new_size = 0 that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted RAR archive.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000877"
},
{
"id": "CVE-2018-1000878",
"summary": "libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-416: Use After Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c that can result in Crash/DoS - it is unknown if RCE is possible. This attack appear to be exploitable via the victim must open a specially crafted RAR archive.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000878"
},
{
"id": "CVE-2018-1000879",
"summary": "libarchive version commit 379867ecb330b3a952fb7bfa7bffb7bbd5547205 onwards (release v3.3.0 onwards) contains a CWE-476: NULL Pointer Dereference vulnerability in ACL parser - libarchive/archive_acl.c, archive_acl_from_text_l() that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted archive file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000879"
},
{
"id": "CVE-2018-1000880",
"summary": "libarchive version commit 9693801580c0cf7c70e862d305270a16b52826a7 onwards (release v3.2.0 onwards) contains a CWE-20: Improper Input Validation vulnerability in WARC parser - libarchive/archive_read_support_format_warc.c, _warc_read() that can result in DoS - quasi-infinite run time and disk usage from tiny file. This attack appear to be exploitable via the victim must open a specially crafted WARC file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000880"
},
{
"id": "CVE-2019-1000019",
"summary": "libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards (release v3.0.2 onwards) contains a CWE-125: Out-of-bounds Read vulnerability in 7zip decompression, archive_read_support_format_7zip.c, header_bytes() that can result in a crash (denial of service). This attack appears to be exploitable via the victim opening a specially crafted 7zip file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1000019"
},
{
"id": "CVE-2019-1000020",
"summary": "libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attack appears to be exploitable via the victim opening a specially crafted ISO9660 file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1000020"
},
{
"id": "CVE-2019-11463",
"summary": "A memory leak in archive_read_format_zip_cleanup in archive_read_support_format_zip.c in libarchive 3.3.4-dev allows remote attackers to cause a denial of service via a crafted ZIP file because of a HAVE_LZMA_H typo. NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11463"
},
{
"id": "CVE-2019-18408",
"summary": "archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after-free in a certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18408"
},
{
"id": "CVE-2019-19221",
"summary": "In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. For example, bsdtar crashes via a crafted archive.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19221"
},
{
"id": "CVE-2020-21674",
"summary": "Heap-based buffer overflow in archive_string_append_from_wcs() (archive_string.c) in libarchive-3.4.1dev allows remote attackers to cause a denial of service (out-of-bounds write in heap memory resulting into a crash) via a crafted archive file. NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-21674"
},
{
"id": "CVE-2020-9308",
"summary": "archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header (such as a header size of zero), leading to a SIGSEGV or possibly unspecified other impact.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-9308"
},
{
"id": "CVE-2021-23177",
"summary": "An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to change the ACL of a file on the system and gain more privileges.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23177"
},
{
"id": "CVE-2021-31566",
"summary": "An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-31566"
},
{
"id": "CVE-2021-36976",
"summary": "libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-36976"
},
{
"id": "CVE-2022-26280",
"summary": "Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init.",
"scorev2": "5.8",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26280"
},
{
"id": "CVE-2022-36227",
"summary": "In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: \"In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.\"",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-36227"
},
{
"id": "CVE-2023-30571",
"summary": "Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-30571",
"detail": "upstream-wontfix",
"description": "upstream has documented that reported function is not thread-safe"
}
]
},
{
"name": "libassuan",
"layer": "meta",
"version": "2.5.6",
"products": [
{
"product": "libassuan",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libassuan-native",
"layer": "meta",
"version": "2.5.6",
"products": [
{
"product": "libassuan",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libatasmart",
"layer": "meta-oe",
"version": "0.19",
"products": [
{
"product": "libatasmart",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libatomic-ops",
"layer": "meta",
"version": "7.8.2",
"products": [
{
"product": "libatomic-ops",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libblockdev",
"layer": "meta-oe",
"version": "3.1.1",
"products": [
{
"product": "libblockdev",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libbsd-native",
"layer": "meta",
"version": "0.12.1",
"products": [
{
"product": "libbsd",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2016-2090",
"summary": "Off-by-one vulnerability in the fgetwln function in libbsd before 0.8.2 allows attackers to have unspecified impact via unknown vectors, which trigger a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2090"
},
{
"id": "CVE-2019-20367",
"summary": "nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the string table (strtab).",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20367"
}
]
},
{
"name": "libbytesize",
"layer": "meta-oe",
"version": "2.10",
"products": [
{
"product": "libbytesize",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libcap",
"layer": "meta",
"version": "2.69",
"products": [
{
"product": "libcap",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2011-4099",
"summary": "The capsh program in libcap before 2.22 does not change the current working directory when the --chroot option is specified, which allows local users to bypass the chroot restrictions via unspecified vectors.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4099"
},
{
"id": "CVE-2023-2602",
"summary": "A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to use cause __real_pthread_create() to return an error, which can exhaust the process memory.",
"scorev2": "0.0",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2602"
},
{
"id": "CVE-2023-2603",
"summary": "A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2603"
}
]
},
{
"name": "libcap-native",
"layer": "meta",
"version": "2.69",
"products": [
{
"product": "libcap",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2011-4099",
"summary": "The capsh program in libcap before 2.22 does not change the current working directory when the --chroot option is specified, which allows local users to bypass the chroot restrictions via unspecified vectors.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4099"
},
{
"id": "CVE-2023-2602",
"summary": "A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to use cause __real_pthread_create() to return an error, which can exhaust the process memory.",
"scorev2": "0.0",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2602"
},
{
"id": "CVE-2023-2603",
"summary": "A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2603"
}
]
},
{
"name": "libcap-ng",
"layer": "meta",
"version": "0.8.4",
"products": [
{
"product": "libcap-ng",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libcap-ng-native",
"layer": "meta",
"version": "0.8.4",
"products": [
{
"product": "libcap-ng",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libcheck",
"layer": "meta",
"version": "0.15.2",
"products": [
{
"product": "libcheck",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libcheck-native",
"layer": "meta",
"version": "0.15.2",
"products": [
{
"product": "libcheck",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libcomps",
"layer": "meta",
"version": "0.1.20",
"products": [
{
"product": "libcomps",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2019-3817",
"summary": "A use-after-free flaw has been discovered in libcomps before version 0.1.10 in the way ObjMRTrees are merged. An attacker, who is able to make an application read a crafted comps XML file, may be able to crash the application or execute malicious code.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3817"
}
]
},
{
"name": "libcomps-native",
"layer": "meta",
"version": "0.1.20",
"products": [
{
"product": "libcomps",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2019-3817",
"summary": "A use-after-free flaw has been discovered in libcomps before version 0.1.10 in the way ObjMRTrees are merged. An attacker, who is able to make an application read a crafted comps XML file, may be able to crash the application or execute malicious code.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3817"
}
]
},
{
"name": "libdaemon",
"layer": "meta",
"version": "0.14",
"products": [
{
"product": "libdaemon",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libdevmapper",
"layer": "meta-oe",
"version": "2.03.22",
"products": [
{
"product": "libdevmapper",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libdnf",
"layer": "meta",
"version": "0.73.1",
"products": [
{
"product": "libdnf",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2021-3445",
"summary": "A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "5.1",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3445"
}
]
},
{
"name": "libdnf-native",
"layer": "meta",
"version": "0.73.1",
"products": [
{
"product": "libdnf",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2021-3445",
"summary": "A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "5.1",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3445"
}
]
},
{
"name": "libdrm",
"layer": "meta",
"version": "2.4.120",
"products": [
{
"product": "libdrm",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libedit",
"layer": "meta",
"version": "20230828-3.1",
"products": [
{
"product": "libedit",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libedit-native",
"layer": "meta",
"version": "20230828-3.1",
"products": [
{
"product": "libedit",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "liberation-fonts",
"layer": "meta",
"version": "1_2.1.5",
"products": [
{
"product": "liberation-fonts",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libevdev",
"layer": "meta",
"version": "1.13.1",
"products": [
{
"product": "libevdev",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libffi",
"layer": "meta",
"version": "3.4.6",
"products": [
{
"product": "libffi",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2017-1000376",
"summary": "libffi requests an executable stack allowing attackers to more easily trigger arbitrary code execution by overwriting the stack. Please note that libffi is used by a number of other libraries. It was previously stated that this affects libffi version 3.2.1 but this appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems was vulnerable, and upstream is believed to have fixed this issue in version 3.1.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000376"
}
]
},
{
"name": "libffi-native",
"layer": "meta",
"version": "3.4.6",
"products": [
{
"product": "libffi",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2017-1000376",
"summary": "libffi requests an executable stack allowing attackers to more easily trigger arbitrary code execution by overwriting the stack. Please note that libffi is used by a number of other libraries. It was previously stated that this affects libffi version 3.2.1 but this appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems was vulnerable, and upstream is believed to have fixed this issue in version 3.1.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000376"
}
]
},
{
"name": "libgcc",
"layer": "meta",
"version": "13.2.0",
"products": [
{
"product": "gcc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-1439",
"summary": "gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1439"
},
{
"id": "CVE-2000-1219",
"summary": "The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-1219"
},
{
"id": "CVE-2002-2439",
"summary": "Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-2439"
},
{
"id": "CVE-2006-1902",
"summary": "fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is \"not correctly interpreting an offset to a pointer as a signed value.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1902"
},
{
"id": "CVE-2008-1367",
"summary": "gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1367"
},
{
"id": "CVE-2008-1685",
"summary": "gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999)",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1685"
},
{
"id": "CVE-2013-4598",
"summary": "The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4598"
},
{
"id": "CVE-2015-5276",
"summary": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5276"
},
{
"id": "CVE-2017-11671",
"summary": "Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11671"
},
{
"id": "CVE-2018-12886",
"summary": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12886"
},
{
"id": "CVE-2019-15847",
"summary": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847"
},
{
"id": "CVE-2021-37322",
"summary": "GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37322",
"detail": "cpe-incorrect",
"description": "Is a binutils 2.26 issue, not gcc"
},
{
"id": "CVE-2021-3826",
"summary": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826"
},
{
"id": "CVE-2021-46195",
"summary": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195"
},
{
"id": "CVE-2022-27943",
"summary": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943"
},
{
"id": "CVE-2023-4039",
"summary": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "4.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039",
"detail": "fixed-version",
"description": "Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source"
}
]
},
{
"name": "libgcc-initial",
"layer": "meta",
"version": "13.2.0",
"products": [
{
"product": "gcc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-1439",
"summary": "gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1439"
},
{
"id": "CVE-2000-1219",
"summary": "The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-1219"
},
{
"id": "CVE-2002-2439",
"summary": "Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-2439"
},
{
"id": "CVE-2006-1902",
"summary": "fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is \"not correctly interpreting an offset to a pointer as a signed value.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1902"
},
{
"id": "CVE-2008-1367",
"summary": "gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1367"
},
{
"id": "CVE-2008-1685",
"summary": "gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999)",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1685"
},
{
"id": "CVE-2013-4598",
"summary": "The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4598"
},
{
"id": "CVE-2015-5276",
"summary": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5276"
},
{
"id": "CVE-2017-11671",
"summary": "Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11671"
},
{
"id": "CVE-2018-12886",
"summary": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12886"
},
{
"id": "CVE-2019-15847",
"summary": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847"
},
{
"id": "CVE-2021-37322",
"summary": "GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37322",
"detail": "cpe-incorrect",
"description": "Is a binutils 2.26 issue, not gcc"
},
{
"id": "CVE-2021-3826",
"summary": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826"
},
{
"id": "CVE-2021-46195",
"summary": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195"
},
{
"id": "CVE-2022-27943",
"summary": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943"
},
{
"id": "CVE-2023-4039",
"summary": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "4.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039",
"detail": "fixed-version",
"description": "Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source"
}
]
},
{
"name": "libgcrypt",
"layer": "meta",
"version": "1.10.3",
"products": [
{
"product": "libgcrypt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-4242",
"summary": "GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4242"
},
{
"id": "CVE-2014-3591",
"summary": "Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.",
"scorev2": "1.9",
"scorev3": "4.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3591"
},
{
"id": "CVE-2014-5270",
"summary": "Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5270"
},
{
"id": "CVE-2015-0837",
"summary": "The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a \"Last-Level Cache Side-Channel Attack.\"",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0837"
},
{
"id": "CVE-2015-7511",
"summary": "Libgcrypt before 1.6.5 does not properly perform elliptic-point curve multiplication during decryption, which makes it easier for physically proximate attackers to extract ECDH keys by measuring electromagnetic emanations.",
"scorev2": "1.9",
"scorev3": "2.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7511"
},
{
"id": "CVE-2016-6313",
"summary": "The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6313"
},
{
"id": "CVE-2017-0379",
"summary": "Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key, related to cipher/ecc.c and mpi/ec.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0379"
},
{
"id": "CVE-2017-7526",
"summary": "libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.",
"scorev2": "4.3",
"scorev3": "6.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7526"
},
{
"id": "CVE-2017-9526",
"summary": "In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9526"
},
{
"id": "CVE-2018-0495",
"summary": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0495"
},
{
"id": "CVE-2018-6829",
"summary": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829"
},
{
"id": "CVE-2019-12904",
"summary": "In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) NOTE: the vendor's position is that the issue report cannot be validated because there is no description of an attack",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12904"
},
{
"id": "CVE-2021-3345",
"summary": "_gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1 or later.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3345"
},
{
"id": "CVE-2021-33560",
"summary": "Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33560"
},
{
"id": "CVE-2021-40528",
"summary": "The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.",
"scorev2": "2.6",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-40528"
}
]
},
{
"name": "libgcrypt-native",
"layer": "meta",
"version": "1.10.3",
"products": [
{
"product": "libgcrypt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-4242",
"summary": "GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4242"
},
{
"id": "CVE-2014-3591",
"summary": "Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.",
"scorev2": "1.9",
"scorev3": "4.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3591"
},
{
"id": "CVE-2014-5270",
"summary": "Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5270"
},
{
"id": "CVE-2015-0837",
"summary": "The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a \"Last-Level Cache Side-Channel Attack.\"",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0837"
},
{
"id": "CVE-2015-7511",
"summary": "Libgcrypt before 1.6.5 does not properly perform elliptic-point curve multiplication during decryption, which makes it easier for physically proximate attackers to extract ECDH keys by measuring electromagnetic emanations.",
"scorev2": "1.9",
"scorev3": "2.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7511"
},
{
"id": "CVE-2016-6313",
"summary": "The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6313"
},
{
"id": "CVE-2017-0379",
"summary": "Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key, related to cipher/ecc.c and mpi/ec.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0379"
},
{
"id": "CVE-2017-7526",
"summary": "libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.",
"scorev2": "4.3",
"scorev3": "6.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7526"
},
{
"id": "CVE-2017-9526",
"summary": "In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9526"
},
{
"id": "CVE-2018-0495",
"summary": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0495"
},
{
"id": "CVE-2018-6829",
"summary": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829"
},
{
"id": "CVE-2019-12904",
"summary": "In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) NOTE: the vendor's position is that the issue report cannot be validated because there is no description of an attack",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12904"
},
{
"id": "CVE-2021-3345",
"summary": "_gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1 or later.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3345"
},
{
"id": "CVE-2021-33560",
"summary": "Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33560"
},
{
"id": "CVE-2021-40528",
"summary": "The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.",
"scorev2": "2.6",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-40528"
}
]
},
{
"name": "libgpg-error",
"layer": "meta",
"version": "1.48",
"products": [
{
"product": "libgpg-error",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libgpg-error-native",
"layer": "meta",
"version": "1.48",
"products": [
{
"product": "libgpg-error",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libgudev",
"layer": "meta",
"version": "238",
"products": [
{
"product": "libgudev",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libical",
"layer": "meta",
"version": "3.0.17",
"products": [
{
"product": "libical",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2016-5823",
"summary": "The icalproperty_new_clone function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (use-after-free) via a crafted ics file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5823"
},
{
"id": "CVE-2016-5824",
"summary": "libical 1.0 allows remote attackers to cause a denial of service (use-after-free) via a crafted ics file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5824"
},
{
"id": "CVE-2016-5825",
"summary": "The icalparser_parse_string function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted ics file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5825"
},
{
"id": "CVE-2016-5826",
"summary": "The parser_get_next_char function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (out-of-bounds heap read) by crafting a string to the icalparser_parse_string function.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5826"
},
{
"id": "CVE-2016-5827",
"summary": "The icaltime_from_string function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted string to the icalparser_parse_string function.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5827"
},
{
"id": "CVE-2016-9584",
"summary": "libical allows remote attackers to cause a denial of service (use-after-free) and possibly read heap memory via a crafted ics file.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9584"
}
]
},
{
"name": "libical-native",
"layer": "meta",
"version": "3.0.17",
"products": [
{
"product": "libical",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2016-5823",
"summary": "The icalproperty_new_clone function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (use-after-free) via a crafted ics file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5823"
},
{
"id": "CVE-2016-5824",
"summary": "libical 1.0 allows remote attackers to cause a denial of service (use-after-free) via a crafted ics file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5824"
},
{
"id": "CVE-2016-5825",
"summary": "The icalparser_parse_string function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted ics file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5825"
},
{
"id": "CVE-2016-5826",
"summary": "The parser_get_next_char function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (out-of-bounds heap read) by crafting a string to the icalparser_parse_string function.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5826"
},
{
"id": "CVE-2016-5827",
"summary": "The icaltime_from_string function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted string to the icalparser_parse_string function.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5827"
},
{
"id": "CVE-2016-9584",
"summary": "libical allows remote attackers to cause a denial of service (use-after-free) and possibly read heap memory via a crafted ics file.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9584"
}
]
},
{
"name": "libid3tag",
"layer": "meta-oe",
"version": "0.15.1b",
"products": [
{
"product": "libid3tag",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-2779",
"summary": "id3_utf16_deserialize() in utf16.c in libid3tag through 0.15.1b misparses ID3v2 tags encoded in UTF-16 with an odd number of bytes, triggering an endless loop allocating memory until an OOM condition is reached, leading to denial-of-service (DoS).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2779"
},
{
"id": "CVE-2008-2109",
"summary": "field.c in the libid3tag 0.15.0b library allows context-dependent attackers to cause a denial of service (CPU consumption) via an ID3_FIELD_TYPE_STRINGLIST field that ends in '\\0', which triggers an infinite loop.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2109"
},
{
"id": "CVE-2017-11550",
"summary": "The id3_ucs4_length function in ucs4.c in libid3tag 0.15.1b allows remote attackers to cause a denial of service (NULL Pointer Dereference and application crash) via a crafted mp3 file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11550"
},
{
"id": "CVE-2017-11551",
"summary": "The id3_field_parse function in field.c in libid3tag 0.15.1b allows remote attackers to cause a denial of service (OOM) via a crafted MP3 file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11551"
}
]
},
{
"name": "libidn2",
"layer": "meta",
"version": "2.3.7",
"products": [
{
"product": "libidn2",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2017-14061",
"summary": "Integer overflow in the _isBidi function in bidi.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14061"
},
{
"id": "CVE-2017-14062",
"summary": "Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14062"
},
{
"id": "CVE-2019-12290",
"summary": "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12290"
},
{
"id": "CVE-2019-18224",
"summary": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18224"
}
]
},
{
"name": "libidn2-native",
"layer": "meta",
"version": "2.3.7",
"products": [
{
"product": "libidn2",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2017-14061",
"summary": "Integer overflow in the _isBidi function in bidi.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14061"
},
{
"id": "CVE-2017-14062",
"summary": "Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14062"
},
{
"id": "CVE-2019-12290",
"summary": "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12290"
},
{
"id": "CVE-2019-18224",
"summary": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18224"
}
]
},
{
"name": "libinput",
"layer": "meta",
"version": "1.25.0",
"products": [
{
"product": "libinput",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2022-1215",
"summary": "A format string vulnerability was found in libinput",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1215"
}
]
},
{
"name": "libjitterentropy",
"layer": "meta",
"version": "3.4.1",
"products": [
{
"product": "libjitterentropy",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libjpeg-turbo",
"layer": "meta",
"version": "1_3.0.1",
"products": [
{
"product": "libjpeg-turbo",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2012-2806",
"summary": "Heap-based buffer overflow in the get_sos function in jdmarker.c in libjpeg-turbo 1.2.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large component count in the header of a JPEG image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2806"
},
{
"id": "CVE-2013-6629",
"summary": "The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6629"
},
{
"id": "CVE-2014-9092",
"summary": "libjpeg-turbo before 1.3.1 allows remote attackers to cause a denial of service (crash) via a crafted JPEG file, related to the Exif marker.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9092"
},
{
"id": "CVE-2016-3616",
"summary": "The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3616"
},
{
"id": "CVE-2017-15232",
"summary": "libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15232"
},
{
"id": "CVE-2017-9614",
"summary": "The fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted jpg file. NOTE: Maintainer asserts the issue is due to a bug in downstream code caused by misuse of the libjpeg API",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9614"
},
{
"id": "CVE-2018-1152",
"summary": "libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1152"
},
{
"id": "CVE-2018-14498",
"summary": "get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14498"
},
{
"id": "CVE-2018-19664",
"summary": "libjpeg-turbo 2.0.1 has a heap-based buffer over-read in the put_pixel_rows function in wrbmp.c, as demonstrated by djpeg.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19664"
},
{
"id": "CVE-2018-20330",
"summary": "The tjLoadImage function in libjpeg-turbo 2.0.1 has an integer overflow with a resultant heap-based buffer overflow via a BMP image because multiplication of pitch and height is mishandled, as demonstrated by tjbench.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20330"
},
{
"id": "CVE-2019-13960",
"summary": "In libjpeg-turbo 2.0.2, a large amount of memory can be used during processing of an invalid progressive JPEG image containing incorrect width and height values in the image header. NOTE: the vendor's expectation, for use cases in which this memory usage would be a denial of service, is that the application should interpret libjpeg warnings as fatal errors (aborting decompression) and/or set limits on resource consumption or image sizes",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13960"
},
{
"id": "CVE-2020-13790",
"summary": "libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.",
"scorev2": "5.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13790"
},
{
"id": "CVE-2020-17541",
"summary": "Libjpeg-turbo all version have a stack-based buffer overflow in the \"transform\" component. A remote attacker can send a malformed jpeg file to the service and cause arbitrary code execution or denial of service of the target service.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17541"
},
{
"id": "CVE-2020-35538",
"summary": "A crafted input file could cause a null pointer dereference in jcopy_sample_rows() when processed by libjpeg-turbo.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35538"
},
{
"id": "CVE-2021-20205",
"summary": "Libjpeg-turbo versions 2.0.91 and 2.0.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted GIF image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20205"
},
{
"id": "CVE-2021-29390",
"summary": "libjpeg-turbo version 2.0.90 has a heap-based buffer over-read (2 bytes) in decompress_smooth_data in jdcoefct.c.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29390"
},
{
"id": "CVE-2021-46822",
"summary": "The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46822"
},
{
"id": "CVE-2023-2804",
"summary": "A heap-based buffer overflow issue was discovered in libjpeg-turbo in h2v2_merged_upsample_internal() function of jdmrgext.c file. The vulnerability can only be exploited with 12-bit data precision for which the range of the sample data type exceeds the valid sample range, hence, an attacker could craft a 12-bit lossless JPEG image that contains out-of-range 12-bit samples. An application attempting to decompress such image using merged upsampling would lead to segmentation fault or buffer overflows, causing an application to crash.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2804"
}
]
},
{
"name": "libjpeg-turbo-native",
"layer": "meta",
"version": "1_3.0.1",
"products": [
{
"product": "libjpeg-turbo",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2012-2806",
"summary": "Heap-based buffer overflow in the get_sos function in jdmarker.c in libjpeg-turbo 1.2.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large component count in the header of a JPEG image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2806"
},
{
"id": "CVE-2013-6629",
"summary": "The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6629"
},
{
"id": "CVE-2014-9092",
"summary": "libjpeg-turbo before 1.3.1 allows remote attackers to cause a denial of service (crash) via a crafted JPEG file, related to the Exif marker.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9092"
},
{
"id": "CVE-2016-3616",
"summary": "The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3616"
},
{
"id": "CVE-2017-15232",
"summary": "libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15232"
},
{
"id": "CVE-2017-9614",
"summary": "The fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted jpg file. NOTE: Maintainer asserts the issue is due to a bug in downstream code caused by misuse of the libjpeg API",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9614"
},
{
"id": "CVE-2018-1152",
"summary": "libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1152"
},
{
"id": "CVE-2018-14498",
"summary": "get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14498"
},
{
"id": "CVE-2018-19664",
"summary": "libjpeg-turbo 2.0.1 has a heap-based buffer over-read in the put_pixel_rows function in wrbmp.c, as demonstrated by djpeg.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19664"
},
{
"id": "CVE-2018-20330",
"summary": "The tjLoadImage function in libjpeg-turbo 2.0.1 has an integer overflow with a resultant heap-based buffer overflow via a BMP image because multiplication of pitch and height is mishandled, as demonstrated by tjbench.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20330"
},
{
"id": "CVE-2019-13960",
"summary": "In libjpeg-turbo 2.0.2, a large amount of memory can be used during processing of an invalid progressive JPEG image containing incorrect width and height values in the image header. NOTE: the vendor's expectation, for use cases in which this memory usage would be a denial of service, is that the application should interpret libjpeg warnings as fatal errors (aborting decompression) and/or set limits on resource consumption or image sizes",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13960"
},
{
"id": "CVE-2020-13790",
"summary": "libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.",
"scorev2": "5.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13790"
},
{
"id": "CVE-2020-17541",
"summary": "Libjpeg-turbo all version have a stack-based buffer overflow in the \"transform\" component. A remote attacker can send a malformed jpeg file to the service and cause arbitrary code execution or denial of service of the target service.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17541"
},
{
"id": "CVE-2020-35538",
"summary": "A crafted input file could cause a null pointer dereference in jcopy_sample_rows() when processed by libjpeg-turbo.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35538"
},
{
"id": "CVE-2021-20205",
"summary": "Libjpeg-turbo versions 2.0.91 and 2.0.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted GIF image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20205"
},
{
"id": "CVE-2021-29390",
"summary": "libjpeg-turbo version 2.0.90 has a heap-based buffer over-read (2 bytes) in decompress_smooth_data in jdcoefct.c.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29390"
},
{
"id": "CVE-2021-46822",
"summary": "The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46822"
},
{
"id": "CVE-2023-2804",
"summary": "A heap-based buffer overflow issue was discovered in libjpeg-turbo in h2v2_merged_upsample_internal() function of jdmrgext.c file. The vulnerability can only be exploited with 12-bit data precision for which the range of the sample data type exceeds the valid sample range, hence, an attacker could craft a 12-bit lossless JPEG image that contains out-of-range 12-bit samples. An application attempting to decompress such image using merged upsampling would lead to segmentation fault or buffer overflows, causing an application to crash.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2804"
}
]
},
{
"name": "libksba",
"layer": "meta",
"version": "1.6.6",
"products": [
{
"product": "libksba",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2014-9087",
"summary": "Integer underflow in the ksba_oid_to_str function in Libksba before 1.3.2, as used in GnuPG, allows remote attackers to cause a denial of service (crash) via a crafted OID in a (1) S/MIME message or (2) ECC based OpenPGP data, which triggers a buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9087"
},
{
"id": "CVE-2016-4353",
"summary": "ber-decoder.c in Libksba before 1.3.3 does not properly handle decoder stack overflows, which allows remote attackers to cause a denial of service (abort) via crafted BER data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4353"
},
{
"id": "CVE-2016-4354",
"summary": "ber-decoder.c in Libksba before 1.3.3 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (crash) via crafted BER data, which leads to a buffer overflow.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4354"
},
{
"id": "CVE-2016-4355",
"summary": "Multiple integer overflows in ber-decoder.c in Libksba before 1.3.3 allow remote attackers to cause a denial of service (crash) via crafted BER data, which leads to a buffer overflow.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4355"
},
{
"id": "CVE-2016-4356",
"summary": "The append_utf8_value function in the DN decoder (dn.c) in Libksba before 1.3.3 allows remote attackers to cause a denial of service (out-of-bounds read) by clearing the high bit of the byte after invalid utf-8 encoded data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4356"
},
{
"id": "CVE-2016-4574",
"summary": "Off-by-one error in the append_utf8_value function in the DN decoder (dn.c) in Libksba before 1.3.4 allows remote attackers to cause a denial of service (out-of-bounds read) via invalid utf-8 encoded data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-4356.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4574"
},
{
"id": "CVE-2016-4579",
"summary": "Libksba before 1.3.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via unspecified vectors, related to the \"returned length of the object from _ksba_ber_parse_tl.\"",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4579"
},
{
"id": "CVE-2022-3515",
"summary": "A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3515"
},
{
"id": "CVE-2022-47629",
"summary": "Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47629"
}
]
},
{
"name": "libmbim",
"layer": "meta-oe",
"version": "1.30.0",
"products": [
{
"product": "libmbim",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libmd-native",
"layer": "meta",
"version": "1.1.0",
"products": [
{
"product": "libmd",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libmicrohttpd",
"layer": "meta",
"version": "1.0.1",
"products": [
{
"product": "libmicrohttpd",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-7038",
"summary": "The MHD_http_unescape function in libmicrohttpd before 0.9.32 might allow remote attackers to obtain sensitive information or cause a denial of service (crash) via unspecified vectors that trigger an out-of-bounds read.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7038"
},
{
"id": "CVE-2013-7039",
"summary": "Stack-based buffer overflow in the MHD_digest_auth_check function in libmicrohttpd before 0.9.32, when MHD_OPTION_CONNECTION_MEMORY_LIMIT is set to a large value, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long URI in an authentication header.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7039"
},
{
"id": "CVE-2021-3466",
"summary": "A flaw was found in libmicrohttpd. A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Only version 0.9.70 is vulnerable.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3466"
},
{
"id": "CVE-2023-27371",
"summary": "GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-27371"
}
]
},
{
"name": "libmicrohttpd-native",
"layer": "meta",
"version": "1.0.1",
"products": [
{
"product": "libmicrohttpd",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-7038",
"summary": "The MHD_http_unescape function in libmicrohttpd before 0.9.32 might allow remote attackers to obtain sensitive information or cause a denial of service (crash) via unspecified vectors that trigger an out-of-bounds read.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7038"
},
{
"id": "CVE-2013-7039",
"summary": "Stack-based buffer overflow in the MHD_digest_auth_check function in libmicrohttpd before 0.9.32, when MHD_OPTION_CONNECTION_MEMORY_LIMIT is set to a large value, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long URI in an authentication header.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7039"
},
{
"id": "CVE-2021-3466",
"summary": "A flaw was found in libmicrohttpd. A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Only version 0.9.70 is vulnerable.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3466"
},
{
"id": "CVE-2023-27371",
"summary": "GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-27371"
}
]
},
{
"name": "libmnl",
"layer": "meta",
"version": "1.0.5",
"products": [
{
"product": "libmnl",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libmodulemd",
"layer": "meta",
"version": "2.15.0",
"products": [
{
"product": "libmodulemd",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libmodulemd-native",
"layer": "meta",
"version": "2.15.0",
"products": [
{
"product": "libmodulemd",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libmpc",
"layer": "meta",
"version": "1.3.1",
"products": [
{
"product": "libmpc",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libmpc-native",
"layer": "meta",
"version": "1.3.1",
"products": [
{
"product": "libmpc",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libmpdclient",
"layer": "meta-multimedia",
"version": "2.20",
"products": [
{
"product": "libmpdclient",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libnewt",
"layer": "meta",
"version": "0.52.24",
"products": [
{
"product": "libnewt",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libnl",
"layer": "meta",
"version": "1_3.9.0",
"products": [
{
"product": "libnl",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libnsl2",
"layer": "meta",
"version": "2.0.1",
"products": [
{
"product": "libnsl2",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libnsl2-native",
"layer": "meta",
"version": "2.0.1",
"products": [
{
"product": "libnsl2",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libnss-mdns",
"layer": "meta",
"version": "0.15.1",
"products": [
{
"product": "libnss-mdns",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libnvme",
"layer": "meta-oe",
"version": "1.8",
"products": [
{
"product": "libnvme",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libogg",
"layer": "meta",
"version": "1.3.5",
"products": [
{
"product": "libogg",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libopus",
"layer": "meta-oe",
"version": "1.5.2",
"products": [
{
"product": "opus",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-0899",
"summary": "Integer overflow in the padding implementation in the opus_packet_parse_impl function in src/opus_decoder.c in Opus before 1.0.2, as used in Google Chrome before 25.0.1364.97 on Windows and Linux and before 25.0.1364.99 on Mac OS X and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a long packet.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0899"
}
]
},
{
"name": "libpam",
"layer": "meta",
"version": "1.5.3",
"products": [
{
"product": "linux-pam",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2009-0579",
"summary": "Linux-PAM before 1.0.4 does not enforce the minimum password age (MINDAYS) as specified in /etc/shadow, which allows local users to bypass intended security policy and change their passwords sooner than specified.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0579"
},
{
"id": "CVE-2009-0887",
"summary": "Integer signedness error in the _pam_StrTok function in libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a configuration file contains non-ASCII usernames, might allow remote attackers to cause a denial of service, and might allow remote authenticated users to obtain login access with a different user's non-ASCII username, via a login attempt.",
"scorev2": "6.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0887"
},
{
"id": "CVE-2010-3316",
"summary": "The run_coprocess function in pam_xauth.c in the pam_xauth module in Linux-PAM (aka pam) before 1.1.2 does not check the return values of the setuid, setgid, and setgroups system calls, which might allow local users to read arbitrary files by executing a program that relies on the pam_xauth PAM check.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3316"
},
{
"id": "CVE-2010-3430",
"summary": "The privilege-dropping implementation in the (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) 1.1.2 does not perform the required setfsgid and setgroups system calls, which might allow local users to obtain sensitive information by leveraging unintended group permissions, as demonstrated by a symlink attack on the .pam_environment file in a user's home directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-3435.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3430"
},
{
"id": "CVE-2010-3431",
"summary": "The privilege-dropping implementation in the (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) 1.1.2 does not check the return value of the setfsuid system call, which might allow local users to obtain sensitive information by leveraging an unintended uid, as demonstrated by a symlink attack on the .pam_environment file in a user's home directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-3435.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3431"
},
{
"id": "CVE-2010-3435",
"summary": "The (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) before 1.1.2 use root privileges during read access to files and directories that belong to arbitrary user accounts, which might allow local users to obtain sensitive information by leveraging this filesystem activity, as demonstrated by a symlink attack on the .pam_environment file in a user's home directory.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3435"
},
{
"id": "CVE-2010-3853",
"summary": "pam_namespace.c in the pam_namespace module in Linux-PAM (aka pam) before 1.1.3 uses the environment of the invoking application or service during execution of the namespace.init script, which might allow local users to gain privileges by running a setuid program that relies on the pam_namespace PAM check, as demonstrated by the sudo program.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3853"
},
{
"id": "CVE-2010-4706",
"summary": "The pam_sm_close_session function in pam_xauth.c in the pam_xauth module in Linux-PAM (aka pam) 1.1.2 and earlier does not properly handle a failure to determine a certain target uid, which might allow local users to delete unintended files by executing a program that relies on the pam_xauth PAM check.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4706"
},
{
"id": "CVE-2010-4707",
"summary": "The check_acl function in pam_xauth.c in the pam_xauth module in Linux-PAM (aka pam) 1.1.2 and earlier does not verify that a certain ACL file is a regular file, which might allow local users to cause a denial of service (resource consumption) via a special file.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4707"
},
{
"id": "CVE-2010-4708",
"summary": "The pam_env module in Linux-PAM (aka pam) 1.1.2 and earlier reads the .pam_environment file in a user's home directory, which might allow local users to run programs with an unintended environment by executing a program that relies on the pam_env PAM check.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4708"
},
{
"id": "CVE-2011-3148",
"summary": "Stack-based buffer overflow in the _assemble_line function in modules/pam_env/pam_env.c in Linux-PAM (aka pam) before 1.1.5 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long string of white spaces at the beginning of the ~/.pam_environment file.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3148"
},
{
"id": "CVE-2011-3149",
"summary": "The _expand_arg function in the pam_env module (modules/pam_env/pam_env.c) in Linux-PAM (aka pam) before 1.1.5 does not properly handle when environment variable expansion can overflow, which allows local users to cause a denial of service (CPU consumption).",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3149"
},
{
"id": "CVE-2014-2583",
"summary": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create arbitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty function, which is used by the format_timestamp_name function.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2583"
},
{
"id": "CVE-2015-3238",
"summary": "The _unix_run_helper_binary function in the pam_unix module in Linux-PAM (aka pam) before 1.2.1, when unable to directly access passwords, allows local users to enumerate usernames or cause a denial of service (hang) via a large password.",
"scorev2": "5.8",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3238"
},
{
"id": "CVE-2018-17953",
"summary": "A incorrect variable in a SUSE specific patch for pam_access rule matching in PAM 1.3.0 in openSUSE Leap 15.0 and SUSE Linux Enterprise 15 could lead to pam_access rules not being applied (fail open).",
"scorev2": "9.3",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17953"
},
{
"id": "CVE-2020-27780",
"summary": "A flaw was found in Linux-Pam in versions prior to 1.5.1 in the way it handle empty passwords for non-existing users. When the user doesn't exist PAM try to authenticate with root and in the case of an empty password it successfully authenticate.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27780"
},
{
"id": "CVE-2022-28321",
"summary": "The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-28321"
},
{
"id": "CVE-2024-22365",
"summary": "linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-22365"
}
]
},
{
"name": "libpcap",
"layer": "meta",
"version": "1.10.4",
"products": [
{
"product": "libpcap",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2011-1935",
"summary": "pcap-linux.c in libpcap 1.1.1 before commit ea9432fabdf4b33cbc76d9437200e028f1c47c93 when snaplen is set may truncate packets, which might allow remote attackers to send arbitrary data while avoiding detection via crafted packets.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1935"
},
{
"id": "CVE-2019-15161",
"summary": "rpcapd/daemon.c in libpcap before 1.9.1 mishandles certain length values because of reuse of a variable. This may open up an attack vector involving extra data at the end of a request.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15161"
},
{
"id": "CVE-2019-15162",
"summary": "rpcapd/daemon.c in libpcap before 1.9.1 on non-Windows platforms provides details about why authentication failed, which might make it easier for attackers to enumerate valid usernames.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15162"
},
{
"id": "CVE-2019-15163",
"summary": "rpcapd/daemon.c in libpcap before 1.9.1 allows attackers to cause a denial of service (NULL pointer dereference and daemon crash) if a crypt() call fails.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15163"
},
{
"id": "CVE-2019-15164",
"summary": "rpcapd/daemon.c in libpcap before 1.9.1 allows SSRF because a URL may be provided as a capture source.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15164"
},
{
"id": "CVE-2019-15165",
"summary": "sf-pcapng.c in libpcap before 1.9.1 does not properly validate the PHB header length before allocating memory.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15165"
}
]
},
{
"name": "libpciaccess",
"layer": "meta",
"version": "0.18",
"products": [
{
"product": "libpciaccess",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libpcre",
"layer": "meta",
"version": "8.45",
"products": [
{
"product": "pcre",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2005-2491",
"summary": "Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2491"
},
{
"id": "CVE-2005-4872",
"summary": "Perl-Compatible Regular Expression (PCRE) library before 6.2 does not properly count the number of named capturing subpatterns, which allows context-dependent attackers to cause a denial of service (crash) via a regular expression with a large number of named subpatterns, which triggers a buffer overflow. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4872"
},
{
"id": "CVE-2006-7225",
"summary": "Perl-Compatible Regular Expression (PCRE) library before 6.7 allows context-dependent attackers to cause a denial of service (error or crash) via a regular expression that involves a \"malformed POSIX character class\", as demonstrated via an invalid character after a [[ sequence.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7225"
},
{
"id": "CVE-2006-7227",
"summary": "Integer overflow in Perl-Compatible Regular Expression (PCRE) library before 6.7 allows context-dependent attackers to execute arbitrary code via a regular expression containing a large number of named subpatterns (name_count) or long subpattern names (max_name_size), which triggers a buffer overflow. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7227"
},
{
"id": "CVE-2006-7228",
"summary": "Integer overflow in Perl-Compatible Regular Expression (PCRE) library before 6.7 might allow context-dependent attackers to execute arbitrary code via a regular expression that involves large (1) min, (2) max, or (3) duplength values that cause an incorrect length calculation and trigger a buffer overflow, a different vulnerability than CVE-2006-7227. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7228"
},
{
"id": "CVE-2006-7230",
"summary": "Perl-Compatible Regular Expression (PCRE) library before 7.0 does not properly calculate the amount of memory needed for a compiled regular expression pattern when the (1) -x or (2) -i UTF-8 options change within the pattern, which allows context-dependent attackers to cause a denial of service (PCRE or glibc crash) via crafted regular expressions.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7230"
},
{
"id": "CVE-2007-1659",
"summary": "Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via regex patterns containing unmatched \"\\Q\\E\" sequences with orphan \"\\E\" codes.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1659"
},
{
"id": "CVE-2007-1660",
"summary": "Perl-Compatible Regular Expression (PCRE) library before 7.0 does not properly calculate sizes for unspecified \"multiple forms of character class\", which triggers a buffer overflow that allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1660"
},
{
"id": "CVE-2007-1662",
"summary": "Perl-Compatible Regular Expression (PCRE) library before 7.3 reads past the end of the string when searching for unmatched brackets and parentheses, which allows context-dependent attackers to cause a denial of service (crash), possibly involving forward references.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1662"
},
{
"id": "CVE-2007-4766",
"summary": "Multiple integer overflows in Perl-Compatible Regular Expression (PCRE) library before 7.3 allow context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via unspecified escape (backslash) sequences.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4766"
},
{
"id": "CVE-2007-4767",
"summary": "Perl-Compatible Regular Expression (PCRE) library before 7.3 does not properly compute the length of (1) a \\p sequence, (2) a \\P sequence, or (3) a \\P{x} sequence, which allows context-dependent attackers to cause a denial of service (infinite loop or crash) or execute arbitrary code.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4767"
},
{
"id": "CVE-2007-4768",
"summary": "Heap-based buffer overflow in Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to execute arbitrary code via a singleton Unicode sequence in a character class in a regex pattern, which is incorrectly optimized.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4768"
},
{
"id": "CVE-2008-0674",
"summary": "Buffer overflow in PCRE before 7.6 allows remote attackers to execute arbitrary code via a regular expression containing a character class with a large number of characters with Unicode code points greater than 255.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0674"
},
{
"id": "CVE-2008-2371",
"summary": "Heap-based buffer overflow in pcre_compile.c in the Perl-Compatible Regular Expression (PCRE) library 7.7 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a regular expression that begins with an option and contains multiple branches.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2371"
},
{
"id": "CVE-2014-8964",
"summary": "Heap-based buffer overflow in PCRE 8.36 and earlier allows remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8964"
},
{
"id": "CVE-2014-9769",
"summary": "pcre_jit_compile.c in PCRE 8.35 does not properly use table jumps to optimize nested alternatives, which allows remote attackers to cause a denial of service (stack memory corruption) or possibly have unspecified other impact via a crafted string, as demonstrated by packets encountered by Suricata during use of a regular expression in an Emerging Threats Open ruleset.",
"scorev2": "7.5",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9769"
},
{
"id": "CVE-2015-2325",
"summary": "The compile_branch function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code, cause a denial of service (out-of-bounds heap read and crash), or possibly have other unspecified impact via a regular expression with a group containing a forward reference repeated a large number of times within a repeated outer group that has a zero minimum quantifier.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2325"
},
{
"id": "CVE-2015-2326",
"summary": "The pcre_compile2 function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code and cause a denial of service (out-of-bounds read) via regular expression with a group containing both a forward referencing subroutine call and a recursive back reference, as demonstrated by \"((?+1)(\\1))/\".",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2326"
},
{
"id": "CVE-2015-2328",
"summary": "PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2328"
},
{
"id": "CVE-2015-3210",
"summary": "Heap-based buffer overflow in PCRE 8.34 through 8.37 and PCRE2 10.10 allows remote attackers to execute arbitrary code via a crafted regular expression, as demonstrated by /^(?P=B)((?P=B)(?J:(?Pc)(?Pa(?P=B)))>WGXCREDITS)/, a different vulnerability than CVE-2015-8384.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3210"
},
{
"id": "CVE-2015-3217",
"summary": "PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\\\.|([^\\\\\\\\W_])?)+)+$/.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3217"
},
{
"id": "CVE-2015-5073",
"summary": "Heap-based buffer overflow in the find_fixedlength function in pcre_compile.c in PCRE before 8.38 allows remote attackers to cause a denial of service (crash) or obtain sensitive information from heap memory and possibly bypass the ASLR protection mechanism via a crafted regular expression with an excess closing parenthesis.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5073"
},
{
"id": "CVE-2015-8391",
"summary": "The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.",
"scorev2": "9.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8391"
},
{
"id": "CVE-2016-1283",
"summary": "The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the /((?:F?+(?:^(?(R)a+\\\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\\){97)?J)?J)(?'R'(?'R'\\){99|(:(?|(?'R')(\\k'R')|((?'R')))H'R'R)(H'R))))))/ pattern and related patterns with named subgroups, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1283"
},
{
"id": "CVE-2016-3191",
"summary": "The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3191"
},
{
"id": "CVE-2017-11164",
"summary": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11164"
},
{
"id": "CVE-2017-16231",
"summary": "In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16231"
},
{
"id": "CVE-2017-6004",
"summary": "The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6004"
},
{
"id": "CVE-2017-7186",
"summary": "libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7186"
},
{
"id": "CVE-2017-7244",
"summary": "The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7244"
},
{
"id": "CVE-2017-7245",
"summary": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7245"
},
{
"id": "CVE-2017-7246",
"summary": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7246"
},
{
"id": "CVE-2019-20838",
"summary": "libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\X or \\R has more than one fixed quantifier, a related issue to CVE-2019-20454.",
"scorev2": "4.3",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20838"
},
{
"id": "CVE-2020-14155",
"summary": "libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14155"
}
]
},
{
"name": "libpcre2",
"layer": "meta",
"version": "10.43",
"products": [
{
"product": "pcre2",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-3210",
"summary": "Heap-based buffer overflow in PCRE 8.34 through 8.37 and PCRE2 10.10 allows remote attackers to execute arbitrary code via a crafted regular expression, as demonstrated by /^(?P=B)((?P=B)(?J:(?Pc)(?Pa(?P=B)))>WGXCREDITS)/, a different vulnerability than CVE-2015-8384.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3210"
},
{
"id": "CVE-2015-3217",
"summary": "PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\\\.|([^\\\\\\\\W_])?)+)+$/.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3217"
},
{
"id": "CVE-2016-3191",
"summary": "The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3191"
},
{
"id": "CVE-2017-7186",
"summary": "libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7186"
},
{
"id": "CVE-2017-8399",
"summary": "PCRE2 before 10.30 has an out-of-bounds write caused by a stack-based buffer overflow in pcre2_match.c, related to a \"pattern with very many captures.\"",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8399"
},
{
"id": "CVE-2017-8786",
"summary": "pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8786"
},
{
"id": "CVE-2019-20454",
"summary": "An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \\X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.",
"scorev2": "5.0",
"scorev3": "5.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20454"
},
{
"id": "CVE-2022-1586",
"summary": "An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1586"
},
{
"id": "CVE-2022-1587",
"summary": "An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1587"
},
{
"id": "CVE-2022-41409",
"summary": "Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41409"
}
]
},
{
"name": "libpcre2-native",
"layer": "meta",
"version": "10.43",
"products": [
{
"product": "pcre2",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-3210",
"summary": "Heap-based buffer overflow in PCRE 8.34 through 8.37 and PCRE2 10.10 allows remote attackers to execute arbitrary code via a crafted regular expression, as demonstrated by /^(?P=B)((?P=B)(?J:(?Pc)(?Pa(?P=B)))>WGXCREDITS)/, a different vulnerability than CVE-2015-8384.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3210"
},
{
"id": "CVE-2015-3217",
"summary": "PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\\\.|([^\\\\\\\\W_])?)+)+$/.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3217"
},
{
"id": "CVE-2016-3191",
"summary": "The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3191"
},
{
"id": "CVE-2017-7186",
"summary": "libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7186"
},
{
"id": "CVE-2017-8399",
"summary": "PCRE2 before 10.30 has an out-of-bounds write caused by a stack-based buffer overflow in pcre2_match.c, related to a \"pattern with very many captures.\"",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8399"
},
{
"id": "CVE-2017-8786",
"summary": "pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8786"
},
{
"id": "CVE-2019-20454",
"summary": "An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \\X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.",
"scorev2": "5.0",
"scorev3": "5.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20454"
},
{
"id": "CVE-2022-1586",
"summary": "An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1586"
},
{
"id": "CVE-2022-1587",
"summary": "An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1587"
},
{
"id": "CVE-2022-41409",
"summary": "Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41409"
}
]
},
{
"name": "libpng",
"layer": "meta",
"version": "1.6.42",
"products": [
{
"product": "libpng",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2002-0660",
"summary": "Buffer overflow in libpng 1.0.12-3.woody.2 and libpng3 1.2.1-1.1.woody.2 on Debian GNU/Linux 3.0, and other operating systems, may allow attackers to cause a denial of service and possibly execute arbitrary code, a different vulnerability than CVE-2002-0728.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0660"
},
{
"id": "CVE-2002-0728",
"summary": "Buffer overflow in the progressive reader for libpng 1.2.x before 1.2.4, and 1.0.x before 1.0.14, allows attackers to cause a denial of service (crash) via a PNG data stream that has more IDAT data than indicated by the IHDR chunk.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0728"
},
{
"id": "CVE-2002-1363",
"summary": "Portable Network Graphics (PNG) library libpng 1.2.5 and earlier does not correctly calculate offsets, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a buffer overflow attack on the row buffers.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1363"
},
{
"id": "CVE-2004-0421",
"summary": "The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0421"
},
{
"id": "CVE-2004-0597",
"summary": "Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0597"
},
{
"id": "CVE-2004-0598",
"summary": "The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0598"
},
{
"id": "CVE-2004-0599",
"summary": "Multiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0599"
},
{
"id": "CVE-2006-0481",
"summary": "Heap-based buffer overflow in the alpha strip capability in libpng 1.2.7 allows context-dependent attackers to cause a denial of service (crash) when the png_do_strip_filler function is used to strip alpha channels out of the image.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0481"
},
{
"id": "CVE-2006-3334",
"summary": "Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to \"chunk error processing,\" possibly involving the \"chunk_name\".",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3334"
},
{
"id": "CVE-2006-5793",
"summary": "The sPLT chunk handling code (png_set_sPLT function in pngset.c) in libpng 1.0.6 through 1.2.12 uses a sizeof operator on the wrong data type, which allows context-dependent attackers to cause a denial of service (crash) via malformed sPLT chunks that trigger an out-of-bounds read.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5793"
},
{
"id": "CVE-2006-7244",
"summary": "Memory leak in pngwutil.c in libpng 1.2.13beta1, and other versions before 1.2.15beta3, allows context-dependent attackers to cause a denial of service (memory leak or segmentation fault) via a JPEG image containing an iCCP chunk with a negative embedded profile length.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7244"
},
{
"id": "CVE-2007-2445",
"summary": "The png_handle_tRNS function in pngrutil.c in libpng before 1.0.25 and 1.2.x before 1.2.17 allows remote attackers to cause a denial of service (application crash) via a grayscale PNG image with a bad tRNS chunk CRC value.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2445"
},
{
"id": "CVE-2007-5266",
"summary": "Off-by-one error in ICC profile chunk handling in the png_set_iCCP function in pngset.c in libpng before 1.0.29 beta1 and 1.2.x before 1.2.21 beta1 allows remote attackers to cause a denial of service (crash) via a crafted PNG image that prevents a name field from being NULL terminated.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5266"
},
{
"id": "CVE-2007-5267",
"summary": "Off-by-one error in ICC profile chunk handling in the png_set_iCCP function in pngset.c in libpng before 1.2.22 beta1 allows remote attackers to cause a denial of service (crash) via a crafted PNG image, due to an incorrect fix for CVE-2007-5266.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5267"
},
{
"id": "CVE-2007-5268",
"summary": "pngrtran.c in libpng before 1.0.29 and 1.2.x before 1.2.21 use (1) logical instead of bitwise operations and (2) incorrect comparisons, which might allow remote attackers to cause a denial of service (crash) via a crafted PNG image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5268"
},
{
"id": "CVE-2007-5269",
"summary": "Certain chunk handlers in libpng before 1.0.29 and 1.2.x before 1.2.21 allow remote attackers to cause a denial of service (crash) via crafted (1) pCAL (png_handle_pCAL), (2) sCAL (png_handle_sCAL), (3) tEXt (png_push_read_tEXt), (4) iTXt (png_handle_iTXt), and (5) ztXT (png_handle_ztXt) chunking in PNG images, which trigger out-of-bounds read operations.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5269"
},
{
"id": "CVE-2008-1382",
"summary": "libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 through 1.4.0beta19 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length \"unknown\" chunks, which trigger an access of uninitialized memory.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1382"
},
{
"id": "CVE-2008-3964",
"summary": "Multiple off-by-one errors in libpng before 1.2.32beta01, and 1.4 before 1.4.0beta34, allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a PNG image with crafted zTXt chunks, related to (1) the png_push_read_zTXt function in pngread.c, and possibly related to (2) pngtest.c.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3964"
},
{
"id": "CVE-2008-5907",
"summary": "The png_check_keyword function in pngwutil.c in libpng before 1.0.42, and 1.2.x before 1.2.34, might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords, related to an implicit cast of the '\\0' character constant to a NULL pointer. NOTE: some sources incorrectly report this as a double free vulnerability.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5907"
},
{
"id": "CVE-2008-6218",
"summary": "Memory leak in the png_handle_tEXt function in pngrutil.c in libpng before 1.2.33 rc02 and 1.4.0 beta36 allows context-dependent attackers to cause a denial of service (memory exhaustion) via a crafted PNG file.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-6218"
},
{
"id": "CVE-2009-0040",
"summary": "The PNG reference library (aka libpng) before 1.0.43, and 1.2.x before 1.2.35, as used in pngcrush and other applications, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0040"
},
{
"id": "CVE-2009-2042",
"summary": "libpng before 1.2.37 does not properly parse 1-bit interlaced images with width values that are not divisible by 8, which causes libpng to include uninitialized bits in certain rows of a PNG file and might allow remote attackers to read portions of sensitive memory via \"out-of-bounds pixels\" in the file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2042"
},
{
"id": "CVE-2009-5063",
"summary": "Memory leak in the embedded_profile_len function in pngwutil.c in libpng before 1.2.39beta5 allows context-dependent attackers to cause a denial of service (memory leak or segmentation fault) via a JPEG image containing an iCCP chunk with a negative embedded profile length. NOTE: this is due to an incomplete fix for CVE-2006-7244.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5063"
},
{
"id": "CVE-2010-0205",
"summary": "The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a \"decompression bomb\" attack.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0205"
},
{
"id": "CVE-2010-1205",
"summary": "Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote attackers to execute arbitrary code via a PNG image that triggers an additional data row.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1205"
},
{
"id": "CVE-2010-2249",
"summary": "Memory leak in pngrutil.c in libpng before 1.2.44, and 1.4.x before 1.4.3, allows remote attackers to cause a denial of service (memory consumption and application crash) via a PNG image containing malformed Physical Scale (aka sCAL) chunks.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2249"
},
{
"id": "CVE-2011-0408",
"summary": "pngrtran.c in libpng 1.5.x before 1.5.1 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted palette-based PNG image that triggers a buffer overflow, related to the png_do_expand_palette function, the png_do_rgb_to_gray function, and an integer underflow. NOTE: some of these details are obtained from third party information.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0408"
},
{
"id": "CVE-2011-2501",
"summary": "The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression. NOTE: this is called an off-by-one error by some sources.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2501"
},
{
"id": "CVE-2011-2690",
"summary": "Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2690"
},
{
"id": "CVE-2011-2691",
"summary": "The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2691"
},
{
"id": "CVE-2011-2692",
"summary": "The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2692"
},
{
"id": "CVE-2011-3045",
"summary": "Integer signedness error in the png_inflate function in pngrutil.c in libpng before 1.4.10beta01, as used in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different vulnerability than CVE-2011-3026.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3045"
},
{
"id": "CVE-2011-3048",
"summary": "The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted text chunk in a PNG image file, which triggers a memory allocation failure that is not properly handled, leading to a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3048"
},
{
"id": "CVE-2011-3328",
"summary": "The png_handle_cHRM function in pngrutil.c in libpng 1.5.4, when color-correction support is enabled, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a malformed PNG image containing a cHRM chunk associated with a certain zero value.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3328"
},
{
"id": "CVE-2011-3464",
"summary": "Off-by-one error in the png_formatted_warning function in pngerror.c in libpng 1.5.4 through 1.5.7 might allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unspecified vectors, which trigger a stack-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3464"
},
{
"id": "CVE-2012-3425",
"summary": "The png_push_read_zTXt function in pngpread.c in libpng 1.0.x before 1.0.58, 1.2.x before 1.2.48, 1.4.x before 1.4.10, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (out-of-bounds read) via a large avail_in field value in a PNG image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3425"
},
{
"id": "CVE-2013-6954",
"summary": "The png_do_expand_palette function in libpng before 1.6.8 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via (1) a PLTE chunk of zero bytes or (2) a NULL palette, related to pngrtran.c and pngset.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6954"
},
{
"id": "CVE-2013-7353",
"summary": "Integer overflow in the png_set_unknown_chunks function in libpng/pngset.c in libpng before 1.5.14beta08 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a crafted image, which triggers a heap-based buffer overflow.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7353"
},
{
"id": "CVE-2013-7354",
"summary": "Multiple integer overflows in libpng before 1.5.14rc03 allow remote attackers to cause a denial of service (crash) via a crafted image to the (1) png_set_sPLT or (2) png_set_text_2 function, which triggers a heap-based buffer overflow.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7354"
},
{
"id": "CVE-2014-0333",
"summary": "The png_push_read_chunk function in pngpread.c in the progressive decoder in libpng 1.6.x through 1.6.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an IDAT chunk with a length of zero.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0333"
},
{
"id": "CVE-2014-9495",
"summary": "Heap-based buffer overflow in the png_combine_row function in libpng before 1.5.21 and 1.6.x before 1.6.16, when running on 64-bit systems, might allow context-dependent attackers to execute arbitrary code via a \"very wide interlaced\" PNG image.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9495"
},
{
"id": "CVE-2015-0973",
"summary": "Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0973"
},
{
"id": "CVE-2015-7981",
"summary": "The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1.0.64, 1.2.x before 1.2.54, and 1.4.x before 1.4.17 allows remote attackers to obtain sensitive process memory information via crafted tIME chunk data in an image file, which triggers an out-of-bounds read.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7981"
},
{
"id": "CVE-2015-8126",
"summary": "Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8126"
},
{
"id": "CVE-2015-8472",
"summary": "Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, 1.1.x and 1.2.x before 1.2.55, 1.3.x, 1.4.x before 1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8126.",
"scorev2": "7.5",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8472"
},
{
"id": "CVE-2015-8540",
"summary": "Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8540"
},
{
"id": "CVE-2016-10087",
"summary": "The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10087"
},
{
"id": "CVE-2016-3751",
"summary": "Unspecified vulnerability in libpng before 1.6.20, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01, allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 23265085.",
"scorev2": "7.5",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3751"
},
{
"id": "CVE-2017-12652",
"summary": "libpng before 1.6.32 does not properly check the length of chunks against the user limit.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12652"
},
{
"id": "CVE-2018-13785",
"summary": "In libpng 1.6.34, a wrong calculation of row_factor in the png_check_chunk_length function (pngrutil.c) may trigger an integer overflow and resultant divide-by-zero while processing a crafted PNG file, leading to a denial of service.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13785"
},
{
"id": "CVE-2018-14048",
"summary": "An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data in png.c, related to the recommended error handling for png_read_image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14048"
},
{
"id": "CVE-2018-14550",
"summary": "An issue has been found in third-party PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14550"
},
{
"id": "CVE-2019-6129",
"summary": "png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. NOTE: a third party has stated \"I don't think it is libpng's job to free this buffer.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6129"
},
{
"id": "CVE-2019-7317",
"summary": "png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.",
"scorev2": "2.6",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7317"
},
{
"id": "CVE-2021-4214",
"summary": "A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4214"
},
{
"id": "CVE-2022-3857",
"summary": "A flaw was found in libpng 1.6.38. A crafted PNG image can lead to a segmentation fault and denial of service in png_setup_paeth_row() function.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3857"
}
]
},
{
"name": "libpng-native",
"layer": "meta",
"version": "1.6.42",
"products": [
{
"product": "libpng",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2002-0660",
"summary": "Buffer overflow in libpng 1.0.12-3.woody.2 and libpng3 1.2.1-1.1.woody.2 on Debian GNU/Linux 3.0, and other operating systems, may allow attackers to cause a denial of service and possibly execute arbitrary code, a different vulnerability than CVE-2002-0728.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0660"
},
{
"id": "CVE-2002-0728",
"summary": "Buffer overflow in the progressive reader for libpng 1.2.x before 1.2.4, and 1.0.x before 1.0.14, allows attackers to cause a denial of service (crash) via a PNG data stream that has more IDAT data than indicated by the IHDR chunk.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0728"
},
{
"id": "CVE-2002-1363",
"summary": "Portable Network Graphics (PNG) library libpng 1.2.5 and earlier does not correctly calculate offsets, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a buffer overflow attack on the row buffers.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1363"
},
{
"id": "CVE-2004-0421",
"summary": "The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0421"
},
{
"id": "CVE-2004-0597",
"summary": "Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0597"
},
{
"id": "CVE-2004-0598",
"summary": "The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0598"
},
{
"id": "CVE-2004-0599",
"summary": "Multiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0599"
},
{
"id": "CVE-2006-0481",
"summary": "Heap-based buffer overflow in the alpha strip capability in libpng 1.2.7 allows context-dependent attackers to cause a denial of service (crash) when the png_do_strip_filler function is used to strip alpha channels out of the image.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0481"
},
{
"id": "CVE-2006-3334",
"summary": "Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to \"chunk error processing,\" possibly involving the \"chunk_name\".",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3334"
},
{
"id": "CVE-2006-5793",
"summary": "The sPLT chunk handling code (png_set_sPLT function in pngset.c) in libpng 1.0.6 through 1.2.12 uses a sizeof operator on the wrong data type, which allows context-dependent attackers to cause a denial of service (crash) via malformed sPLT chunks that trigger an out-of-bounds read.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5793"
},
{
"id": "CVE-2006-7244",
"summary": "Memory leak in pngwutil.c in libpng 1.2.13beta1, and other versions before 1.2.15beta3, allows context-dependent attackers to cause a denial of service (memory leak or segmentation fault) via a JPEG image containing an iCCP chunk with a negative embedded profile length.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7244"
},
{
"id": "CVE-2007-2445",
"summary": "The png_handle_tRNS function in pngrutil.c in libpng before 1.0.25 and 1.2.x before 1.2.17 allows remote attackers to cause a denial of service (application crash) via a grayscale PNG image with a bad tRNS chunk CRC value.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2445"
},
{
"id": "CVE-2007-5266",
"summary": "Off-by-one error in ICC profile chunk handling in the png_set_iCCP function in pngset.c in libpng before 1.0.29 beta1 and 1.2.x before 1.2.21 beta1 allows remote attackers to cause a denial of service (crash) via a crafted PNG image that prevents a name field from being NULL terminated.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5266"
},
{
"id": "CVE-2007-5267",
"summary": "Off-by-one error in ICC profile chunk handling in the png_set_iCCP function in pngset.c in libpng before 1.2.22 beta1 allows remote attackers to cause a denial of service (crash) via a crafted PNG image, due to an incorrect fix for CVE-2007-5266.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5267"
},
{
"id": "CVE-2007-5268",
"summary": "pngrtran.c in libpng before 1.0.29 and 1.2.x before 1.2.21 use (1) logical instead of bitwise operations and (2) incorrect comparisons, which might allow remote attackers to cause a denial of service (crash) via a crafted PNG image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5268"
},
{
"id": "CVE-2007-5269",
"summary": "Certain chunk handlers in libpng before 1.0.29 and 1.2.x before 1.2.21 allow remote attackers to cause a denial of service (crash) via crafted (1) pCAL (png_handle_pCAL), (2) sCAL (png_handle_sCAL), (3) tEXt (png_push_read_tEXt), (4) iTXt (png_handle_iTXt), and (5) ztXT (png_handle_ztXt) chunking in PNG images, which trigger out-of-bounds read operations.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5269"
},
{
"id": "CVE-2008-1382",
"summary": "libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 through 1.4.0beta19 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length \"unknown\" chunks, which trigger an access of uninitialized memory.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1382"
},
{
"id": "CVE-2008-3964",
"summary": "Multiple off-by-one errors in libpng before 1.2.32beta01, and 1.4 before 1.4.0beta34, allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a PNG image with crafted zTXt chunks, related to (1) the png_push_read_zTXt function in pngread.c, and possibly related to (2) pngtest.c.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3964"
},
{
"id": "CVE-2008-5907",
"summary": "The png_check_keyword function in pngwutil.c in libpng before 1.0.42, and 1.2.x before 1.2.34, might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords, related to an implicit cast of the '\\0' character constant to a NULL pointer. NOTE: some sources incorrectly report this as a double free vulnerability.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5907"
},
{
"id": "CVE-2008-6218",
"summary": "Memory leak in the png_handle_tEXt function in pngrutil.c in libpng before 1.2.33 rc02 and 1.4.0 beta36 allows context-dependent attackers to cause a denial of service (memory exhaustion) via a crafted PNG file.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-6218"
},
{
"id": "CVE-2009-0040",
"summary": "The PNG reference library (aka libpng) before 1.0.43, and 1.2.x before 1.2.35, as used in pngcrush and other applications, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0040"
},
{
"id": "CVE-2009-2042",
"summary": "libpng before 1.2.37 does not properly parse 1-bit interlaced images with width values that are not divisible by 8, which causes libpng to include uninitialized bits in certain rows of a PNG file and might allow remote attackers to read portions of sensitive memory via \"out-of-bounds pixels\" in the file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2042"
},
{
"id": "CVE-2009-5063",
"summary": "Memory leak in the embedded_profile_len function in pngwutil.c in libpng before 1.2.39beta5 allows context-dependent attackers to cause a denial of service (memory leak or segmentation fault) via a JPEG image containing an iCCP chunk with a negative embedded profile length. NOTE: this is due to an incomplete fix for CVE-2006-7244.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5063"
},
{
"id": "CVE-2010-0205",
"summary": "The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a \"decompression bomb\" attack.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0205"
},
{
"id": "CVE-2010-1205",
"summary": "Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote attackers to execute arbitrary code via a PNG image that triggers an additional data row.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1205"
},
{
"id": "CVE-2010-2249",
"summary": "Memory leak in pngrutil.c in libpng before 1.2.44, and 1.4.x before 1.4.3, allows remote attackers to cause a denial of service (memory consumption and application crash) via a PNG image containing malformed Physical Scale (aka sCAL) chunks.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2249"
},
{
"id": "CVE-2011-0408",
"summary": "pngrtran.c in libpng 1.5.x before 1.5.1 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted palette-based PNG image that triggers a buffer overflow, related to the png_do_expand_palette function, the png_do_rgb_to_gray function, and an integer underflow. NOTE: some of these details are obtained from third party information.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0408"
},
{
"id": "CVE-2011-2501",
"summary": "The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression. NOTE: this is called an off-by-one error by some sources.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2501"
},
{
"id": "CVE-2011-2690",
"summary": "Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2690"
},
{
"id": "CVE-2011-2691",
"summary": "The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2691"
},
{
"id": "CVE-2011-2692",
"summary": "The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2692"
},
{
"id": "CVE-2011-3045",
"summary": "Integer signedness error in the png_inflate function in pngrutil.c in libpng before 1.4.10beta01, as used in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different vulnerability than CVE-2011-3026.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3045"
},
{
"id": "CVE-2011-3048",
"summary": "The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted text chunk in a PNG image file, which triggers a memory allocation failure that is not properly handled, leading to a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3048"
},
{
"id": "CVE-2011-3328",
"summary": "The png_handle_cHRM function in pngrutil.c in libpng 1.5.4, when color-correction support is enabled, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a malformed PNG image containing a cHRM chunk associated with a certain zero value.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3328"
},
{
"id": "CVE-2011-3464",
"summary": "Off-by-one error in the png_formatted_warning function in pngerror.c in libpng 1.5.4 through 1.5.7 might allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unspecified vectors, which trigger a stack-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3464"
},
{
"id": "CVE-2012-3425",
"summary": "The png_push_read_zTXt function in pngpread.c in libpng 1.0.x before 1.0.58, 1.2.x before 1.2.48, 1.4.x before 1.4.10, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (out-of-bounds read) via a large avail_in field value in a PNG image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3425"
},
{
"id": "CVE-2013-6954",
"summary": "The png_do_expand_palette function in libpng before 1.6.8 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via (1) a PLTE chunk of zero bytes or (2) a NULL palette, related to pngrtran.c and pngset.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6954"
},
{
"id": "CVE-2013-7353",
"summary": "Integer overflow in the png_set_unknown_chunks function in libpng/pngset.c in libpng before 1.5.14beta08 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a crafted image, which triggers a heap-based buffer overflow.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7353"
},
{
"id": "CVE-2013-7354",
"summary": "Multiple integer overflows in libpng before 1.5.14rc03 allow remote attackers to cause a denial of service (crash) via a crafted image to the (1) png_set_sPLT or (2) png_set_text_2 function, which triggers a heap-based buffer overflow.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7354"
},
{
"id": "CVE-2014-0333",
"summary": "The png_push_read_chunk function in pngpread.c in the progressive decoder in libpng 1.6.x through 1.6.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an IDAT chunk with a length of zero.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0333"
},
{
"id": "CVE-2014-9495",
"summary": "Heap-based buffer overflow in the png_combine_row function in libpng before 1.5.21 and 1.6.x before 1.6.16, when running on 64-bit systems, might allow context-dependent attackers to execute arbitrary code via a \"very wide interlaced\" PNG image.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9495"
},
{
"id": "CVE-2015-0973",
"summary": "Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0973"
},
{
"id": "CVE-2015-7981",
"summary": "The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1.0.64, 1.2.x before 1.2.54, and 1.4.x before 1.4.17 allows remote attackers to obtain sensitive process memory information via crafted tIME chunk data in an image file, which triggers an out-of-bounds read.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7981"
},
{
"id": "CVE-2015-8126",
"summary": "Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8126"
},
{
"id": "CVE-2015-8472",
"summary": "Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, 1.1.x and 1.2.x before 1.2.55, 1.3.x, 1.4.x before 1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8126.",
"scorev2": "7.5",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8472"
},
{
"id": "CVE-2015-8540",
"summary": "Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8540"
},
{
"id": "CVE-2016-10087",
"summary": "The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10087"
},
{
"id": "CVE-2016-3751",
"summary": "Unspecified vulnerability in libpng before 1.6.20, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01, allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 23265085.",
"scorev2": "7.5",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3751"
},
{
"id": "CVE-2017-12652",
"summary": "libpng before 1.6.32 does not properly check the length of chunks against the user limit.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12652"
},
{
"id": "CVE-2018-13785",
"summary": "In libpng 1.6.34, a wrong calculation of row_factor in the png_check_chunk_length function (pngrutil.c) may trigger an integer overflow and resultant divide-by-zero while processing a crafted PNG file, leading to a denial of service.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13785"
},
{
"id": "CVE-2018-14048",
"summary": "An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data in png.c, related to the recommended error handling for png_read_image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14048"
},
{
"id": "CVE-2018-14550",
"summary": "An issue has been found in third-party PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14550"
},
{
"id": "CVE-2019-6129",
"summary": "png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. NOTE: a third party has stated \"I don't think it is libpng's job to free this buffer.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6129"
},
{
"id": "CVE-2019-7317",
"summary": "png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.",
"scorev2": "2.6",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7317"
},
{
"id": "CVE-2021-4214",
"summary": "A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4214"
},
{
"id": "CVE-2022-3857",
"summary": "A flaw was found in libpng 1.6.38. A crafted PNG image can lead to a segmentation fault and denial of service in png_setup_paeth_row() function.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3857"
}
]
},
{
"name": "libpsl",
"layer": "meta",
"version": "0.21.5",
"products": [
{
"product": "libpsl",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libpthread-stubs",
"layer": "meta",
"version": "0.5",
"products": [
{
"product": "libpthread-stubs",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libpthread-stubs-native",
"layer": "meta",
"version": "0.5",
"products": [
{
"product": "libpthread-stubs",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libqmi",
"layer": "meta-oe",
"version": "1.34.0",
"products": [
{
"product": "libqmi",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libqtappfw",
"layer": "meta-agl-demo",
"version": "2.0.1+git",
"products": [
{
"product": "libqtappfw",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "librepo",
"layer": "meta",
"version": "1.17.0",
"products": [
{
"product": "librepo",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2020-14352",
"summary": "A flaw was found in librepo in versions before 1.12.1. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories.",
"scorev2": "8.5",
"scorev3": "8.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14352"
}
]
},
{
"name": "librepo-native",
"layer": "meta",
"version": "1.17.0",
"products": [
{
"product": "librepo",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2020-14352",
"summary": "A flaw was found in librepo in versions before 1.12.1. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories.",
"scorev2": "8.5",
"scorev3": "8.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14352"
}
]
},
{
"name": "librsvg",
"layer": "meta",
"version": "2.57.1",
"products": [
{
"product": "librsvg",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2011-3146",
"summary": "librsvg before 2.34.1 uses the node name to identify the type of node, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference) and possibly execute arbitrary code via a SVG file with a node with the element name starting with \"fe,\" which is misidentified as a RsvgFilterPrimitive.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3146"
},
{
"id": "CVE-2013-1881",
"summary": "GNOME libsvg before 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1881"
},
{
"id": "CVE-2015-7557",
"summary": "The _rsvg_node_poly_build_path function in rsvg-shapes.c in librsvg before 2.40.7 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via an odd number of elements in a coordinate pair in an SVG document.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7557"
},
{
"id": "CVE-2015-7558",
"summary": "librsvg before 2.40.12 allows context-dependent attackers to cause a denial of service (infinite loop, stack consumption, and application crash) via cyclic references in an SVG document.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7558"
},
{
"id": "CVE-2016-4348",
"summary": "The _rsvg_css_normalize_font_size function in librsvg 2.40.2 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via circular definitions in an SVG document.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4348"
},
{
"id": "CVE-2016-6163",
"summary": "The rsvg_pattern_fix_fallback function in rsvg-paint_server.c in librsvg2 2.40.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted svg file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6163"
},
{
"id": "CVE-2017-11464",
"summary": "A SIGFPE is raised in the function box_blur_line of rsvg-filter.c in GNOME librsvg 2.40.17 during an attempted parse of a crafted SVG file, because of incorrect protection against division by zero.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11464"
},
{
"id": "CVE-2018-1000041",
"summary": "GNOME librsvg version before commit c6ddf2ed4d768fd88adbea2b63f575cd523022ea contains a Improper input validation vulnerability in rsvg-io.c that can result in the victim's Windows username and NTLM password hash being leaked to remote attackers through SMB. This attack appear to be exploitable via The victim must process a specially crafted SVG file containing an UNC path on Windows.",
"scorev2": "4.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000041",
"detail": "not-applicable-platform",
"description": "Issue only applies on Windows"
},
{
"id": "CVE-2019-20446",
"summary": "In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20446"
},
{
"id": "CVE-2023-38633",
"summary": "A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=\".?../../../../../../../../../../etc/passwd\" in an xi:include element.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38633"
}
]
},
{
"name": "librsvg-native",
"layer": "meta",
"version": "2.57.1",
"products": [
{
"product": "librsvg",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2011-3146",
"summary": "librsvg before 2.34.1 uses the node name to identify the type of node, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference) and possibly execute arbitrary code via a SVG file with a node with the element name starting with \"fe,\" which is misidentified as a RsvgFilterPrimitive.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3146"
},
{
"id": "CVE-2013-1881",
"summary": "GNOME libsvg before 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1881"
},
{
"id": "CVE-2015-7557",
"summary": "The _rsvg_node_poly_build_path function in rsvg-shapes.c in librsvg before 2.40.7 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via an odd number of elements in a coordinate pair in an SVG document.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7557"
},
{
"id": "CVE-2015-7558",
"summary": "librsvg before 2.40.12 allows context-dependent attackers to cause a denial of service (infinite loop, stack consumption, and application crash) via cyclic references in an SVG document.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7558"
},
{
"id": "CVE-2016-4348",
"summary": "The _rsvg_css_normalize_font_size function in librsvg 2.40.2 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via circular definitions in an SVG document.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4348"
},
{
"id": "CVE-2016-6163",
"summary": "The rsvg_pattern_fix_fallback function in rsvg-paint_server.c in librsvg2 2.40.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted svg file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6163"
},
{
"id": "CVE-2017-11464",
"summary": "A SIGFPE is raised in the function box_blur_line of rsvg-filter.c in GNOME librsvg 2.40.17 during an attempted parse of a crafted SVG file, because of incorrect protection against division by zero.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11464"
},
{
"id": "CVE-2018-1000041",
"summary": "GNOME librsvg version before commit c6ddf2ed4d768fd88adbea2b63f575cd523022ea contains a Improper input validation vulnerability in rsvg-io.c that can result in the victim's Windows username and NTLM password hash being leaked to remote attackers through SMB. This attack appear to be exploitable via The victim must process a specially crafted SVG file containing an UNC path on Windows.",
"scorev2": "4.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000041",
"detail": "not-applicable-platform",
"description": "Issue only applies on Windows"
},
{
"id": "CVE-2019-20446",
"summary": "In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20446"
},
{
"id": "CVE-2023-38633",
"summary": "A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=\".?../../../../../../../../../../etc/passwd\" in an xi:include element.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38633"
}
]
},
{
"name": "libsamplerate0",
"layer": "meta",
"version": "0.2.2",
"products": [
{
"product": "libsamplerate",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2017-7697",
"summary": "In libsamplerate before 0.1.9, a buffer over-read occurs in the calc_output_single function in src_sinc.c via a crafted audio file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7697"
}
]
},
{
"name": "libseccomp",
"layer": "meta",
"version": "2.5.5",
"products": [
{
"product": "libseccomp",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2019-9893",
"summary": "libseccomp before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE), which might able to lead to bypassing seccomp filters and potential privilege escalations.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9893"
}
]
},
{
"name": "libselinux",
"layer": "meta-selinux",
"version": "3.6",
"products": [
{
"product": "selinux",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2020-10751",
"summary": "A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.",
"scorev2": "3.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10751"
}
]
},
{
"name": "libselinux-native",
"layer": "meta-selinux",
"version": "3.6",
"products": [
{
"product": "selinux",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2020-10751",
"summary": "A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.",
"scorev2": "3.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10751"
}
]
},
{
"name": "libselinux-python",
"layer": "meta-selinux",
"version": "3.6",
"products": [
{
"product": "selinux",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2020-10751",
"summary": "A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.",
"scorev2": "3.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10751"
}
]
},
{
"name": "libsemanage",
"layer": "meta-selinux",
"version": "3.6",
"products": [
{
"product": "selinux",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2020-10751",
"summary": "A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.",
"scorev2": "3.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10751"
}
]
},
{
"name": "libsemanage-native",
"layer": "meta-selinux",
"version": "3.6",
"products": [
{
"product": "selinux",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2020-10751",
"summary": "A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.",
"scorev2": "3.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10751"
}
]
},
{
"name": "libsepol",
"layer": "meta-selinux",
"version": "3.6",
"products": [
{
"product": "selinux",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2020-10751",
"summary": "A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.",
"scorev2": "3.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10751"
}
]
},
{
"name": "libsepol-native",
"layer": "meta-selinux",
"version": "3.6",
"products": [
{
"product": "selinux",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2020-10751",
"summary": "A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.",
"scorev2": "3.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10751"
}
]
},
{
"name": "libsndfile1",
"layer": "meta",
"version": "1.2.2",
"products": [
{
"product": "libsndfile",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-4974",
"summary": "Heap-based buffer overflow in the flac_buffer_copy function in libsndfile 1.0.17 and earlier might allow remote attackers to execute arbitrary code via a FLAC file with crafted PCM data containing a block with a size that exceeds the previous block size.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4974"
},
{
"id": "CVE-2009-0186",
"summary": "Integer overflow in libsndfile 1.0.18, as used in Winamp and other products, allows context-dependent attackers to execute arbitrary code via crafted description chunks in a CAF audio file, leading to a heap-based buffer overflow.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0186"
},
{
"id": "CVE-2009-1788",
"summary": "Heap-based buffer overflow in voc_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a VOC file with an invalid header value.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1788"
},
{
"id": "CVE-2009-1791",
"summary": "Heap-based buffer overflow in aiff_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an AIFF file with an invalid header value.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1791"
},
{
"id": "CVE-2009-4835",
"summary": "The (1) htk_read_header, (2) alaw_init, (3) ulaw_init, (4) pcm_init, (5) float32_init, and (6) sds_read_header functions in libsndfile 1.0.20 allow context-dependent attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted audio file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4835"
},
{
"id": "CVE-2011-2696",
"summary": "Integer overflow in libsndfile before 1.0.25 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PARIS Audio Format (PAF) file that triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2696"
},
{
"id": "CVE-2014-9496",
"summary": "The sd2_parse_rsrc_fork function in sd2.c in libsndfile allows attackers to have unspecified impact via vectors related to a (1) map offset or (2) rsrc marker, which triggers an out-of-bounds read.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9496"
},
{
"id": "CVE-2014-9756",
"summary": "The psf_fwrite function in file_io.c in libsndfile allows attackers to cause a denial of service (divide-by-zero error and application crash) via unspecified vectors related to the headindex variable.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9756"
},
{
"id": "CVE-2015-7805",
"summary": "Heap-based buffer overflow in libsndfile 1.0.25 allows remote attackers to have unspecified impact via the headindex value in the header in an AIFF file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7805"
},
{
"id": "CVE-2017-12562",
"summary": "Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in libsndfile through 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12562"
},
{
"id": "CVE-2017-14245",
"summary": "An out of bounds read in the function d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values.",
"scorev2": "5.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14245"
},
{
"id": "CVE-2017-14246",
"summary": "An out of bounds read in the function d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values.",
"scorev2": "5.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14246"
},
{
"id": "CVE-2017-14634",
"summary": "In libsndfile 1.0.28, a divide-by-zero error exists in the function double64_init() in double64.c, which may lead to DoS when playing a crafted audio file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14634"
},
{
"id": "CVE-2017-16942",
"summary": "In libsndfile 1.0.25 (fixed in 1.0.26), a divide-by-zero error exists in the function wav_w64_read_fmt_chunk() in wav_w64.c, which may lead to DoS when playing a crafted audio file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16942"
},
{
"id": "CVE-2017-6892",
"summary": "In libsndfile version 1.0.28, an error in the \"aiff_read_chanmap()\" function (aiff.c) can be exploited to cause an out-of-bounds read memory access via a specially crafted AIFF file.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6892"
},
{
"id": "CVE-2017-7585",
"summary": "In libsndfile before 1.0.28, an error in the \"flac_buffer_copy()\" function (flac.c) can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7585"
},
{
"id": "CVE-2017-7586",
"summary": "In libsndfile before 1.0.28, an error in the \"header_read()\" function (common.c) when handling ID3 tags can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7586"
},
{
"id": "CVE-2017-7741",
"summary": "In libsndfile before 1.0.28, an error in the \"flac_buffer_copy()\" function (flac.c) can be exploited to cause a segmentation violation (with write memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7741"
},
{
"id": "CVE-2017-7742",
"summary": "In libsndfile before 1.0.28, an error in the \"flac_buffer_copy()\" function (flac.c) can be exploited to cause a segmentation violation (with read memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7742"
},
{
"id": "CVE-2017-8361",
"summary": "The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8361"
},
{
"id": "CVE-2017-8362",
"summary": "The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8362"
},
{
"id": "CVE-2017-8363",
"summary": "The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8363"
},
{
"id": "CVE-2017-8365",
"summary": "The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8365"
},
{
"id": "CVE-2018-13139",
"summary": "A stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file. The vulnerability can be triggered by the executable sndfile-deinterleave.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13139"
},
{
"id": "CVE-2018-13419",
"summary": "An issue has been found in libsndfile 1.0.28. There is a memory leak in psf_allocate in common.c, as demonstrated by sndfile-convert. NOTE: The maintainer and third parties were unable to reproduce and closed the issue",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13419"
},
{
"id": "CVE-2018-19432",
"summary": "An issue was discovered in libsndfile 1.0.28. There is a NULL pointer dereference in the function sf_write_int in sndfile.c, which will lead to a denial of service.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19432"
},
{
"id": "CVE-2018-19661",
"summary": "An issue was discovered in libsndfile 1.0.28. There is a buffer over-read in the function i2ulaw_array in ulaw.c that will lead to a denial of service.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19661"
},
{
"id": "CVE-2018-19662",
"summary": "An issue was discovered in libsndfile 1.0.28. There is a buffer over-read in the function i2alaw_array in alaw.c that will lead to a denial of service.",
"scorev2": "5.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19662"
},
{
"id": "CVE-2018-19758",
"summary": "There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19758"
},
{
"id": "CVE-2019-3832",
"summary": "It was discovered the fix for CVE-2018-19758 (libsndfile) was not complete and still allows a read beyond the limits of a buffer in wav_write_header() function in wav.c. A local attacker may use this flaw to make the application crash.",
"scorev2": "1.9",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3832"
},
{
"id": "CVE-2021-3246",
"summary": "A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted WAV file.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3246"
},
{
"id": "CVE-2021-4156",
"summary": "An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality. An attacker who is able to submit a specially crafted file (via tricking a user to open or otherwise) to an application linked with libsndfile and using the FLAC codec, could trigger an out-of-bounds read that would most likely cause a crash but could potentially leak memory information that could be used in further exploitation of other flaws.",
"scorev2": "5.8",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4156"
},
{
"id": "CVE-2022-33064",
"summary": "An off-by-one error in function wav_read_header in src/wav.c in Libsndfile 1.1.0, results in a write out of bound, which allows an attacker to execute arbitrary code, Denial of Service or other unspecified impacts.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33064"
},
{
"id": "CVE-2022-33065",
"summary": "Multiple signed integers overflow in function au_read_header in src/au.c and in functions mat4_open and mat4_read_header in src/mat4.c in Libsndfile, allows an attacker to cause Denial of Service or other unspecified impacts.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33065"
}
]
},
{
"name": "libsocketcan",
"layer": "meta-oe",
"version": "0.0.12",
"products": [
{
"product": "libsocketcan",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libsolv",
"layer": "meta",
"version": "0.7.28",
"products": [
{
"product": "libsolv",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2018-20532",
"summary": "There is a NULL pointer dereference at ext/testcase.c (function testcase_read) in libsolvext.a in libsolv through 0.7.2 that will cause a denial of service.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20532"
},
{
"id": "CVE-2018-20533",
"summary": "There is a NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a in libsolv through 0.7.2 that will cause a denial of service.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20533"
},
{
"id": "CVE-2018-20534",
"summary": "There is an illegal address access at ext/testcase.c in libsolv.a in libsolv through 0.7.2 that will cause a denial of service. NOTE: third parties dispute this issue stating that the issue affects the test suite and not the underlying library. It cannot be exploited in any real-world application",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20534"
},
{
"id": "CVE-2019-20387",
"summary": "repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-based buffer over-read via a last schema whose length is less than the length of the input schema.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20387"
},
{
"id": "CVE-2021-3200",
"summary": "Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service",
"scorev2": "4.3",
"scorev3": "3.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3200"
},
{
"id": "CVE-2021-33928",
"summary": "Buffer overflow vulnerability in function pool_installable in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33928"
},
{
"id": "CVE-2021-33929",
"summary": "Buffer overflow vulnerability in function pool_disabled_solvable in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33929"
},
{
"id": "CVE-2021-33930",
"summary": "Buffer overflow vulnerability in function pool_installable_whatprovides in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33930"
},
{
"id": "CVE-2021-33938",
"summary": "Buffer overflow vulnerability in function prune_to_recommended in src/policy.c in libsolv before 0.7.17 allows attackers to cause a Denial of Service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33938"
},
{
"id": "CVE-2021-44568",
"summary": "Two heap-overflow vulnerabilities exist in openSUSE/libsolv libsolv through 13 Dec 2020 in the decisionmap variable via the resolve_dependencies function at src/solver.c (line 1940 & line 1995), which could cause a remote Denial of Service.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-44568"
}
]
},
{
"name": "libsolv-native",
"layer": "meta",
"version": "0.7.28",
"products": [
{
"product": "libsolv",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2018-20532",
"summary": "There is a NULL pointer dereference at ext/testcase.c (function testcase_read) in libsolvext.a in libsolv through 0.7.2 that will cause a denial of service.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20532"
},
{
"id": "CVE-2018-20533",
"summary": "There is a NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a in libsolv through 0.7.2 that will cause a denial of service.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20533"
},
{
"id": "CVE-2018-20534",
"summary": "There is an illegal address access at ext/testcase.c in libsolv.a in libsolv through 0.7.2 that will cause a denial of service. NOTE: third parties dispute this issue stating that the issue affects the test suite and not the underlying library. It cannot be exploited in any real-world application",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20534"
},
{
"id": "CVE-2019-20387",
"summary": "repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-based buffer over-read via a last schema whose length is less than the length of the input schema.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20387"
},
{
"id": "CVE-2021-3200",
"summary": "Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service",
"scorev2": "4.3",
"scorev3": "3.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3200"
},
{
"id": "CVE-2021-33928",
"summary": "Buffer overflow vulnerability in function pool_installable in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33928"
},
{
"id": "CVE-2021-33929",
"summary": "Buffer overflow vulnerability in function pool_disabled_solvable in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33929"
},
{
"id": "CVE-2021-33930",
"summary": "Buffer overflow vulnerability in function pool_installable_whatprovides in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33930"
},
{
"id": "CVE-2021-33938",
"summary": "Buffer overflow vulnerability in function prune_to_recommended in src/policy.c in libsolv before 0.7.17 allows attackers to cause a Denial of Service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33938"
},
{
"id": "CVE-2021-44568",
"summary": "Two heap-overflow vulnerabilities exist in openSUSE/libsolv libsolv through 13 Dec 2020 in the decisionmap variable via the resolve_dependencies function at src/solver.c (line 1940 & line 1995), which could cause a remote Denial of Service.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-44568"
}
]
},
{
"name": "libsoup",
"layer": "meta",
"version": "3.4.4",
"products": [
{
"product": "libsoup",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2006-5876",
"summary": "The soup_headers_parse function in soup-headers.c for libsoup HTTP library before 2.2.99 allows remote attackers to cause a denial of service (crash) via malformed HTTP headers, probably involving missing fields or values.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5876"
},
{
"id": "CVE-2009-0585",
"summary": "Integer overflow in the soup_base64_encode function in soup-misc.c in libsoup 2.x.x before 2.2.x, and 2.x before 2.24, allows context-dependent attackers to execute arbitrary code via a long string that is converted to a base64 representation.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0585"
},
{
"id": "CVE-2011-2524",
"summary": "Directory traversal vulnerability in soup-uri.c in SoupServer in libsoup before 2.35.4 allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in a URI.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2524"
},
{
"id": "CVE-2012-2132",
"summary": "libsoup 2.32.2 and earlier does not validate certificates or clear the trust flag when the ssl-ca-file does not exist, which allows remote attackers to bypass authentication by connecting with a SSL connection.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2132"
},
{
"id": "CVE-2017-2885",
"summary": "An exploitable stack based buffer overflow vulnerability exists in the GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2885"
},
{
"id": "CVE-2018-11713",
"summary": "WebCore/platform/network/soup/SocketStreamHandleImplSoup.cpp in the libsoup network backend of WebKit, as used in WebKitGTK+ prior to version 2.20.0 or without libsoup 2.62.0, unexpectedly failed to use system proxy settings for WebSocket connections. As a result, users could be deanonymized by crafted web sites via a WebSocket connection.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11713"
},
{
"id": "CVE-2018-12910",
"summary": "The get_cookies function in soup-cookie-jar.c in libsoup 2.63.2 allows attackers to have unspecified impact via an empty hostname.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12910"
},
{
"id": "CVE-2019-17266",
"summary": "libsoup from versions 2.65.1 until 2.68.1 have a heap-based buffer over-read because soup_ntlm_parse_challenge() in soup-auth-ntlm.c does not properly check an NTLM message's length before proceeding with a memcpy.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17266"
}
]
},
{
"name": "libspiro-native",
"layer": "meta-oe",
"version": "20221101",
"products": [
{
"product": "libspiro",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2019-19847",
"summary": "Libspiro through 20190731 has a stack-based buffer overflow in the spiro_to_bpath0() function in spiro.c.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19847"
}
]
},
{
"name": "libssh",
"layer": "meta-oe",
"version": "0.10.6",
"products": [
{
"product": "libssh",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2012-4559",
"summary": "Multiple double free vulnerabilities in the (1) agent_sign_data function in agent.c, (2) channel_request function in channels.c, (3) ssh_userauth_pubkey function in auth.c, (4) sftp_parse_attr_3 function in sftp.c, and (5) try_publickey_from_file function in keyfiles.c in libssh before 0.5.3 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4559"
},
{
"id": "CVE-2012-4560",
"summary": "Multiple buffer overflows in libssh before 0.5.3 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4560"
},
{
"id": "CVE-2012-4561",
"summary": "The (1) publickey_make_dss, (2) publickey_make_rsa, (3) signature_from_string, (4) ssh_do_sign, and (5) ssh_sign_session_id functions in keys.c in libssh before 0.5.3 free \"an invalid pointer on an error path,\" which might allow remote attackers to cause a denial of service (crash) via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4561"
},
{
"id": "CVE-2012-4562",
"summary": "Multiple integer overflows in libssh before 0.5.3 allow remote attackers to cause a denial of service (infinite loop or crash) and possibly execute arbitrary code via unspecified vectors, which triggers a buffer overflow, infinite loop, or possibly some other unspecified vulnerabilities.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4562"
},
{
"id": "CVE-2012-6063",
"summary": "Double free vulnerability in the sftp_mkdir function in sftp.c in libssh before 0.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors, a different vector than CVE-2012-4559.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6063"
},
{
"id": "CVE-2013-0176",
"summary": "The publickey_from_privatekey function in libssh before 0.5.4, when no algorithm is matched during negotiations, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a \"Client: Diffie-Hellman Key Exchange Init\" packet.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0176"
},
{
"id": "CVE-2014-0017",
"summary": "The RAND_bytes function in libssh before 0.6.3, when forking is enabled, does not properly reset the state of the OpenSSL pseudo-random number generator (PRNG), which causes the state to be shared between children processes and allows local users to obtain sensitive information by leveraging a pid collision.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0017"
},
{
"id": "CVE-2014-8132",
"summary": "Double free vulnerability in the ssh_packet_kexinit function in kex.c in libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a denial of service via a crafted kexinit packet.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8132"
},
{
"id": "CVE-2015-3146",
"summary": "The (1) SSH_MSG_NEWKEYS and (2) SSH_MSG_KEXDH_REPLY packet handlers in package_cb.c in libssh before 0.6.5 do not properly validate state, which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted SSH packet.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3146"
},
{
"id": "CVE-2016-0739",
"summary": "libssh before 0.7.3 improperly truncates ephemeral secrets generated for the (1) diffie-hellman-group1 and (2) diffie-hellman-group14 key exchange methods to 128 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a \"bits/bytes confusion bug.\"",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0739"
},
{
"id": "CVE-2018-10933",
"summary": "A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10933"
},
{
"id": "CVE-2019-14889",
"summary": "A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.",
"scorev2": "9.3",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14889"
},
{
"id": "CVE-2020-16135",
"summary": "libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16135"
},
{
"id": "CVE-2020-1730",
"summary": "A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1730"
},
{
"id": "CVE-2021-3634",
"summary": "A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new secret_hash. Historically, both of these buffers had shared length variable, which worked as long as these buffers were same. But the key re-exchange operation can also change the key exchange method, which can be based on hash of different size, eventually creating \"secret_hash\" of different size than the session_id has. This becomes an issue when the session_id memory is zeroed or when it is used again during second key re-exchange.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3634"
},
{
"id": "CVE-2023-1667",
"summary": "A NULL pointer dereference was found In libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a denial of service.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1667"
},
{
"id": "CVE-2023-2283",
"summary": "A vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the`pki_verify_data_signature` function in memory allocation problems. This issue may happen if there is insufficient memory or the memory usage is limited. The problem is caused by the return value `rc,` which is initialized to SSH_ERROR and later rewritten to save the return value of the function call `pki_key_check_hash_compatible.` The value of the variable is not changed between this point and the cryptographic verification. Therefore any error between them calls `goto error` returning SSH_OK.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2283"
},
{
"id": "CVE-2023-3603",
"summary": "A missing allocation check in sftp server processing read requests may cause a NULL dereference on low-memory conditions. The malicious client can request up to 4GB SFTP reads, causing allocation of up to 4GB buffers, which was not being checked for failure. This will likely crash the authenticated user's sftp server connection (if implemented as forking as recommended). For thread-based servers, this might also cause DoS for legitimate users.\r\n\r\nGiven this code is not in any released versions, no security releases have been issued.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3603"
},
{
"id": "CVE-2023-48795",
"summary": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795"
},
{
"id": "CVE-2023-6004",
"summary": "A flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter.",
"scorev2": "0.0",
"scorev3": "4.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6004"
},
{
"id": "CVE-2023-6918",
"summary": "A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6918"
}
]
},
{
"name": "libssh2-native",
"layer": "meta",
"version": "1.11.0",
"products": [
{
"product": "libssh2",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-1782",
"summary": "The kex_agree_methods function in libssh2 before 1.5.0 allows remote servers to cause a denial of service (crash) or have other unspecified impact via crafted length values in an SSH_MSG_KEXINIT packet.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1782"
},
{
"id": "CVE-2016-0787",
"summary": "The diffie_hellman_sha256 function in kex.c in libssh2 before 1.7.0 improperly truncates secrets to 128 or 256 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a \"bits/bytes confusion bug.\"",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0787"
},
{
"id": "CVE-2019-13115",
"summary": "In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.",
"scorev2": "5.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13115"
},
{
"id": "CVE-2019-17498",
"summary": "In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.",
"scorev2": "5.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17498"
},
{
"id": "CVE-2019-3855",
"summary": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
"scorev2": "9.3",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3855"
},
{
"id": "CVE-2019-3856",
"summary": "An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
"scorev2": "6.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3856"
},
{
"id": "CVE-2019-3857",
"summary": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
"scorev2": "6.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3857"
},
{
"id": "CVE-2019-3858",
"summary": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3858"
},
{
"id": "CVE-2019-3859",
"summary": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3859"
},
{
"id": "CVE-2019-3860",
"summary": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3860"
},
{
"id": "CVE-2019-3861",
"summary": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3861"
},
{
"id": "CVE-2019-3862",
"summary": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3862"
},
{
"id": "CVE-2019-3863",
"summary": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3863"
},
{
"id": "CVE-2020-22218",
"summary": "An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out of bounds memory.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-22218"
},
{
"id": "CVE-2023-48795",
"summary": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795"
}
]
},
{
"name": "libstd-rs",
"layer": "meta",
"version": "1.75.0",
"products": [
{
"product": "libstd-rs",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libtasn1",
"layer": "meta",
"version": "4.19.0",
"products": [
{
"product": "libtasn1",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0401",
"summary": "Unknown vulnerability in libtasn1 0.1.x before 0.1.2, and 0.2.x before 0.2.7, related to the DER parsing functions.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0401"
},
{
"id": "CVE-2006-0645",
"summary": "Tiny ASN.1 Library (libtasn1) before 0.2.18, as used by (1) GnuTLS 1.2.x before 1.2.10 and 1.3.x before 1.3.4, and (2) GNU Shishi, allows attackers to crash the DER decoder and possibly execute arbitrary code via \"out-of-bounds access\" caused by invalid input, as demonstrated by the ProtoVer SSL test suite.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0645"
},
{
"id": "CVE-2012-1569",
"summary": "The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1569"
},
{
"id": "CVE-2014-3467",
"summary": "Multiple unspecified vulnerabilities in the DER decoder in GNU Libtasn1 before 3.6, as used in GnuTLS, allow remote attackers to cause a denial of service (out-of-bounds read) via crafted ASN.1 data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3467"
},
{
"id": "CVE-2014-3468",
"summary": "The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3468"
},
{
"id": "CVE-2014-3469",
"summary": "The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1 before 3.6 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via a NULL value in an ivalue argument.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3469"
},
{
"id": "CVE-2015-2806",
"summary": "Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows remote attackers to have unspecified impact via unknown vectors.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2806"
},
{
"id": "CVE-2015-3622",
"summary": "The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.5 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3622"
},
{
"id": "CVE-2016-4008",
"summary": "The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.8, when used without the ASN1_DECODE_FLAG_STRICT_DER flag, allows remote attackers to cause a denial of service (infinite recursion) via a crafted certificate.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4008"
},
{
"id": "CVE-2017-10790",
"summary": "The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10790"
},
{
"id": "CVE-2017-6891",
"summary": "Two errors in the \"asn1_find_node()\" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stacked-based buffer overflow by tricking a user into processing a specially crafted assignments file via the e.g. asn1Coding utility.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6891"
},
{
"id": "CVE-2018-1000654",
"summary": "GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000654"
},
{
"id": "CVE-2018-6003",
"summary": "An issue was discovered in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1 before 4.13. Unlimited recursion in the BER decoder leads to stack exhaustion and DoS.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6003"
},
{
"id": "CVE-2021-46848",
"summary": "GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.",
"scorev2": "0.0",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46848"
}
]
},
{
"name": "libtasn1-native",
"layer": "meta",
"version": "4.19.0",
"products": [
{
"product": "libtasn1",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0401",
"summary": "Unknown vulnerability in libtasn1 0.1.x before 0.1.2, and 0.2.x before 0.2.7, related to the DER parsing functions.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0401"
},
{
"id": "CVE-2006-0645",
"summary": "Tiny ASN.1 Library (libtasn1) before 0.2.18, as used by (1) GnuTLS 1.2.x before 1.2.10 and 1.3.x before 1.3.4, and (2) GNU Shishi, allows attackers to crash the DER decoder and possibly execute arbitrary code via \"out-of-bounds access\" caused by invalid input, as demonstrated by the ProtoVer SSL test suite.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0645"
},
{
"id": "CVE-2012-1569",
"summary": "The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1569"
},
{
"id": "CVE-2014-3467",
"summary": "Multiple unspecified vulnerabilities in the DER decoder in GNU Libtasn1 before 3.6, as used in GnuTLS, allow remote attackers to cause a denial of service (out-of-bounds read) via crafted ASN.1 data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3467"
},
{
"id": "CVE-2014-3468",
"summary": "The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3468"
},
{
"id": "CVE-2014-3469",
"summary": "The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1 before 3.6 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via a NULL value in an ivalue argument.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3469"
},
{
"id": "CVE-2015-2806",
"summary": "Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows remote attackers to have unspecified impact via unknown vectors.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2806"
},
{
"id": "CVE-2015-3622",
"summary": "The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.5 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3622"
},
{
"id": "CVE-2016-4008",
"summary": "The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.8, when used without the ASN1_DECODE_FLAG_STRICT_DER flag, allows remote attackers to cause a denial of service (infinite recursion) via a crafted certificate.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4008"
},
{
"id": "CVE-2017-10790",
"summary": "The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10790"
},
{
"id": "CVE-2017-6891",
"summary": "Two errors in the \"asn1_find_node()\" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stacked-based buffer overflow by tricking a user into processing a specially crafted assignments file via the e.g. asn1Coding utility.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6891"
},
{
"id": "CVE-2018-1000654",
"summary": "GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000654"
},
{
"id": "CVE-2018-6003",
"summary": "An issue was discovered in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1 before 4.13. Unlimited recursion in the BER decoder leads to stack exhaustion and DoS.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6003"
},
{
"id": "CVE-2021-46848",
"summary": "GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.",
"scorev2": "0.0",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46848"
}
]
},
{
"name": "libtheora",
"layer": "meta",
"version": "1.1.1",
"products": [
{
"product": "libtheora",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libtirpc",
"layer": "meta",
"version": "1.3.4",
"products": [
{
"product": "libtirpc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-1950",
"summary": "The svc_dg_getargs function in libtirpc 0.2.3 and earlier allows remote attackers to cause a denial of service (rpcbind crash) via a Sun RPC request with crafted arguments that trigger a free of an invalid pointer.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1950"
},
{
"id": "CVE-2017-8779",
"summary": "rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8779"
},
{
"id": "CVE-2018-14621",
"summary": "An infinite loop vulnerability was found in libtirpc before version 1.0.2-rc2. With the port to using poll rather than select, exhaustion of file descriptors would cause the server to enter an infinite loop, consuming a large amount of CPU time and denying service to other clients until restarted.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14621"
},
{
"id": "CVE-2018-14622",
"summary": "A null-pointer dereference vulnerability was found in libtirpc before version 0.3.3-rc3. The return value of makefd_xprt() was not checked in all instances, which could lead to a crash when the server exhausted the maximum number of available file descriptors. A remote attacker could cause an rpc-based application to crash by flooding it with new connections.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14622"
},
{
"id": "CVE-2021-46828",
"summary": "In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46828",
"detail": "fixed-version",
"description": "fixed in 1.3.3rc1 so not present in 1.3.3"
}
]
},
{
"name": "libtirpc-native",
"layer": "meta",
"version": "1.3.4",
"products": [
{
"product": "libtirpc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-1950",
"summary": "The svc_dg_getargs function in libtirpc 0.2.3 and earlier allows remote attackers to cause a denial of service (rpcbind crash) via a Sun RPC request with crafted arguments that trigger a free of an invalid pointer.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1950"
},
{
"id": "CVE-2017-8779",
"summary": "rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8779"
},
{
"id": "CVE-2018-14621",
"summary": "An infinite loop vulnerability was found in libtirpc before version 1.0.2-rc2. With the port to using poll rather than select, exhaustion of file descriptors would cause the server to enter an infinite loop, consuming a large amount of CPU time and denying service to other clients until restarted.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14621"
},
{
"id": "CVE-2018-14622",
"summary": "A null-pointer dereference vulnerability was found in libtirpc before version 0.3.3-rc3. The return value of makefd_xprt() was not checked in all instances, which could lead to a crash when the server exhausted the maximum number of available file descriptors. A remote attacker could cause an rpc-based application to crash by flooding it with new connections.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14622"
},
{
"id": "CVE-2021-46828",
"summary": "In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46828",
"detail": "fixed-version",
"description": "fixed in 1.3.3rc1 so not present in 1.3.3"
}
]
},
{
"name": "libtool",
"layer": "meta",
"version": "2.4.7",
"products": [
{
"product": "libtool",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0256",
"summary": "GNU libtool before 1.5.2, during compile time, allows local users to overwrite arbitrary files via a symlink attack on libtool directories in /tmp.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0256"
},
{
"id": "CVE-2009-3736",
"summary": "ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries, Q, and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3736"
}
]
},
{
"name": "libtool-cross",
"layer": "meta",
"version": "2.4.7",
"products": [
{
"product": "libtool",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0256",
"summary": "GNU libtool before 1.5.2, during compile time, allows local users to overwrite arbitrary files via a symlink attack on libtool directories in /tmp.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0256"
},
{
"id": "CVE-2009-3736",
"summary": "ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries, Q, and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3736"
}
]
},
{
"name": "libtool-native",
"layer": "meta",
"version": "2.4.7",
"products": [
{
"product": "libtool",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0256",
"summary": "GNU libtool before 1.5.2, during compile time, allows local users to overwrite arbitrary files via a symlink attack on libtool directories in /tmp.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0256"
},
{
"id": "CVE-2009-3736",
"summary": "ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries, Q, and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3736"
}
]
},
{
"name": "libtraceevent",
"layer": "meta",
"version": "1.7.3",
"products": [
{
"product": "libtraceevent",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libtracefs",
"layer": "meta-oe",
"version": "1.7.0",
"products": [
{
"product": "libtracefs",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libunistring",
"layer": "meta",
"version": "1.2",
"products": [
{
"product": "libunistring",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libunistring-native",
"layer": "meta",
"version": "1.2",
"products": [
{
"product": "libunistring",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libunwind",
"layer": "meta",
"version": "1.6.2",
"products": [
{
"product": "libunwind",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-3239",
"summary": "Off-by-one error in the dwarf_to_unw_regnum function in include/dwarf_i.h in libunwind 1.1 allows local users to have unspecified impact via invalid dwarf opcodes.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3239"
}
]
},
{
"name": "liburcu",
"layer": "meta",
"version": "0.14.0",
"products": [
{
"product": "liburcu",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libusb-compat",
"layer": "meta-oe",
"version": "1_0.1.8",
"products": [
{
"product": "libusb-compat",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libusb1",
"layer": "meta",
"version": "1.0.27",
"products": [
{
"product": "libusb",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libvorbis",
"layer": "meta",
"version": "1.3.7",
"products": [
{
"product": "libvorbis",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-3106",
"summary": "lib/info.c in libvorbis 1.1.2, and possibly other versions before 1.2.0, allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via invalid (1) blocksize_0 and (2) blocksize_1 values, which trigger a \"heap overwrite\" in the _01inverse function in res0.c. NOTE: this issue has been RECAST so that CVE-2007-4029 handles additional vectors.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3106"
},
{
"id": "CVE-2007-4029",
"summary": "libvorbis 1.1.2, and possibly other versions before 1.2.0, allows context-dependent attackers to cause a denial of service via (1) an invalid mapping type, which triggers an out-of-bounds read in the vorbis_info_clear function in info.c, and (2) invalid blocksize values that trigger a segmentation fault in the read function in block.c.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4029"
},
{
"id": "CVE-2007-4065",
"summary": "lib/vorbisfile.c in libvorbisfile in Xiph.Org libvorbis before 1.2.0 allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted OGG file, aka trac Changeset 13217.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4065"
},
{
"id": "CVE-2007-4066",
"summary": "Multiple buffer overflows in Xiph.Org libvorbis before 1.2.0 allow context-dependent attackers to cause a denial of service or have other unspecified impact via a crafted OGG file, aka trac Changesets 13162, 13168, 13169, 13170, 13172, 13211, and 13215, as demonstrated by an overflow in oggenc.exe related to the _psy_noiseguards_8 array.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4066"
},
{
"id": "CVE-2008-1419",
"summary": "Xiph.org libvorbis 1.2.0 and earlier does not properly handle a zero value for codebook.dim, which allows remote attackers to cause a denial of service (crash or infinite loop) or trigger an integer overflow.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1419"
},
{
"id": "CVE-2008-1420",
"summary": "Integer overflow in residue partition value (aka partvals) evaluation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to execute arbitrary code via a crafted OGG file, which triggers a heap overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1420"
},
{
"id": "CVE-2008-1423",
"summary": "Integer overflow in a certain quantvals and quantlist calculation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted OGG file with a large virtual space for its codebook, which triggers a heap overflow.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1423"
},
{
"id": "CVE-2008-2009",
"summary": "Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via a crafted OGG file that triggers memory corruption during execution of the _make_decode_tree function.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2009"
},
{
"id": "CVE-2017-11333",
"summary": "The vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (OOM) via a crafted wav file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11333"
},
{
"id": "CVE-2017-14160",
"summary": "The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact via a crafted mp4 file.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14160"
},
{
"id": "CVE-2017-14632",
"summary": "Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing uninitialized memory in the function vorbis_analysis_headerout() in info.c when vi->channels<=0, a similar issue to Mozilla bug 550184.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14632"
},
{
"id": "CVE-2017-14633",
"summary": "In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists in the function mapping0_forward() in mapping0.c, which may lead to DoS when operating on a crafted audio file with vorbis_analysis().",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14633"
},
{
"id": "CVE-2018-10392",
"summary": "mapping0_forward in mapping0.c in Xiph.Org libvorbis 1.3.6 does not validate the number of channels, which allows remote attackers to cause a denial of service (heap-based buffer overflow or over-read) or possibly have unspecified other impact via a crafted file.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10392"
},
{
"id": "CVE-2018-10393",
"summary": "bark_noise_hybridmp in psy.c in Xiph.Org libvorbis 1.3.6 has a stack-based buffer over-read.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10393"
},
{
"id": "CVE-2020-20412",
"summary": "lib/codebook.c in libvorbis before 1.3.6, as used in StepMania 5.0.12 and other products, has insufficient array bounds checking via a crafted OGG file. NOTE: this may overlap CVE-2018-5146.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-20412"
}
]
},
{
"name": "libwebp",
"layer": "meta",
"version": "1.3.2",
"products": [
{
"product": "libwebp",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2016-9085",
"summary": "Multiple integer overflows in libwebp allows attackers to have unspecified impact via unknown vectors.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9085"
},
{
"id": "CVE-2016-9969",
"summary": "In libwebp 0.5.1, there is a double free bug in libwebpmux.",
"scorev2": "5.1",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9969"
},
{
"id": "CVE-2018-25009",
"summary": "A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE16().",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-25009"
},
{
"id": "CVE-2018-25010",
"summary": "A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ApplyFilter().",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-25010"
},
{
"id": "CVE-2018-25011",
"summary": "A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in PutLE16().",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-25011"
},
{
"id": "CVE-2018-25012",
"summary": "A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE24().",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-25012"
},
{
"id": "CVE-2018-25013",
"summary": "A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ShiftBytes().",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-25013"
},
{
"id": "CVE-2018-25014",
"summary": "A use of uninitialized value was found in libwebp in versions before 1.0.1 in ReadSymbol().",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-25014"
},
{
"id": "CVE-2020-36328",
"summary": "A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36328"
},
{
"id": "CVE-2020-36329",
"summary": "A flaw was found in libwebp in versions before 1.0.1. A use-after-free was found due to a thread being killed too early. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36329"
},
{
"id": "CVE-2020-36330",
"summary": "A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkVerifyAndAssign. The highest threat from this vulnerability is to data confidentiality and to the service availability.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36330"
},
{
"id": "CVE-2020-36331",
"summary": "A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkAssignData. The highest threat from this vulnerability is to data confidentiality and to the service availability.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36331"
},
{
"id": "CVE-2020-36332",
"summary": "A flaw was found in libwebp in versions before 1.0.1. When reading a file libwebp allocates an excessive amount of memory. The highest threat from this vulnerability is to the service availability.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36332"
},
{
"id": "CVE-2023-1999",
"summary": "There exists a use after free/double free in libwebp. An attacker can use the\u00a0ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free.\u00a0\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1999"
},
{
"id": "CVE-2023-4863",
"summary": "Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4863"
}
]
},
{
"name": "libx11-compose-data",
"layer": "meta",
"version": "1.8.4",
"products": [
{
"product": "libx11-compose-data",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libx11-native",
"layer": "meta",
"version": "1_1.8.9",
"products": [
{
"product": "libx11",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2006-5397",
"summary": "The Xinput module (modules/im/ximcp/imLcIm.c) in X.Org libX11 1.0.2 and 1.0.3 opens a file for reading twice using the same file descriptor, which causes a file descriptor leak that allows local users to read files specified by the XCOMPOSEFILE environment variable via the duplicate file descriptor.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5397"
},
{
"id": "CVE-2007-1667",
"summary": "Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1667"
},
{
"id": "CVE-2013-1981",
"summary": "Multiple integer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XQueryFont, (2) _XF86BigfontQueryFont, (3) XListFontsWithInfo, (4) XGetMotionEvents, (5) XListHosts, (6) XGetModifierMapping, (7) XGetPointerMapping, (8) XGetKeyboardMapping, (9) XGetWindowProperty, (10) XGetImage, (11) LoadColornameDB, (12) XrmGetFileDatabase, (13) _XimParseStringFile, or (14) TransFileName functions.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1981"
},
{
"id": "CVE-2013-1997",
"summary": "Multiple buffer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XAllocColorCells, (2) _XkbReadGetDeviceInfoReply, (3) _XkbReadGeomShapes, (4) _XkbReadGetGeometryReply, (5) _XkbReadKeySyms, (6) _XkbReadKeyActions, (7) _XkbReadKeyBehaviors, (8) _XkbReadModifierMap, (9) _XkbReadExplicitComponents, (10) _XkbReadVirtualModMap, (11) _XkbReadGetNamesReply, (12) _XkbReadGetMapReply, (13) _XimXGetReadData, (14) XListFonts, (15) XListExtensions, and (16) XGetFontPath functions.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1997"
},
{
"id": "CVE-2013-2004",
"summary": "The (1) GetDatabase and (2) _XimParseStringFile functions in X.org libX11 1.5.99.901 (1.6 RC1) and earlier do not restrict the recursion depth when processing directives to include files, which allows X servers to cause a denial of service (stack consumption) via a crafted file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2004"
},
{
"id": "CVE-2013-7439",
"summary": "Multiple off-by-one errors in the (1) MakeBigReq and (2) SetReqLen macros in include/X11/Xlibint.h in X11R6.x and libX11 before 1.6.0 allow remote attackers to have unspecified impact via a crafted request, which triggers a buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7439"
},
{
"id": "CVE-2016-7942",
"summary": "The XGetImage function in X.org libX11 before 1.6.4 might allow remote X servers to gain privileges via vectors involving image type and geometry, which triggers out-of-bounds read operations.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7942"
},
{
"id": "CVE-2016-7943",
"summary": "The XListFonts function in X.org libX11 before 1.6.4 might allow remote X servers to gain privileges via vectors involving length fields, which trigger out-of-bounds write operations.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7943"
},
{
"id": "CVE-2018-14598",
"summary": "An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14598"
},
{
"id": "CVE-2018-14599",
"summary": "An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14599"
},
{
"id": "CVE-2018-14600",
"summary": "An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14600"
},
{
"id": "CVE-2020-14344",
"summary": "An integer overflow leading to a heap-buffer overflow was found in The X Input Method (XIM) client was implemented in libX11 before version 1.6.10. As per upstream this is security relevant when setuid programs call XIM client functions while running with elevated privileges. No such programs are shipped with Red Hat Enterprise Linux.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14344"
},
{
"id": "CVE-2020-14363",
"summary": "An integer overflow vulnerability leading to a double-free was found in libX11. This flaw allows a local privileged attacker to cause an application compiled with libX11 to crash, or in some cases, result in arbitrary code execution. The highest threat from this flaw is to confidentiality, integrity as well as system availability.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14363"
},
{
"id": "CVE-2021-31535",
"summary": "LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-31535"
},
{
"id": "CVE-2023-3138",
"summary": "A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3138"
},
{
"id": "CVE-2023-43785",
"summary": "A vulnerability was found in libX11 due to a boundary condition within the _XkbReadKeySyms() function. This flaw allows a local user to trigger an out-of-bounds read error and read the contents of memory on the system.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43785"
},
{
"id": "CVE-2023-43786",
"summary": "A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43786"
},
{
"id": "CVE-2023-43787",
"summary": "A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43787"
}
]
},
{
"name": "libxau-native",
"layer": "meta",
"version": "1_1.0.11",
"products": [
{
"product": "libxau",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libxcb-native",
"layer": "meta",
"version": "1.16",
"products": [
{
"product": "libxcb",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-2064",
"summary": "Integer overflow in X.org libxcb 1.9 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the read_packet function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2064"
}
]
},
{
"name": "libxcomposite-native",
"layer": "meta",
"version": "1_0.4.6",
"products": [
{
"product": "libxcomposite",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libxcrypt",
"layer": "meta",
"version": "4.4.36",
"products": [
{
"product": "libxcrypt",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libxcursor-native",
"layer": "meta",
"version": "1_1.2.2",
"products": [
{
"product": "libxcursor",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-2003",
"summary": "Integer overflow in X.org libXcursor 1.1.13 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the _XcursorFileHeaderCreate function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2003"
},
{
"id": "CVE-2015-9262",
"summary": "_XcursorThemeInherits in library.c in libXcursor before 1.1.15 allows remote attackers to cause denial of service or potentially code execution via a one-byte heap overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9262"
},
{
"id": "CVE-2017-16612",
"summary": "libXcursor before 1.1.15 has various integer overflows that could lead to heap buffer overflows when processing malicious cursors, e.g., with programs like GIMP. It is also possible that an attack vector exists against the related code in cursor/xcursor.c in Wayland through 1.14.0.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16612"
}
]
},
{
"name": "libxdamage-native",
"layer": "meta",
"version": "1_1.1.6",
"products": [
{
"product": "libxdamage",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libxdmcp-native",
"layer": "meta",
"version": "1_1.1.4",
"products": [
{
"product": "libxdmcp",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2017-2625",
"summary": "It was discovered that libXdmcp before 1.1.2 including used weak entropy to generate session keys. On a multi-user system using xdmcp, a local attacker could potentially use information available from the process list to brute force the key, allowing them to hijack other users' sessions.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2625"
}
]
},
{
"name": "libxext-native",
"layer": "meta",
"version": "1_1.3.6",
"products": [
{
"product": "libxext",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-1982",
"summary": "Multiple integer overflows in X.org libXext 1.3.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XcupGetReservedColormapEntries, (2) XcupStoreColors, (3) XdbeGetVisualInfo, (4) XeviGetVisualInfo, (5) XShapeGetRectangles, and (6) XSyncListSystemCounters functions.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1982"
}
]
},
{
"name": "libxfixes-native",
"layer": "meta",
"version": "1_6.0.1",
"products": [
{
"product": "libxfixes",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-1983",
"summary": "Integer overflow in X.org libXfixes 5.0 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XFixesGetCursorImage function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1983"
},
{
"id": "CVE-2016-7944",
"summary": "Integer overflow in X.org libXfixes before 5.0.3 on 32-bit platforms might allow remote X servers to gain privileges via a length value of INT_MAX, which triggers the client to stop reading data and get out of sync.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7944"
}
]
},
{
"name": "libxft-native",
"layer": "meta",
"version": "1_2.3.8",
"products": [
{
"product": "libxft",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libxi-native",
"layer": "meta",
"version": "1_1.8.1",
"products": [
{
"product": "libxi",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-1984",
"summary": "Multiple integer overflows in X.org libXi 1.7.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XGetDeviceControl, (2) XGetFeedbackControl, (3) XGetDeviceDontPropagateList, (4) XGetDeviceMotionEvents, (5) XIGetProperty, (6) XIGetSelectedEvents, (7) XGetDeviceProperties, and (8) XListInputDevices functions.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1984"
},
{
"id": "CVE-2013-1995",
"summary": "X.org libXi 1.7.1 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to an unexpected sign extension in the XListInputDevices function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1995"
},
{
"id": "CVE-2013-1998",
"summary": "Multiple buffer overflows in X.org libXi 1.7.1 and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XGetDeviceButtonMapping, (2) XIPassiveGrabDevice, and (3) XQueryDeviceState functions.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1998"
},
{
"id": "CVE-2016-7945",
"summary": "Multiple integer overflows in X.org libXi before 1.7.7 allow remote X servers to cause a denial of service (out-of-bounds memory access or infinite loop) via vectors involving length fields.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7945"
},
{
"id": "CVE-2016-7946",
"summary": "X.org libXi before 1.7.7 allows remote X servers to cause a denial of service (infinite loop) via vectors involving length fields.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7946"
}
]
},
{
"name": "libxkbcommon",
"layer": "meta",
"version": "1.6.0",
"products": [
{
"product": "libxkbcommon",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2018-15853",
"summary": "Endless recursion exists in xkbcomp/expr.c in xkbcommon and libxkbcommon before 0.8.1, which could be used by local attackers to crash xkbcommon users by supplying a crafted keymap file that triggers boolean negation.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15853"
},
{
"id": "CVE-2018-15857",
"summary": "An invalid free in ExprAppendMultiKeysymList in xkbcomp/ast-build.c in xkbcommon before 0.8.1 could be used by local attackers to crash xkbcommon keymap parsers or possibly have unspecified other impact by supplying a crafted keymap file.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15857"
},
{
"id": "CVE-2018-15858",
"summary": "Unchecked NULL pointer usage when handling invalid aliases in CopyKeyAliasesToKeymap in xkbcomp/keycodes.c in xkbcommon before 0.8.1 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15858"
},
{
"id": "CVE-2018-15859",
"summary": "Unchecked NULL pointer usage when parsing invalid atoms in ExprResolveLhs in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because lookup failures are mishandled.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15859"
},
{
"id": "CVE-2018-15861",
"summary": "Unchecked NULL pointer usage in ExprResolveLhs in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file that triggers an xkb_intern_atom failure.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15861"
},
{
"id": "CVE-2018-15862",
"summary": "Unchecked NULL pointer usage in LookupModMask in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file with invalid virtual modifiers.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15862"
},
{
"id": "CVE-2018-15863",
"summary": "Unchecked NULL pointer usage in ResolveStateAndPredicate in xkbcomp/compat.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file with a no-op modmask expression.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15863"
},
{
"id": "CVE-2018-15864",
"summary": "Unchecked NULL pointer usage in resolve_keysym in xkbcomp/parser.y in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because a map access attempt can occur for a map that was never created.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15864"
}
]
},
{
"name": "libxml-parser-perl-native",
"layer": "meta",
"version": "2.47",
"products": [
{
"product": "libxml-parser-perl",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "libxml2",
"layer": "meta",
"version": "2.12.6",
"products": [
{
"product": "libxml2",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2003-1564",
"summary": "libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the \"billion laughs attack.\"",
"scorev2": "9.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-1564"
},
{
"id": "CVE-2004-0110",
"summary": "Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0110"
},
{
"id": "CVE-2004-0989",
"summary": "Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is not properly handled by the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy function, and other overflows related to manipulation of DNS length values, including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5) xmlNanoHTTPConnectHost.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0989"
},
{
"id": "CVE-2008-3281",
"summary": "libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3281"
},
{
"id": "CVE-2008-3529",
"summary": "Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3529"
},
{
"id": "CVE-2008-4409",
"summary": "libxml2 2.7.0 and 2.7.1 does not properly handle \"predefined entities definitions\" in entities, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash), as demonstrated by use of xmllint on a certain XML document, a different vulnerability than CVE-2003-1564 and CVE-2008-3281.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4409"
},
{
"id": "CVE-2009-2414",
"summary": "Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD, related to a function recursion, as demonstrated by the Codenomicon XML fuzzing framework.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2414"
},
{
"id": "CVE-2009-2416",
"summary": "Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2416"
},
{
"id": "CVE-2010-4008",
"summary": "libxml2 before 2.7.8, as used in Google Chrome before 7.0.517.44, Apple Safari 5.0.2 and earlier, and other products, reads from invalid memory locations during processing of malformed XPath expressions, which allows context-dependent attackers to cause a denial of service (application crash) via a crafted XML document.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4008"
},
{
"id": "CVE-2010-4494",
"summary": "Double free vulnerability in libxml2 2.7.8 and other versions, as used in Google Chrome before 8.0.552.215 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4494"
},
{
"id": "CVE-2011-1944",
"summary": "Integer overflow in xpath.c in libxml2 2.6.x through 2.6.32 and 2.7.x through 2.7.8, and libxml 1.8.16 and earlier, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted XML file that triggers a heap-based buffer overflow when adding a new namespace node, related to handling of XPath expressions.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1944"
},
{
"id": "CVE-2012-0841",
"summary": "libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0841"
},
{
"id": "CVE-2012-2871",
"summary": "libxml2 2.9.0-rc1 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly support a cast of an unspecified variable during handling of XSL transforms, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document, related to the _xmlNs data structure in include/libxml/tree.h.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2871"
},
{
"id": "CVE-2012-5134",
"summary": "Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 2.9.0 and earlier, as used in Google Chrome before 23.0.1271.91 and other products, allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted entities in an XML document.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5134"
},
{
"id": "CVE-2013-0338",
"summary": "libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka \"internal entity expansion\" with linear complexity.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0338"
},
{
"id": "CVE-2013-0339",
"summary": "libxml2 through 2.9.1 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because libxml2 already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed and each affected application would need its own CVE.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0339"
},
{
"id": "CVE-2013-1969",
"summary": "Multiple use-after-free vulnerabilities in libxml2 2.9.0 and possibly other versions might allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to the (1) htmlParseChunk and (2) xmldecl_done functions, as demonstrated by a buffer overflow in the xmlBufGetInputBase function.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1969"
},
{
"id": "CVE-2013-2877",
"summary": "parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2877"
},
{
"id": "CVE-2014-3660",
"summary": "parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the \"billion laughs\" attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3660"
},
{
"id": "CVE-2015-5312",
"summary": "The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5312"
},
{
"id": "CVE-2015-6837",
"summary": "The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation during initial error checking, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6838.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6837"
},
{
"id": "CVE-2015-6838",
"summary": "The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation after the principal argument loop, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6838"
},
{
"id": "CVE-2015-7497",
"summary": "Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7497"
},
{
"id": "CVE-2015-7498",
"summary": "Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7498"
},
{
"id": "CVE-2015-7499",
"summary": "Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7499"
},
{
"id": "CVE-2015-7500",
"summary": "The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7500"
},
{
"id": "CVE-2015-7941",
"summary": "libxml2 2.9.2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as demonstrated by non-terminated entities.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7941"
},
{
"id": "CVE-2015-7942",
"summary": "The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a different vulnerability than CVE-2015-7941.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7942"
},
{
"id": "CVE-2015-8035",
"summary": "The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8035"
},
{
"id": "CVE-2015-8241",
"summary": "The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8241"
},
{
"id": "CVE-2015-8242",
"summary": "The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8242"
},
{
"id": "CVE-2015-8317",
"summary": "The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8317"
},
{
"id": "CVE-2015-8710",
"summary": "The htmlParseComment function in HTMLparser.c in libxml2 allows attackers to obtain sensitive information, cause a denial of service (out-of-bounds heap memory access and application crash), or possibly have unspecified other impact via an unclosed HTML comment.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8710"
},
{
"id": "CVE-2015-8806",
"summary": "dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the \"type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about \"size\" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9047"
},
{
"id": "CVE-2017-9048",
"summary": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9048"
},
{
"id": "CVE-2017-9049",
"summary": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9049"
},
{
"id": "CVE-2017-9050",
"summary": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9050"
},
{
"id": "CVE-2018-14404",
"summary": "A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14404"
},
{
"id": "CVE-2018-14567",
"summary": "libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14567"
},
{
"id": "CVE-2018-9251",
"summary": "The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035.",
"scorev2": "2.6",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9251"
},
{
"id": "CVE-2019-19956",
"summary": "xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19956"
},
{
"id": "CVE-2019-20388",
"summary": "xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20388"
},
{
"id": "CVE-2020-24977",
"summary": "GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.",
"scorev2": "6.4",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24977"
},
{
"id": "CVE-2020-7595",
"summary": "xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-7595"
},
{
"id": "CVE-2021-3517",
"summary": "There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.",
"scorev2": "7.5",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3517"
},
{
"id": "CVE-2021-3518",
"summary": "There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3518"
},
{
"id": "CVE-2021-3537",
"summary": "A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3537"
},
{
"id": "CVE-2021-3541",
"summary": "A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3541"
},
{
"id": "CVE-2022-23308",
"summary": "valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.",
"scorev2": "4.3",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23308"
},
{
"id": "CVE-2022-29824",
"summary": "In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29824"
},
{
"id": "CVE-2022-40303",
"summary": "An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40303"
},
{
"id": "CVE-2022-40304",
"summary": "An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40304"
},
{
"id": "CVE-2023-28484",
"summary": "In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28484"
},
{
"id": "CVE-2023-29469",
"summary": "An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\\0' value).",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29469"
},
{
"id": "CVE-2023-39615",
"summary": "Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39615"
},
{
"id": "CVE-2023-45322",
"summary": "libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is \"I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail.\"",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-45322",
"detail": "disputed",
"description": "issue requires memory allocation to fail"
},
{
"id": "CVE-2024-25062",
"summary": "An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-25062"
}
]
},
{
"name": "libxml2-native",
"layer": "meta",
"version": "2.12.6",
"products": [
{
"product": "libxml2",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2003-1564",
"summary": "libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the \"billion laughs attack.\"",
"scorev2": "9.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-1564"
},
{
"id": "CVE-2004-0110",
"summary": "Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0110"
},
{
"id": "CVE-2004-0989",
"summary": "Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is not properly handled by the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy function, and other overflows related to manipulation of DNS length values, including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5) xmlNanoHTTPConnectHost.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0989"
},
{
"id": "CVE-2008-3281",
"summary": "libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3281"
},
{
"id": "CVE-2008-3529",
"summary": "Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3529"
},
{
"id": "CVE-2008-4409",
"summary": "libxml2 2.7.0 and 2.7.1 does not properly handle \"predefined entities definitions\" in entities, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash), as demonstrated by use of xmllint on a certain XML document, a different vulnerability than CVE-2003-1564 and CVE-2008-3281.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4409"
},
{
"id": "CVE-2009-2414",
"summary": "Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD, related to a function recursion, as demonstrated by the Codenomicon XML fuzzing framework.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2414"
},
{
"id": "CVE-2009-2416",
"summary": "Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2416"
},
{
"id": "CVE-2010-4008",
"summary": "libxml2 before 2.7.8, as used in Google Chrome before 7.0.517.44, Apple Safari 5.0.2 and earlier, and other products, reads from invalid memory locations during processing of malformed XPath expressions, which allows context-dependent attackers to cause a denial of service (application crash) via a crafted XML document.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4008"
},
{
"id": "CVE-2010-4494",
"summary": "Double free vulnerability in libxml2 2.7.8 and other versions, as used in Google Chrome before 8.0.552.215 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4494"
},
{
"id": "CVE-2011-1944",
"summary": "Integer overflow in xpath.c in libxml2 2.6.x through 2.6.32 and 2.7.x through 2.7.8, and libxml 1.8.16 and earlier, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted XML file that triggers a heap-based buffer overflow when adding a new namespace node, related to handling of XPath expressions.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1944"
},
{
"id": "CVE-2012-0841",
"summary": "libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0841"
},
{
"id": "CVE-2012-2871",
"summary": "libxml2 2.9.0-rc1 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly support a cast of an unspecified variable during handling of XSL transforms, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document, related to the _xmlNs data structure in include/libxml/tree.h.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2871"
},
{
"id": "CVE-2012-5134",
"summary": "Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 2.9.0 and earlier, as used in Google Chrome before 23.0.1271.91 and other products, allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted entities in an XML document.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5134"
},
{
"id": "CVE-2013-0338",
"summary": "libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka \"internal entity expansion\" with linear complexity.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0338"
},
{
"id": "CVE-2013-0339",
"summary": "libxml2 through 2.9.1 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because libxml2 already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed and each affected application would need its own CVE.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0339"
},
{
"id": "CVE-2013-1969",
"summary": "Multiple use-after-free vulnerabilities in libxml2 2.9.0 and possibly other versions might allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to the (1) htmlParseChunk and (2) xmldecl_done functions, as demonstrated by a buffer overflow in the xmlBufGetInputBase function.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1969"
},
{
"id": "CVE-2013-2877",
"summary": "parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2877"
},
{
"id": "CVE-2014-3660",
"summary": "parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the \"billion laughs\" attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3660"
},
{
"id": "CVE-2015-5312",
"summary": "The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5312"
},
{
"id": "CVE-2015-6837",
"summary": "The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation during initial error checking, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6838.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6837"
},
{
"id": "CVE-2015-6838",
"summary": "The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation after the principal argument loop, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6838"
},
{
"id": "CVE-2015-7497",
"summary": "Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7497"
},
{
"id": "CVE-2015-7498",
"summary": "Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7498"
},
{
"id": "CVE-2015-7499",
"summary": "Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7499"
},
{
"id": "CVE-2015-7500",
"summary": "The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7500"
},
{
"id": "CVE-2015-7941",
"summary": "libxml2 2.9.2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as demonstrated by non-terminated entities.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7941"
},
{
"id": "CVE-2015-7942",
"summary": "The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a different vulnerability than CVE-2015-7941.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7942"
},
{
"id": "CVE-2015-8035",
"summary": "The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8035"
},
{
"id": "CVE-2015-8241",
"summary": "The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8241"
},
{
"id": "CVE-2015-8242",
"summary": "The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8242"
},
{
"id": "CVE-2015-8317",
"summary": "The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8317"
},
{
"id": "CVE-2015-8710",
"summary": "The htmlParseComment function in HTMLparser.c in libxml2 allows attackers to obtain sensitive information, cause a denial of service (out-of-bounds heap memory access and application crash), or possibly have unspecified other impact via an unclosed HTML comment.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8710"
},
{
"id": "CVE-2015-8806",
"summary": "dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the \"type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about \"size\" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9047"
},
{
"id": "CVE-2017-9048",
"summary": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9048"
},
{
"id": "CVE-2017-9049",
"summary": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9049"
},
{
"id": "CVE-2017-9050",
"summary": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9050"
},
{
"id": "CVE-2018-14404",
"summary": "A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14404"
},
{
"id": "CVE-2018-14567",
"summary": "libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14567"
},
{
"id": "CVE-2018-9251",
"summary": "The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035.",
"scorev2": "2.6",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9251"
},
{
"id": "CVE-2019-19956",
"summary": "xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19956"
},
{
"id": "CVE-2019-20388",
"summary": "xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20388"
},
{
"id": "CVE-2020-24977",
"summary": "GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.",
"scorev2": "6.4",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24977"
},
{
"id": "CVE-2020-7595",
"summary": "xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-7595"
},
{
"id": "CVE-2021-3517",
"summary": "There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.",
"scorev2": "7.5",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3517"
},
{
"id": "CVE-2021-3518",
"summary": "There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3518"
},
{
"id": "CVE-2021-3537",
"summary": "A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3537"
},
{
"id": "CVE-2021-3541",
"summary": "A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3541"
},
{
"id": "CVE-2022-23308",
"summary": "valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.",
"scorev2": "4.3",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23308"
},
{
"id": "CVE-2022-29824",
"summary": "In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29824"
},
{
"id": "CVE-2022-40303",
"summary": "An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40303"
},
{
"id": "CVE-2022-40304",
"summary": "An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40304"
},
{
"id": "CVE-2023-28484",
"summary": "In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28484"
},
{
"id": "CVE-2023-29469",
"summary": "An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\\0' value).",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29469"
},
{
"id": "CVE-2023-39615",
"summary": "Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39615"
},
{
"id": "CVE-2023-45322",
"summary": "libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is \"I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail.\"",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-45322",
"detail": "disputed",
"description": "issue requires memory allocation to fail"
},
{
"id": "CVE-2024-25062",
"summary": "An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-25062"
}
]
},
{
"name": "libxrandr-native",
"layer": "meta",
"version": "1_1.5.4",
"products": [
{
"product": "libxrandr",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-1986",
"summary": "Multiple integer overflows in X.org libXrandr 1.4.0 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XRRQueryOutputProperty and (2) XRRQueryProviderProperty functions.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1986"
},
{
"id": "CVE-2016-7947",
"summary": "Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted response.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7947"
},
{
"id": "CVE-2016-7948",
"summary": "X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7948"
}
]
},
{
"name": "libxrender-native",
"layer": "meta",
"version": "1_0.9.11",
"products": [
{
"product": "libxrender",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-1987",
"summary": "Multiple integer overflows in X.org libXrender 0.9.7 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XRenderQueryFilters, (2) XRenderQueryFormats, and (3) XRenderQueryPictIndexValues functions.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1987"
},
{
"id": "CVE-2016-7949",
"summary": "Multiple buffer overflows in the (1) XvQueryAdaptors and (2) XvQueryEncodings functions in X.org libXrender before 0.9.10 allow remote X servers to trigger out-of-bounds write operations via vectors involving length fields.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7949"
},
{
"id": "CVE-2016-7950",
"summary": "The XRenderQueryFilters function in X.org libXrender before 0.9.10 allows remote X servers to trigger out-of-bounds write operations via vectors involving filter name lengths.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7950"
}
]
},
{
"name": "libxslt",
"layer": "meta",
"version": "1.1.39",
"products": [
{
"product": "libxslt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2008-2935",
"summary": "Multiple heap-based buffer overflows in the rc4 (1) encryption (aka exsltCryptoRc4EncryptFunction) and (2) decryption (aka exsltCryptoRc4DecryptFunction) functions in crypto.c in libexslt in libxslt 1.1.8 through 1.1.24 allow context-dependent attackers to execute arbitrary code via an XML file containing a long string as \"an argument in the XSL input.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2935"
},
{
"id": "CVE-2011-1202",
"summary": "The xsltGenerateIdFunction function in functions.c in libxslt 1.1.26 and earlier, as used in Google Chrome before 10.0.648.127 and other products, allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT generate-id XPath function.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1202"
},
{
"id": "CVE-2011-3970",
"summary": "libxslt, as used in Google Chrome before 17.0.963.46, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3970"
},
{
"id": "CVE-2012-2870",
"summary": "libxslt 1.1.26 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly manage memory, which might allow remote attackers to cause a denial of service (application crash) via a crafted XSLT expression that is not properly identified during XPath navigation, related to (1) the xsltCompileLocationPathPattern function in libxslt/pattern.c and (2) the xsltGenerateIdFunction function in libxslt/functions.c.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2870"
},
{
"id": "CVE-2012-6139",
"summary": "libxslt before 1.1.28 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an (1) empty match attribute in a XSL key to the xsltAddKey function in keys.c or (2) uninitialized variable to the xsltDocumentFunction function in functions.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6139"
},
{
"id": "CVE-2013-4520",
"summary": "xslt.c in libxslt before 1.1.25 allows context-dependent attackers to cause a denial of service (crash) via a stylesheet that embeds a DTD, which causes a structure to be accessed as a different type. NOTE: this issue is due to an incomplete fix for CVE-2012-2825.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4520"
},
{
"id": "CVE-2015-7995",
"summary": "The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check if the parent node is an element, which allows attackers to cause a denial of service via a crafted XML file, related to a \"type confusion\" issue.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7995"
},
{
"id": "CVE-2015-9019",
"summary": "In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9019"
},
{
"id": "CVE-2016-1683",
"summary": "numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles namespace nodes, which allows remote attackers to cause a denial of service (out-of-bounds heap memory access) or possibly have unspecified other impact via a crafted document.",
"scorev2": "5.1",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1683"
},
{
"id": "CVE-2016-1684",
"summary": "numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles the i format token for xsl:number data, which allows remote attackers to cause a denial of service (integer overflow or resource consumption) or possibly have unspecified other impact via a crafted document.",
"scorev2": "5.1",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1684"
},
{
"id": "CVE-2016-4607",
"summary": "libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4608, CVE-2016-4609, CVE-2016-4610, and CVE-2016-4612.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4607"
},
{
"id": "CVE-2016-4608",
"summary": "libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4609, CVE-2016-4610, and CVE-2016-4612.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4608"
},
{
"id": "CVE-2016-4609",
"summary": "libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4608, CVE-2016-4610, and CVE-2016-4612.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4609"
},
{
"id": "CVE-2016-4610",
"summary": "libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, and CVE-2016-4612.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4610"
},
{
"id": "CVE-2017-5029",
"summary": "The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5029"
},
{
"id": "CVE-2019-11068",
"summary": "libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11068"
},
{
"id": "CVE-2019-13117",
"summary": "In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13117"
},
{
"id": "CVE-2019-13118",
"summary": "In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13118"
},
{
"id": "CVE-2019-18197",
"summary": "In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.",
"scorev2": "5.1",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18197"
},
{
"id": "CVE-2019-5815",
"summary": "Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5815"
},
{
"id": "CVE-2021-30560",
"summary": "Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-30560"
},
{
"id": "CVE-2022-29824",
"summary": "In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29824",
"detail": "not-applicable-config",
"description": "Static linking to libxml2 is not enabled."
}
]
},
{
"name": "libxslt-native",
"layer": "meta",
"version": "1.1.39",
"products": [
{
"product": "libxslt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2008-2935",
"summary": "Multiple heap-based buffer overflows in the rc4 (1) encryption (aka exsltCryptoRc4EncryptFunction) and (2) decryption (aka exsltCryptoRc4DecryptFunction) functions in crypto.c in libexslt in libxslt 1.1.8 through 1.1.24 allow context-dependent attackers to execute arbitrary code via an XML file containing a long string as \"an argument in the XSL input.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2935"
},
{
"id": "CVE-2011-1202",
"summary": "The xsltGenerateIdFunction function in functions.c in libxslt 1.1.26 and earlier, as used in Google Chrome before 10.0.648.127 and other products, allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT generate-id XPath function.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1202"
},
{
"id": "CVE-2011-3970",
"summary": "libxslt, as used in Google Chrome before 17.0.963.46, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3970"
},
{
"id": "CVE-2012-2870",
"summary": "libxslt 1.1.26 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly manage memory, which might allow remote attackers to cause a denial of service (application crash) via a crafted XSLT expression that is not properly identified during XPath navigation, related to (1) the xsltCompileLocationPathPattern function in libxslt/pattern.c and (2) the xsltGenerateIdFunction function in libxslt/functions.c.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2870"
},
{
"id": "CVE-2012-6139",
"summary": "libxslt before 1.1.28 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an (1) empty match attribute in a XSL key to the xsltAddKey function in keys.c or (2) uninitialized variable to the xsltDocumentFunction function in functions.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6139"
},
{
"id": "CVE-2013-4520",
"summary": "xslt.c in libxslt before 1.1.25 allows context-dependent attackers to cause a denial of service (crash) via a stylesheet that embeds a DTD, which causes a structure to be accessed as a different type. NOTE: this issue is due to an incomplete fix for CVE-2012-2825.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4520"
},
{
"id": "CVE-2015-7995",
"summary": "The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check if the parent node is an element, which allows attackers to cause a denial of service via a crafted XML file, related to a \"type confusion\" issue.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7995"
},
{
"id": "CVE-2015-9019",
"summary": "In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9019"
},
{
"id": "CVE-2016-1683",
"summary": "numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles namespace nodes, which allows remote attackers to cause a denial of service (out-of-bounds heap memory access) or possibly have unspecified other impact via a crafted document.",
"scorev2": "5.1",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1683"
},
{
"id": "CVE-2016-1684",
"summary": "numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles the i format token for xsl:number data, which allows remote attackers to cause a denial of service (integer overflow or resource consumption) or possibly have unspecified other impact via a crafted document.",
"scorev2": "5.1",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1684"
},
{
"id": "CVE-2016-4607",
"summary": "libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4608, CVE-2016-4609, CVE-2016-4610, and CVE-2016-4612.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4607"
},
{
"id": "CVE-2016-4608",
"summary": "libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4609, CVE-2016-4610, and CVE-2016-4612.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4608"
},
{
"id": "CVE-2016-4609",
"summary": "libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4608, CVE-2016-4610, and CVE-2016-4612.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4609"
},
{
"id": "CVE-2016-4610",
"summary": "libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, and CVE-2016-4612.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4610"
},
{
"id": "CVE-2017-5029",
"summary": "The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5029"
},
{
"id": "CVE-2019-11068",
"summary": "libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11068"
},
{
"id": "CVE-2019-13117",
"summary": "In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13117"
},
{
"id": "CVE-2019-13118",
"summary": "In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13118"
},
{
"id": "CVE-2019-18197",
"summary": "In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.",
"scorev2": "5.1",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18197"
},
{
"id": "CVE-2019-5815",
"summary": "Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5815"
},
{
"id": "CVE-2021-30560",
"summary": "Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-30560"
},
{
"id": "CVE-2022-29824",
"summary": "In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29824",
"detail": "not-applicable-config",
"description": "Static linking to libxml2 is not enabled."
}
]
},
{
"name": "libxtst-native",
"layer": "meta",
"version": "1_1.2.4",
"products": [
{
"product": "libxtst",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-2063",
"summary": "Integer overflow in X.org libXtst 1.2.1 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XRecordGetContext function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2063"
},
{
"id": "CVE-2016-7951",
"summary": "Multiple integer overflows in X.org libXtst before 1.2.3 allow remote X servers to trigger out-of-bounds memory access operations by leveraging the lack of range checks.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7951"
},
{
"id": "CVE-2016-7952",
"summary": "X.org libXtst before 1.2.3 allows remote X servers to cause a denial of service (infinite loop) via a reply in the (1) XRecordStartOfData, (2) XRecordEndOfData, or (3) XRecordClientDied category without a client sequence and with attached data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7952"
}
]
},
{
"name": "libyaml",
"layer": "meta",
"version": "0.2.5",
"products": [
{
"product": "libyaml",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-6393",
"summary": "The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6393"
},
{
"id": "CVE-2014-2525",
"summary": "Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2525"
},
{
"id": "CVE-2014-9130",
"summary": "scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9130"
}
]
},
{
"name": "libyaml-native",
"layer": "meta",
"version": "0.2.5",
"products": [
{
"product": "libyaml",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-6393",
"summary": "The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6393"
},
{
"id": "CVE-2014-2525",
"summary": "Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2525"
},
{
"id": "CVE-2014-9130",
"summary": "scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9130"
}
]
},
{
"name": "linux-firmware",
"layer": "meta",
"version": "1_20240312",
"products": [
{
"product": "linux-firmware",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "linux-libc-headers",
"layer": "meta",
"version": "6.6",
"products": [
{
"product": "linux-libc-headers",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "linux-yocto",
"layer": "meta",
"version": "6.6.23+git",
"products": [
{
"product": "linux_kernel",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-0061",
"summary": "File creation and deletion, and remote execution, in the BSD line printer daemon (lpd).",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0061"
},
{
"id": "CVE-1999-0074",
"summary": "Listening TCP ports are sequentially allocated, allowing spoofing attacks.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0074"
},
{
"id": "CVE-1999-0128",
"summary": "Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0128"
},
{
"id": "CVE-1999-0138",
"summary": "The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0138"
},
{
"id": "CVE-1999-0165",
"summary": "NFS cache poisoning.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0165"
},
{
"id": "CVE-1999-0171",
"summary": "Denial of service in syslog by sending it a large number of superfluous messages.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0171"
},
{
"id": "CVE-1999-0183",
"summary": "Linux implementations of TFTP would allow access to files outside the restricted directory.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0183"
},
{
"id": "CVE-1999-0195",
"summary": "Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0195"
},
{
"id": "CVE-1999-0216",
"summary": "Denial of service of inetd on Linux through SYN and RST packets.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0216"
},
{
"id": "CVE-1999-0245",
"summary": "Some configurations of NIS+ in Linux allowed attackers to log in as the user \"+\".",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0245"
},
{
"id": "CVE-1999-0257",
"summary": "Nestea variation of teardrop IP fragmentation denial of service.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0257"
},
{
"id": "CVE-1999-0317",
"summary": "Buffer overflow in Linux su command gives root access to local users.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0317"
},
{
"id": "CVE-1999-0330",
"summary": "Linux bdash game has a buffer overflow that allows local users to gain root access.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0330"
},
{
"id": "CVE-1999-0381",
"summary": "super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0381"
},
{
"id": "CVE-1999-0400",
"summary": "Denial of service in Linux 2.2.0 running the ldd command on a core file.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0400"
},
{
"id": "CVE-1999-0401",
"summary": "A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0401"
},
{
"id": "CVE-1999-0414",
"summary": "In Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0414"
},
{
"id": "CVE-1999-0431",
"summary": "Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0431"
},
{
"id": "CVE-1999-0451",
"summary": "Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0451"
},
{
"id": "CVE-1999-0460",
"summary": "Buffer overflow in Linux autofs module through long directory names allows local users to perform a denial of service.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0460"
},
{
"id": "CVE-1999-0461",
"summary": "Versions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind allow a remote attacker to insert and delete entries by spoofing a source address.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0461"
},
{
"id": "CVE-1999-0513",
"summary": "ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0513"
},
{
"id": "CVE-1999-0524",
"summary": "ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0524"
},
{
"id": "CVE-1999-0590",
"summary": "A system does not present an appropriate legal message or warning to a user who is accessing it.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0590"
},
{
"id": "CVE-1999-0628",
"summary": "The rwho/rwhod service is running, which exposes machine status and user information.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0628"
},
{
"id": "CVE-1999-0656",
"summary": "The ugidd RPC interface, by design, allows remote attackers to enumerate valid usernames by specifying arbitrary UIDs that ugidd maps to local user and group names.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0656",
"detail": "not-applicable-config",
"description": "specific to ugidd, part of the old user-mode NFS server"
},
{
"id": "CVE-1999-0720",
"summary": "The pt_chown command in Linux allows local users to modify TTY terminal devices that belong to other users.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0720"
},
{
"id": "CVE-1999-0780",
"summary": "KDE klock allows local users to kill arbitrary processes by specifying an arbitrary PID in the .kss.pid file.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0780"
},
{
"id": "CVE-1999-0781",
"summary": "KDE allows local users to execute arbitrary commands by setting the KDEDIR environmental variable to modify the search path that KDE uses to locate its executables.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0781"
},
{
"id": "CVE-1999-0782",
"summary": "KDE kppp allows local users to create a directory in an arbitrary location via the HOME environmental variable.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0782"
},
{
"id": "CVE-1999-0804",
"summary": "Denial of service in Linux 2.2.x kernels via malformed ICMP packets containing unusual types, codes, and IP header lengths.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0804"
},
{
"id": "CVE-1999-0986",
"summary": "The ping command in Linux 2.0.3x allows local users to cause a denial of service by sending large packets with the -R (record route) option.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0986"
},
{
"id": "CVE-1999-1018",
"summary": "IPChains in Linux kernels 2.2.10 and earlier does not reassemble IP fragments before checking the header information, which allows a remote attacker to bypass the filtering rules using several fragments with 0 offsets.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1018"
},
{
"id": "CVE-1999-1166",
"summary": "Linux 2.0.37 does not properly encode the Custom segment limit, which allows local users to gain root privileges by accessing and modifying kernel memory.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1166"
},
{
"id": "CVE-1999-1225",
"summary": "rpc.mountd on Linux, Ultrix, and possibly other operating systems, allows remote attackers to determine the existence of a file on the server by attempting to mount that file, which generates different error messages depending on whether the file exists or not.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1225"
},
{
"id": "CVE-1999-1276",
"summary": "fte-console in the fte package before 0.46b-4.1 does not drop root privileges, which allows local users to gain root access via the virtual console device.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1276"
},
{
"id": "CVE-1999-1285",
"summary": "Linux 2.1.132 and earlier allows local users to cause a denial of service (resource exhaustion) by reading a large buffer from a random device (e.g. /dev/urandom), which cannot be interrupted until the read has completed.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1285"
},
{
"id": "CVE-1999-1339",
"summary": "Vulnerability when Network Address Translation (NAT) is enabled in Linux 2.2.10 and earlier with ipchains, or FreeBSD 3.2 with ipfw, allows remote attackers to cause a denial of service (kernel panic) via a ping -R (record route) command.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1339"
},
{
"id": "CVE-1999-1341",
"summary": "Linux kernel before 2.3.18 or 2.2.13pre15, with SLIP and PPP options, allows local unprivileged users to forge IP packets via the TIOCSETD option on tty devices.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1341"
},
{
"id": "CVE-1999-1352",
"summary": "mknod in Linux 2.2 follows symbolic links, which could allow local users to overwrite files or gain privileges.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1352"
},
{
"id": "CVE-1999-1441",
"summary": "Linux 2.0.34 does not properly prevent users from sending SIGIO signals to arbitrary processes, which allows local users to cause a denial of service by sending SIGIO to processes that do not catch it.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1441"
},
{
"id": "CVE-1999-1442",
"summary": "Bug in AMD K6 processor on Linux 2.0.x and 2.1.x kernels allows local users to cause a denial of service (crash) via a particular sequence of instructions, possibly related to accessing addresses outside of segments.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1442"
},
{
"id": "CVE-2000-0006",
"summary": "strace allows local users to read arbitrary files via memory mapped file names.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0006"
},
{
"id": "CVE-2000-0227",
"summary": "The Linux 2.2.x kernel does not restrict the number of Unix domain sockets as defined by the wmem_max parameter, which allows local users to cause a denial of service by requesting a large number of sockets.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0227"
},
{
"id": "CVE-2000-0289",
"summary": "IP masquerading in Linux 2.2.x allows remote attackers to route UDP packets through the internal interface by modifying the external source IP address and port number to match those of an established connection.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0289"
},
{
"id": "CVE-2000-0344",
"summary": "The knfsd NFS server in Linux kernel 2.2.x allows remote attackers to cause a denial of service via a negative size value.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0344"
},
{
"id": "CVE-2000-0506",
"summary": "The \"capabilities\" feature in Linux before 2.2.16 allows local users to cause a denial of service or gain privileges by setting the capabilities to prevent a setuid program from dropping privileges, aka the \"Linux kernel setuid/setcap vulnerability.\"",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0506"
},
{
"id": "CVE-2001-0316",
"summary": "Linux kernel 2.4 and 2.2 allows local users to read kernel memory and possibly gain privileges via a negative argument to the sysctl call.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0316"
},
{
"id": "CVE-2001-0317",
"summary": "Race condition in ptrace in Linux kernel 2.4 and 2.2 allows local users to gain privileges by using ptrace to track and modify a running setuid process.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0317"
},
{
"id": "CVE-2001-0405",
"summary": "ip_conntrack_ftp in the IPTables firewall for Linux 2.4 allows remote attackers to bypass access restrictions for an FTP server via a PORT command that lists an arbitrary IP address and port number, which is added to the RELATED table and allowed by the firewall.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0405"
},
{
"id": "CVE-2001-0851",
"summary": "Linux kernel 2.0, 2.2 and 2.4 with syncookies enabled allows remote attackers to bypass firewall rules by brute force guessing the cookie.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0851"
},
{
"id": "CVE-2001-0907",
"summary": "Linux kernel 2.2.1 through 2.2.19, and 2.4.1 through 2.4.10, allows local users to cause a denial of service via a series of deeply nested symlinks, which causes the kernel to spend extra time when trying to access the link.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0907"
},
{
"id": "CVE-2001-0914",
"summary": "Linux kernel before 2.4.11pre3 in multiple Linux distributions allows local users to cause a denial of service (crash) by starting the core vmlinux kernel, possibly related to poor error checking during ELF loading.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0914"
},
{
"id": "CVE-2001-1056",
"summary": "IRC DCC helper in the ip_masq_irc IP masquerading module 2.2 allows remote attackers to bypass intended firewall restrictions by causing the target system to send a \"DCC SEND\" request to a malicious server which listens on port 6667, which may cause the module to believe that the traffic is a valid request and allow the connection to the port specified in the DCC SEND request.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1056"
},
{
"id": "CVE-2001-1244",
"summary": "Multiple TCP implementations could allow remote attackers to cause a denial of service (bandwidth and CPU exhaustion) by setting the maximum segment size (MSS) to a very small number and requesting large amounts of data, which generates more packets with less TCP-level data that amplify network traffic and consume more server CPU to process.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1244"
},
{
"id": "CVE-2001-1273",
"summary": "The \"mxcsr P4\" vulnerability in the Linux kernel before 2.2.17-14, when running on certain Intel CPUs, allows local users to cause a denial of service (system halt).",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1273"
},
{
"id": "CVE-2001-1384",
"summary": "ptrace in Linux 2.2.x through 2.2.19, and 2.4.x through 2.4.9, allows local users to gain root privileges by running ptrace on a setuid or setgid program that itself calls an unprivileged program, such as newgrp.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1384"
},
{
"id": "CVE-2001-1390",
"summary": "Unknown vulnerability in binfmt_misc in the Linux kernel before 2.2.19, related to user pages.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1390"
},
{
"id": "CVE-2001-1391",
"summary": "Off-by-one vulnerability in CPIA driver of Linux kernel before 2.2.19 allows users to modify kernel memory.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1391"
},
{
"id": "CVE-2001-1392",
"summary": "The Linux kernel before 2.2.19 does not have unregister calls for (1) CPUID and (2) MSR drivers, which could cause a DoS (crash) by unloading and reloading the drivers.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1392"
},
{
"id": "CVE-2001-1393",
"summary": "Unknown vulnerability in classifier code for Linux kernel before 2.2.19 could result in denial of service (hang).",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1393"
},
{
"id": "CVE-2001-1394",
"summary": "Signedness error in (1) getsockopt and (2) setsockopt for Linux kernel before 2.2.19 allows local users to cause a denial of service.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1394"
},
{
"id": "CVE-2001-1395",
"summary": "Unknown vulnerability in sockfilter for Linux kernel before 2.2.19 related to \"boundary cases,\" with unknown impact.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1395"
},
{
"id": "CVE-2001-1396",
"summary": "Unknown vulnerabilities in strnlen_user for Linux kernel before 2.2.19, with unknown impact.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1396"
},
{
"id": "CVE-2001-1397",
"summary": "The System V (SYS5) shared memory implementation for Linux kernel before 2.2.19 could allow attackers to modify recently freed memory.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1397"
},
{
"id": "CVE-2001-1398",
"summary": "Masquerading code for Linux kernel before 2.2.19 does not fully check packet lengths in certain cases, which may lead to a vulnerability.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1398"
},
{
"id": "CVE-2001-1399",
"summary": "Certain operations in Linux kernel before 2.2.19 on the x86 architecture copy the wrong number of bytes, which might allow attackers to modify memory, aka \"User access asm bug on x86.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1399"
},
{
"id": "CVE-2001-1400",
"summary": "Unknown vulnerabilities in the UDP port allocation for Linux kernel before 2.2.19 could allow local users to cause a denial of service (deadlock).",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1400"
},
{
"id": "CVE-2001-1551",
"summary": "Linux kernel 2.2.19 enables CAP_SYS_RESOURCE for setuid processes, which allows local users to exceed disk quota restrictions during execution of setuid programs.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1551"
},
{
"id": "CVE-2001-1572",
"summary": "The MAC module in Netfilter in Linux kernel 2.4.1 through 2.4.11, when configured to filter based on MAC addresses, allows remote attackers to bypass packet filters via small packets.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1572"
},
{
"id": "CVE-2002-0046",
"summary": "Linux kernel, and possibly other operating systems, allows remote attackers to read portions of memory via a series of fragmented ICMP packets that generate an ICMP TTL Exceeded response, which includes portions of the memory in the response packet.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0046"
},
{
"id": "CVE-2002-0060",
"summary": "IRC connection tracking helper module in the netfilter subsystem for Linux 2.4.18-pre9 and earlier does not properly set the mask for conntrack expectations for incoming DCC connections, which could allow remote attackers to bypass intended firewall restrictions.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0060"
},
{
"id": "CVE-2002-0429",
"summary": "The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a a binary compatibility interface (lcall).",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0429"
},
{
"id": "CVE-2002-0499",
"summary": "The d_path function in Linux kernel 2.2.20 and earlier, and 2.4.18 and earlier, truncates long pathnames without generating an error, which could allow local users to force programs to perform inappropriate operations on the wrong directories.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0499"
},
{
"id": "CVE-2002-0510",
"summary": "The UDP implementation in Linux 2.4.x kernels keeps the IP Identification field at 0 for all non-fragmented packets, which could allow remote attackers to determine that a target system is running Linux.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0510"
},
{
"id": "CVE-2002-0570",
"summary": "The encrypted loop device in Linux kernel 2.4.10 and earlier does not authenticate the entity that is encrypting data, which allows local users to modify encrypted data without knowing the key.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0570"
},
{
"id": "CVE-2002-0704",
"summary": "The Network Address Translation (NAT) capability for Netfilter (\"iptables\") 1.2.6a and earlier leaks translated IP addresses in ICMP error messages.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0704"
},
{
"id": "CVE-2002-1319",
"summary": "The Linux kernel 2.4.20 and earlier, and 2.5.x, when running on x86 systems, allows local users to cause a denial of service (hang) via the emulation mode, which does not properly clear TF and NT EFLAGs.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1319"
},
{
"id": "CVE-2002-1380",
"summary": "Linux kernel 2.2.x allows local users to cause a denial of service (crash) by using the mmap() function with a PROT_READ parameter to access non-readable memory pages through the /proc/pid/mem interface.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1380"
},
{
"id": "CVE-2002-1571",
"summary": "The linux 2.4 kernel before 2.4.19 assumes that the fninit instruction clears all registers, which could lead to an information leak on processors that do not clear all relevant SSE registers.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1571"
},
{
"id": "CVE-2002-1572",
"summary": "Signed integer overflow in the bttv_read function in the bttv driver (bttv-driver.c) in Linux kernel before 2.4.20 has unknown impact and attack vectors.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1572"
},
{
"id": "CVE-2002-1573",
"summary": "Unspecified vulnerability in the pcilynx ieee1394 firewire driver (pcilynx.c) in Linux kernel before 2.4.20 has unknown impact and attack vectors, related to \"wrap handling.\"",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1573"
},
{
"id": "CVE-2002-1574",
"summary": "Buffer overflow in the ixj telephony card driver in Linux before 2.4.20 has unknown impact and attack vectors.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1574"
},
{
"id": "CVE-2002-1963",
"summary": "Linux kernel 2.4.1 through 2.4.19 sets root's NR_RESERVED_FILES limit to 10 files, which allows local users to cause a denial of service (resource exhaustion) by opening 10 setuid binaries.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1963"
},
{
"id": "CVE-2002-1976",
"summary": "ifconfig, when used on the Linux kernel 2.2 and later, does not report when the network interface is in promiscuous mode if it was put in promiscuous mode using PACKET_MR_PROMISC, which could allow attackers to sniff the network without detection, as demonstrated using libpcap.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1976"
},
{
"id": "CVE-2002-2254",
"summary": "The experimental IP packet queuing feature in Netfilter / IPTables in Linux kernel 2.4 up to 2.4.19 and 2.5 up to 2.5.31, when a privileged process exits and network traffic is not being queued, may allow a later process with the same Process ID (PID) to access certain network traffic that would otherwise be restricted.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-2254"
},
{
"id": "CVE-2002-2438",
"summary": "TCP firewalls could be circumvented by sending a SYN Packets with other flags (like e.g. RST flag) set, which was not correctly discarded by the Linux TCP stack after firewalling.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-2438"
},
{
"id": "CVE-2003-0001",
"summary": "Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0001"
},
{
"id": "CVE-2003-0018",
"summary": "Linux kernel 2.4.10 through 2.4.21-pre4 does not properly handle the O_DIRECT feature, which allows local attackers with write privileges to read portions of previously deleted files, or cause file system corruption.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0018"
},
{
"id": "CVE-2003-0127",
"summary": "The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0127"
},
{
"id": "CVE-2003-0187",
"summary": "The connection tracking core of Netfilter for Linux 2.4.20, with CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module loaded, allows remote attackers to cause a denial of service (resource consumption) due to an inconsistency with Linux 2.4.20's support of linked lists, which causes Netfilter to fail to identify connections with an UNCONFIRMED status and use large timeouts.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0187"
},
{
"id": "CVE-2003-0244",
"summary": "The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0244"
},
{
"id": "CVE-2003-0246",
"summary": "The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0246"
},
{
"id": "CVE-2003-0418",
"summary": "The Linux 2.0 kernel IP stack does not properly calculate the size of an ICMP citation, which causes it to include portions of unauthorized memory in ICMP error responses.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0418"
},
{
"id": "CVE-2003-0462",
"summary": "A race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash).",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0462"
},
{
"id": "CVE-2003-0465",
"summary": "The kernel strncpy function in Linux 2.4 and 2.5 does not %NUL pad the buffer on architectures other than x86, as opposed to the expected behavior of strncpy as implemented in libc, which could lead to information leaks.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0465"
},
{
"id": "CVE-2003-0467",
"summary": "Unknown vulnerability in ip_nat_sack_adjust of Netfilter in Linux kernels 2.4.20, and some 2.5.x, when CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC is enabled, or the ip_nat_ftp or ip_nat_irc modules are loaded, allows remote attackers to cause a denial of service (crash) in systems using NAT, possibly due to an integer signedness error.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0467"
},
{
"id": "CVE-2003-0476",
"summary": "The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, which allows local users to gain read access to restricted file descriptors.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0476"
},
{
"id": "CVE-2003-0501",
"summary": "The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program, which causes the program to fail to change the ownership and permissions of those entries.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0501"
},
{
"id": "CVE-2003-0619",
"summary": "Integer signedness error in the decode_fh function of nfs3xdr.c in Linux kernel before 2.4.21 allows remote attackers to cause a denial of service (kernel panic) via a negative size value within XDR data of an NFSv3 procedure call.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0619"
},
{
"id": "CVE-2003-0643",
"summary": "Integer signedness error in the Linux Socket Filter implementation (filter.c) in Linux 2.4.3-pre3 to 2.4.22-pre10 allows attackers to cause a denial of service (crash).",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0643"
},
{
"id": "CVE-2003-0956",
"summary": "Multiple race conditions in the handling of O_DIRECT in Linux kernel prior to version 2.4.22 could cause stale data to be returned from the disk when handling sparse files, or cause incorrect data to be returned when a file is truncated as it is being read, which might allow local users to obtain sensitive data that was originally owned by other users, a different vulnerability than CVE-2003-0018.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0956"
},
{
"id": "CVE-2003-0961",
"summary": "Integer overflow in the do_brk function for the brk system call in Linux kernel 2.4.22 and earlier allows local users to gain root privileges.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0961"
},
{
"id": "CVE-2003-0984",
"summary": "Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0984"
},
{
"id": "CVE-2003-0985",
"summary": "The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0985"
},
{
"id": "CVE-2003-0986",
"summary": "Various routines for the ppc64 architecture on Linux kernel 2.6 prior to 2.6.2 and 2.4 prior to 2.4.24 do not use the copy_from_user function when copying data from userspace to kernelspace, which crosses security boundaries and allows local users to cause a denial of service.",
"scorev2": "1.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0986"
},
{
"id": "CVE-2003-1040",
"summary": "kmod in the Linux kernel does not set its uid, suid, gid, or sgid to 0, which allows local users to cause a denial of service (crash) by sending certain signals to kmod.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-1040"
},
{
"id": "CVE-2003-1161",
"summary": "exit.c in Linux kernel 2.6-test9-CVS, as stored on kernel.bkbits.net, was modified to contain a backdoor, which could allow local users to elevate their privileges by passing __WCLONE|__WALL to the sys_wait4 function.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-1161"
},
{
"id": "CVE-2003-1604",
"summary": "The redirect_target function in net/ipv4/netfilter/ipt_REDIRECT.c in the Linux kernel before 2.6.0 allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending packets to an interface that has a 0.0.0.0 IP address, a related issue to CVE-2015-8787.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-1604",
"detail": "fixed-version",
"description": "Fixed from version 2.6.12rc2"
},
{
"id": "CVE-2004-0001",
"summary": "Unknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0001"
},
{
"id": "CVE-2004-0003",
"summary": "Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to \"R128 DRI limits checking.\"",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0003"
},
{
"id": "CVE-2004-0010",
"summary": "Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0010"
},
{
"id": "CVE-2004-0058",
"summary": "Antivir / Linux 2.0.9-9, and possibly earlier versions, allows local users to overwrite arbitrary files via a symlink attack on the .pid_antivir_$$ temporary file.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0058"
},
{
"id": "CVE-2004-0075",
"summary": "The Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0075"
},
{
"id": "CVE-2004-0077",
"summary": "The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0077"
},
{
"id": "CVE-2004-0109",
"summary": "Buffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x, allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0109"
},
{
"id": "CVE-2004-0133",
"summary": "The XFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the XFS file system, which allows local users to obtain sensitive information by reading the raw device.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0133"
},
{
"id": "CVE-2004-0138",
"summary": "The ELF loader in Linux kernel 2.4 before 2.4.25 allows local users to cause a denial of service (crash) via a crafted ELF file with an interpreter with an invalid arch (architecture), which triggers a BUG() when an invalid VMA is unmapped.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0138"
},
{
"id": "CVE-2004-0177",
"summary": "The ext3 code in Linux 2.4.x before 2.4.26 does not properly initialize journal descriptor blocks, which causes an information leak in which in-memory data is written to the device for the ext3 file system, which allows privileged users to obtain portions of kernel memory by reading the raw device.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0177"
},
{
"id": "CVE-2004-0178",
"summary": "The OSS code for the Sound Blaster (sb16) driver in Linux 2.4.x before 2.4.26, when operating in 16 bit mode, does not properly handle certain sample sizes, which allows local users to cause a denial of service (crash) via a sample with an odd number of bytes.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0178"
},
{
"id": "CVE-2004-0181",
"summary": "The JFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the JFS file system, which allows local users to obtain sensitive information by reading the raw device.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0181"
},
{
"id": "CVE-2004-0186",
"summary": "smbmnt in Samba 2.x and 3.x on Linux 2.6, when installed setuid, allows local users to gain root privileges by mounting a Samba share that contains a setuid root program, whose setuid attributes are not cleared when the share is mounted.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0186"
},
{
"id": "CVE-2004-0228",
"summary": "Integer signedness error in the cpufreq proc handler (cpufreq_procctl) in Linux kernel 2.6 allows local users to gain privileges.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0228"
},
{
"id": "CVE-2004-0229",
"summary": "The framebuffer driver in Linux kernel 2.6.x does not properly use the fb_copy_cmap function, with unknown impact.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0229"
},
{
"id": "CVE-2004-0230",
"summary": "TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0230",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc1"
},
{
"id": "CVE-2004-0394",
"summary": "A \"potential\" buffer overflow exists in the panic() function in Linux 2.4.x, although it may not be exploitable due to the functionality of panic.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0394"
},
{
"id": "CVE-2004-0415",
"summary": "Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, which allows local users to access portions of kernel memory.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0415"
},
{
"id": "CVE-2004-0424",
"summary": "Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or execute arbitrary code via the MCAST_MSFILTER socket option.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0424"
},
{
"id": "CVE-2004-0427",
"summary": "The do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2.6.6, does not properly decrement the mm_count counter when an error occurs after the mm_struct for a child process has been activated, which triggers a memory leak that allows local users to cause a denial of service (memory exhaustion) via the clone (CLONE_VM) system call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0427"
},
{
"id": "CVE-2004-0447",
"summary": "Unknown vulnerability in Linux before 2.4.26 for IA64 allows local users to cause a denial of service, with unknown impact. NOTE: due to a typo, this issue was accidentally assigned CVE-2004-0477. This is the proper candidate to use for the Linux local DoS.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0447"
},
{
"id": "CVE-2004-0495",
"summary": "Multiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0495"
},
{
"id": "CVE-2004-0496",
"summary": "Multiple unknown vulnerabilities in Linux kernel 2.6 allow local users to gain privileges or access kernel memory, a different set of vulnerabilities than those identified in CVE-2004-0495, as found by the Sparse source code checking tool.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0496"
},
{
"id": "CVE-2004-0497",
"summary": "Unknown vulnerability in Linux kernel 2.x may allow local users to modify the group ID of files, such as NFS exported files in kernel 2.4.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0497"
},
{
"id": "CVE-2004-0535",
"summary": "The e1000 driver for Linux kernel 2.4.26 and earlier does not properly initialize memory before using it, which allows local users to read portions of kernel memory. NOTE: this issue was originally incorrectly reported as a \"buffer overflow\" by some sources.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0535"
},
{
"id": "CVE-2004-0554",
"summary": "Linux kernel 2.4.x and 2.6.x for x86 allows local users to cause a denial of service (system crash), possibly via an infinite loop that triggers a signal handler with a certain sequence of fsave and frstor instructions, as originally demonstrated using a \"crash.c\" program.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0554"
},
{
"id": "CVE-2004-0565",
"summary": "Floating point information leak in the context switch code for Linux 2.4.x only checks the MFH bit but does not verify the FPH owner, which allows local users to read register values of other processes by setting the MFH bit.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0565"
},
{
"id": "CVE-2004-0596",
"summary": "The Equalizer Load-balancer for serial network interfaces (eql.c) in Linux kernel 2.6.x up to 2.6.7 allows local users to cause a denial of service via a non-existent device name that triggers a null dereference.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0596"
},
{
"id": "CVE-2004-0626",
"summary": "The tcp_find_option function of the netfilter subsystem in Linux kernel 2.6, when using iptables and TCP options rules, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a large option length that produces a negative integer after a casting operation to the char type.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0626"
},
{
"id": "CVE-2004-0658",
"summary": "Integer overflow in the hpsb_alloc_packet function (incorrectly reported as alloc_hpsb_packet) in IEEE 1394 (Firewire) driver 2.4 and 2.6 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via the functions (1) raw1394_write, (2) state_connected, (3) handle_remote_request, or (4) hpsb_make_writebpacket.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0658"
},
{
"id": "CVE-2004-0685",
"summary": "Certain USB drivers in the Linux 2.4 kernel use the copy_to_user function on uninitialized structures, which could allow local users to obtain sensitive information by reading memory that was not cleared from previous usage.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0685"
},
{
"id": "CVE-2004-0812",
"summary": "Unknown vulnerability in the Linux kernel before 2.4.23, on the AMD AMD64 and Intel EM64T architectures, associated with \"setting up TSS limits,\" allows local users to cause a denial of service (crash) and possibly execute arbitrary code.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0812"
},
{
"id": "CVE-2004-0814",
"summary": "Multiple race conditions in the terminal layer in Linux 2.4.x, and 2.6.x before 2.6.9, allow (1) local users to obtain portions of kernel data via a TIOCSETD ioctl call to a terminal interface that is being accessed by another thread, or (2) remote attackers to cause a denial of service (panic) by switching from console to PPP line discipline, then quickly sending data that is received during the switch.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0814"
},
{
"id": "CVE-2004-0816",
"summary": "Integer underflow in the firewall logging rules for iptables in Linux before 2.6.8 allows remote attackers to cause a denial of service (application crash) via a malformed IP packet.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0816"
},
{
"id": "CVE-2004-0883",
"summary": "Multiple vulnerabilities in the samba filesystem (smbfs) in Linux kernel 2.4 and 2.6 allow remote samba servers to cause a denial of service (crash) or gain sensitive information from kernel memory via a samba server (1) returning more data than requested to the smb_proc_read function, (2) returning a data offset from outside the samba packet to the smb_proc_readX function, (3) sending a certain TRANS2 fragmented packet to the smb_receive_trans2 function, (4) sending a samba packet with a certain header size to the smb_proc_readX_data function, or (5) sending a certain packet based offset for the data in a packet to the smb_receive_trans2 function.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0883"
},
{
"id": "CVE-2004-0887",
"summary": "SUSE Linux Enterprise Server 9 on the S/390 platform does not properly handle a certain privileged instruction, which allows local users to gain root privileges.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0887"
},
{
"id": "CVE-2004-0949",
"summary": "The smb_recv_trans2 function call in the samba filesystem (smbfs) in Linux kernel 2.4 and 2.6 does not properly handle the re-assembly of fragmented packets correctly, which could allow remote samba servers to (1) read arbitrary kernel information or (2) raise a counter value to an arbitrary number by sending the first part of the fragmented packet multiple times.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0949"
},
{
"id": "CVE-2004-0986",
"summary": "Iptables before 1.2.11, under certain conditions, does not properly load the required modules at system startup, which causes the firewall rules to fail to load and protect the system from remote attackers.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0986"
},
{
"id": "CVE-2004-0997",
"summary": "Unspecified vulnerability in the ptrace MIPS assembly code in Linux kernel 2.4 before 2.4.17 allows local users to gain privileges via unknown vectors.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0997"
},
{
"id": "CVE-2004-1016",
"summary": "The scm_send function in the scm layer for Linux kernel 2.4.x up to 2.4.28, and 2.6.x up to 2.6.9, allows local users to cause a denial of service (system hang) via crafted auxiliary messages that are passed to the sendmsg function, which causes a deadlock condition.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1016"
},
{
"id": "CVE-2004-1017",
"summary": "Multiple \"overflows\" in the io_edgeport driver for Linux kernel 2.4.x have unknown impact and unknown attack vectors.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1017"
},
{
"id": "CVE-2004-1056",
"summary": "Direct Rendering Manager (DRM) driver in Linux kernel 2.6 does not properly check the DMA lock, which could allow remote attackers or local users to cause a denial of service (X Server crash) and possibly modify the video output.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1056"
},
{
"id": "CVE-2004-1057",
"summary": "Multiple drivers in Linux kernel 2.4.19 and earlier do not properly mark memory with the VM_IO flag, which causes incorrect reference counts and may lead to a denial of service (kernel panic) when accessing freed kernel pages.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1057"
},
{
"id": "CVE-2004-1058",
"summary": "Race condition in Linux kernel 2.6 allows local users to read the environment variables of another process that is still spawning via /proc/.../cmdline.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1058"
},
{
"id": "CVE-2004-1068",
"summary": "A \"missing serialization\" error in the unix_dgram_recvmsg function in Linux 2.4.27 and earlier, and 2.6.x up to 2.6.9, allows local users to gain privileges via a race condition.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1068"
},
{
"id": "CVE-2004-1069",
"summary": "Race condition in SELinux 2.6.x through 2.6.9 allows local users to cause a denial of service (kernel crash) via SOCK_SEQPACKET unix domain sockets, which are not properly handled in the sock_dgram_sendmsg function.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1069"
},
{
"id": "CVE-2004-1070",
"summary": "The load_elf_binary function in the binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, does not properly check return values from calls to the kernel_read function, which may allow local users to modify sensitive memory in a setuid program and execute arbitrary code.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1070"
},
{
"id": "CVE-2004-1071",
"summary": "The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, does not properly handle a failed call to the mmap function, which causes an incorrect mapped image and may allow local users to execute arbitrary code.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1071"
},
{
"id": "CVE-2004-1072",
"summary": "The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, may create an interpreter name string that is not NULL terminated, which could cause strings longer than PATH_MAX to be used, leading to buffer overflows that allow local users to cause a denial of service (hang) and possibly execute arbitrary code.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1072"
},
{
"id": "CVE-2004-1073",
"summary": "The open_exec function in the execve functionality (exec.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, allows local users to read non-readable ELF binaries by using the interpreter (PT_INTERP) functionality.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1073"
},
{
"id": "CVE-2004-1137",
"summary": "Multiple vulnerabilities in the IGMP functionality for Linux kernel 2.4.22 to 2.4.28, and 2.6.x to 2.6.9, allow local and remote attackers to cause a denial of service or execute arbitrary code via (1) the ip_mc_source function, which decrements a counter to -1, or (2) the igmp_marksources function, which does not properly validate IGMP message parameters and performs an out-of-bounds read.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1137"
},
{
"id": "CVE-2004-1144",
"summary": "Unknown vulnerability in the 32bit emulation code in Linux 2.4 on AMD64 systems allows local users to gain privileges.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1144"
},
{
"id": "CVE-2004-1151",
"summary": "Multiple buffer overflows in the (1) sys32_ni_syscall and (2) sys32_vm86_warning functions in sys_ia32.c for Linux 2.6.x may allow local attackers to modify kernel memory and gain privileges.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1151"
},
{
"id": "CVE-2004-1234",
"summary": "load_elf_binary in Linux before 2.4.26 allows local users to cause a denial of service (system crash) via an ELF binary in which the interpreter is NULL.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1234"
},
{
"id": "CVE-2004-1235",
"summary": "Race condition in the (1) load_elf_library and (2) binfmt_aout function calls for uselib in Linux kernel 2.4 through 2.429-rc2 and 2.6 through 2.6.10 allows local users to execute arbitrary code by manipulating the VMA descriptor.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1235"
},
{
"id": "CVE-2004-1237",
"summary": "Unknown vulnerability in the system call filtering code in the audit subsystem for Red Hat Enterprise Linux 3 allows local users to cause a denial of service (system crash) via unknown vectors.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1237"
},
{
"id": "CVE-2004-1333",
"summary": "Integer overflow in the vc_resize function in the Linux kernel 2.4 and 2.6 before 2.6.10 allows local users to cause a denial of service (kernel crash) via a short new screen value, which leads to a buffer overflow.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1333"
},
{
"id": "CVE-2004-1335",
"summary": "Memory leak in the ip_options_get function in the Linux kernel before 2.6.10 allows local users to cause a denial of service (memory consumption) by repeatedly calling the ip_cmsg_send function.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1335"
},
{
"id": "CVE-2004-2013",
"summary": "Integer overflow in the SCTP_SOCKOPT_DEBUG_NAME SCTP socket option in socket.c in the Linux kernel 2.4.25 and earlier allows local users to execute arbitrary code via an optlen value of -1, which causes kmalloc to allocate 0 bytes of memory.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2013"
},
{
"id": "CVE-2004-2135",
"summary": "cryptoloop on Linux kernel 2.6.x, when used on certain file systems with a block size 1024 or greater, has certain \"IV computation\" weaknesses that allow watermarked files to be detected without decryption.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2135"
},
{
"id": "CVE-2004-2136",
"summary": "dm-crypt on Linux kernel 2.6.x, when used on certain file systems with a block size 1024 or greater, has certain \"IV computation\" weaknesses that allow watermarked files to be detected without decryption.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2136"
},
{
"id": "CVE-2004-2302",
"summary": "Race condition in the sysfs_read_file and sysfs_write_file functions in Linux kernel before 2.6.10 allows local users to read kernel memory and cause a denial of service (crash) via large offsets in sysfs files.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2302"
},
{
"id": "CVE-2004-2536",
"summary": "The exit_thread function (process.c) in Linux kernel 2.6 through 2.6.5 does not invalidate the per-TSS io_bitmap pointers if a process obtains IO access permissions from the ioperm function but does not drop those permissions when it exits, which allows other processes to access the per-TSS pointers, access restricted memory locations, and possibly gain privileges.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2536"
},
{
"id": "CVE-2004-2607",
"summary": "A numeric casting discrepancy in sdla_xfer in Linux kernel 2.6.x up to 2.6.5 and 2.4 up to 2.4.29-rc1 allows local users to read portions of kernel memory via a large len argument, which is received as an int but cast to a short, which prevents a read loop from filling a buffer.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2607"
},
{
"id": "CVE-2004-2660",
"summary": "Memory leak in direct-io.c in Linux kernel 2.6.x before 2.6.10 allows local users to cause a denial of service (memory consumption) via certain O_DIRECT (direct IO) write requests.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2660"
},
{
"id": "CVE-2004-2731",
"summary": "Multiple integer overflows in Sbus PROM driver (drivers/sbus/char/openprom.c) for the Linux kernel 2.4.x up to 2.4.27, 2.6.x up to 2.6.7, and possibly later versions, allow local users to execute arbitrary code by specifying (1) a small buffer size to the copyin_string function or (2) a negative buffer size to the copyin function.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2731"
},
{
"id": "CVE-2005-0001",
"summary": "Race condition in the page fault handler (fault.c) for Linux kernel 2.2.x to 2.2.7, 2.4 to 2.4.29, and 2.6 to 2.6.10, when running on multiprocessor machines, allows local users to execute arbitrary code via concurrent threads that share the same virtual memory space and simultaneously request stack expansion.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0001"
},
{
"id": "CVE-2005-0003",
"summary": "The 64 bit ELF support in Linux kernel 2.6 before 2.6.10, on 64-bit architectures, does not properly check for overlapping VMA (virtual memory address) allocations, which allows local users to cause a denial of service (system crash) or execute arbitrary code via a crafted ELF or a.out file.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0003"
},
{
"id": "CVE-2005-0124",
"summary": "The coda_pioctl function in the coda functionality (pioctl.c) for Linux kernel 2.6.9 and 2.4.x before 2.4.29 may allow local users to cause a denial of service (crash) or execute arbitrary code via negative vi.in_size or vi.out_size values, which may trigger a buffer overflow.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0124"
},
{
"id": "CVE-2005-0135",
"summary": "The unw_unwind_to_user function in unwind.c on Itanium (ia64) architectures in Linux kernel 2.6 allows local users to cause a denial of service (system crash).",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0135"
},
{
"id": "CVE-2005-0136",
"summary": "The Linux kernel before 2.6.11 on the Itanium IA64 platform has certain \"ptrace corner cases\" that allow local users to cause a denial of service (crash) via crafted syscalls, possibly related to MCA/INIT, a different vulnerability than CVE-2005-1761.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0136"
},
{
"id": "CVE-2005-0137",
"summary": "Linux kernel 2.6 on Itanium (ia64) architectures allows local users to cause a denial of service via a \"missing Itanium syscall table entry.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0137"
},
{
"id": "CVE-2005-0176",
"summary": "The shmctl function in Linux 2.6.9 and earlier allows local users to unlock the memory of other processes, which could cause sensitive memory to be swapped to disk, which could allow it to be read by other users once it has been released.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0176"
},
{
"id": "CVE-2005-0177",
"summary": "nls_ascii.c in Linux before 2.6.8.1 uses an incorrect table size, which allows attackers to cause a denial of service (kernel crash) via a buffer overflow.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0177"
},
{
"id": "CVE-2005-0178",
"summary": "Race condition in the setsid function in Linux before 2.6.8.1 allows local users to cause a denial of service (crash) and possibly access portions of kernel memory, related to TTY changes, locking, and semaphores.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0178"
},
{
"id": "CVE-2005-0179",
"summary": "Linux kernel 2.4.x and 2.6.x allows local users to cause a denial of service (CPU and memory consumption) and bypass RLIM_MEMLOCK limits via the mlockall call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0179"
},
{
"id": "CVE-2005-0180",
"summary": "Multiple integer signedness errors in the sg_scsi_ioctl function in scsi_ioctl.c for Linux 2.6.x allow local users to read or modify kernel memory via negative integers in arguments to the scsi ioctl, which bypass a maximum length check before calling the copy_from_user and copy_to_user functions.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0180"
},
{
"id": "CVE-2005-0204",
"summary": "Linux kernel before 2.6.9, when running on the AMD64 and Intel EM64T architectures, allows local users to write to privileged IO ports via the OUTS instruction.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0204"
},
{
"id": "CVE-2005-0207",
"summary": "Unknown vulnerability in Linux kernel 2.4.x, 2.5.x, and 2.6.x allows NFS clients to cause a denial of service via O_DIRECT.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0207"
},
{
"id": "CVE-2005-0209",
"summary": "Netfilter in Linux kernel 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) via crafted IP packet fragments.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0209"
},
{
"id": "CVE-2005-0210",
"summary": "Netfilter in the Linux kernel 2.6.8.1 allows local users to cause a denial of service (memory consumption) via certain packet fragments that are reassembled twice, which causes a data structure to be allocated twice.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0210"
},
{
"id": "CVE-2005-0400",
"summary": "The ext2_make_empty function call in the Linux kernel before 2.6.11.6 does not properly initialize memory when creating a block for a new directory entry, which allows local users to obtain potentially sensitive information by reading the block.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0400"
},
{
"id": "CVE-2005-0449",
"summary": "The netfilter/iptables module in Linux before 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) or bypass firewall rules via crafted packets, which are not properly handled by the skb_checksum_help function.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0449"
},
{
"id": "CVE-2005-0489",
"summary": "The /proc handling (proc/base.c) Linux kernel 2.4 before 2.4.17 allows local users to cause a denial of service via unknown vectors that cause an invalid access of free memory.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0489"
},
{
"id": "CVE-2005-0504",
"summary": "Buffer overflow in the MoxaDriverIoctl function for the moxa serial driver (moxa.c) in Linux 2.2.x, 2.4.x, and 2.6.x before 2.6.22 allows local users to execute arbitrary code via a certain modified length value.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0504"
},
{
"id": "CVE-2005-0529",
"summary": "Linux kernel 2.6.10 and 2.6.11rc1-bk6 uses different size types for offset arguments to the proc_file_read and locks_read_proc functions, which leads to a heap-based buffer overflow when a signed comparison causes negative integers to be used in a positive context.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0529"
},
{
"id": "CVE-2005-0530",
"summary": "Signedness error in the copy_from_read_buf function in n_tty.c for Linux kernel 2.6.10 and 2.6.11rc1 allows local users to read kernel memory via a negative argument.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0530"
},
{
"id": "CVE-2005-0531",
"summary": "The atm_get_addr function in addr.c for Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4 may allow local users to trigger a buffer overflow via negative arguments.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0531"
},
{
"id": "CVE-2005-0532",
"summary": "The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c for Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4, when running on 64-bit architectures, may allow local users to trigger a buffer overflow as a result of casting discrepancies between size_t and int data types.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0532"
},
{
"id": "CVE-2005-0736",
"summary": "Integer overflow in sys_epoll_wait in eventpoll.c for Linux kernel 2.6 to 2.6.11 allows local users to overwrite kernel memory via a large number of events.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0736"
},
{
"id": "CVE-2005-0749",
"summary": "The load_elf_library in the Linux kernel before 2.6.11.6 allows local users to cause a denial of service (kernel crash) via a crafted ELF library or executable, which causes a free of an invalid pointer.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0749"
},
{
"id": "CVE-2005-0750",
"summary": "The bluez_sock_create function in the Bluetooth stack for Linux kernel 2.4.6 through 2.4.30-rc1 and 2.6 through 2.6.11.5 allows local users to gain privileges via (1) socket or (2) socketpair call with a negative protocol value.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0750"
},
{
"id": "CVE-2005-0756",
"summary": "ptrace in Linux kernel 2.6.8.1 does not properly verify addresses on the amd64 platform, which allows local users to cause a denial of service (kernel crash).",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0756"
},
{
"id": "CVE-2005-0767",
"summary": "Race condition in the Radeon DRI driver for Linux kernel 2.6.8.1 allows local users with DRI privileges to execute arbitrary code as root.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0767"
},
{
"id": "CVE-2005-0815",
"summary": "Multiple \"range checking flaws\" in the ISO9660 filesystem handler in Linux 2.6.11 and earlier may allow attackers to cause a denial of service or corrupt memory via a crafted filesystem.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0815"
},
{
"id": "CVE-2005-0839",
"summary": "Linux kernel 2.6 before 2.6.11 does not restrict access to the N_MOUSE line discipline for a TTY, which allows local users to gain privileges by injecting mouse or keyboard events into other user sessions.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0839"
},
{
"id": "CVE-2005-0867",
"summary": "Integer overflow in Linux kernel 2.6 allows local users to overwrite kernel memory by writing to a sysfs file.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0867"
},
{
"id": "CVE-2005-0916",
"summary": "AIO in the Linux kernel 2.6.11 on the PPC64 or IA64 architectures with CONFIG_HUGETLB_PAGE enabled allows local users to cause a denial of service (system panic) via a process that executes the io_queue_init function but exits without running io_queue_release, which causes exit_aio and is_hugepage_only_range to fail.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0916"
},
{
"id": "CVE-2005-0937",
"summary": "Some futex functions in futex.c for Linux kernel 2.6.x perform get_user calls while holding the mmap_sem semaphore, which could allow local users to cause a deadlock condition in do_page_fault by triggering get_user faults while another thread is executing mmap or other functions.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0937"
},
{
"id": "CVE-2005-0977",
"summary": "The shmem_nopage function in shmem.c for the tmpfs driver in Linux kernel 2.6 does not properly verify the address argument, which allows local users to cause a denial of service (kernel crash) via an invalid address.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0977"
},
{
"id": "CVE-2005-1041",
"summary": "The fib_seq_start function in fib_hash.c in Linux kernel allows local users to cause a denial of service (system crash) via /proc/net/route.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1041"
},
{
"id": "CVE-2005-1263",
"summary": "The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pass a signed integer comparison, leading to a buffer overflow.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1263"
},
{
"id": "CVE-2005-1264",
"summary": "Raw character devices (raw.c) in the Linux kernel 2.6.x call the wrong function before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space, a similar vulnerability to CVE-2005-1589.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1264"
},
{
"id": "CVE-2005-1265",
"summary": "The mmap function in the Linux Kernel 2.6.10 can be used to create memory maps with a start address beyond the end address, which allows local users to cause a denial of service (kernel crash).",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1265"
},
{
"id": "CVE-2005-1368",
"summary": "The key_user_lookup function in security/keys/key.c in Linux kernel 2.6.10 to 2.6.11.8 may allow attackers to cause a denial of service (oops) via SMP.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1368"
},
{
"id": "CVE-2005-1369",
"summary": "The (1) it87 and (2) via686a drivers in I2C for Linux 2.6.x before 2.6.11.8, and 2.6.12 before 2.6.12-rc2, create the sysfs \"alarms\" file with write permissions, which allows local users to cause a denial of service (CPU consumption) by attempting to write to the file, which does not have an associated store function.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1369"
},
{
"id": "CVE-2005-1589",
"summary": "The pkt_ioctl function in the pktcdvd block device ioctl handler (pktcdvd.c) in Linux kernel 2.6.12-rc4 and earlier calls the wrong function before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space and allows local users to cause a denial of service and possibly execute arbitrary code, a similar vulnerability to CVE-2005-1264.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1589"
},
{
"id": "CVE-2005-1762",
"summary": "The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform allows local users to cause a denial of service (kernel crash) via a \"non-canonical\" address.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1762"
},
{
"id": "CVE-2005-1764",
"summary": "Linux 2.6.11 on 64-bit x86 (x86_64) platforms does not use a guard page for the 47-bit address page to protect against an AMD K8 bug, which allows local users to cause a denial of service.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1764"
},
{
"id": "CVE-2005-1765",
"summary": "syscall in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform, when running in 32-bit compatibility mode, allows local users to cause a denial of service (kernel hang) via crafted arguments.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1765"
},
{
"id": "CVE-2005-1768",
"summary": "Race condition in the ia32 compatibility code for the execve system call in Linux kernel 2.4 before 2.4.31 and 2.6 before 2.6.6 allows local users to cause a denial of service (kernel panic) and possibly execute arbitrary code via a concurrent thread that increments a pointer count after the nargs function has counted the pointers, but before the count is copied from user space to kernel space, which leads to a buffer overflow.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1768"
},
{
"id": "CVE-2005-1913",
"summary": "The Linux kernel 2.6 before 2.6.12.1 allows local users to cause a denial of service (kernel panic) via a non group-leader thread executing a different program than was pending in itimer, which causes the signal to be delivered to the old group-leader task, which does not exist.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1913"
},
{
"id": "CVE-2005-2098",
"summary": "The KEYCTL_JOIN_SESSION_KEYRING operation in the Linux kernel before 2.6.12.5 contains an error path that does not properly release the session management semaphore, which allows local users or remote attackers to cause a denial of service (semaphore hang) via a new session keyring (1) with an empty name string, (2) with a long name string, (3) with the key quota reached, or (4) ENOMEM.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2098"
},
{
"id": "CVE-2005-2099",
"summary": "The Linux kernel before 2.6.12.5 does not properly destroy a keyring that is not instantiated properly, which allows local users or remote attackers to cause a denial of service (kernel oops) via a keyring with a payload that is not empty, which causes the creation to fail, leading to a null dereference in the keyring destructor.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2099"
},
{
"id": "CVE-2005-2456",
"summary": "Array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c in Linux kernel 2.6 allows local users to cause a denial of service (oops or deadlock) and possibly execute arbitrary code via a p->dir value that is larger than XFRM_POLICY_OUT, which is used as an index in the sock->sk_policy array.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2456"
},
{
"id": "CVE-2005-2457",
"summary": "The driver for compressed ISO file systems (zisofs) in the Linux kernel before 2.6.12.5 allows local users and remote attackers to cause a denial of service (kernel crash) via a crafted compressed ISO file system.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2457"
},
{
"id": "CVE-2005-2458",
"summary": "inflate.c in the zlib routines in the Linux kernel before 2.6.12.5 allows remote attackers to cause a denial of service (kernel crash) via a compressed file with \"improper tables\".",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2458"
},
{
"id": "CVE-2005-2459",
"summary": "The huft_build function in inflate.c in the zlib routines in the Linux kernel before 2.6.12.5 returns the wrong value, which allows remote attackers to cause a denial of service (kernel crash) via a certain compressed file that leads to a null pointer dereference, a different vulnerability than CVE-2005-2458.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2459"
},
{
"id": "CVE-2005-2490",
"summary": "Stack-based buffer overflow in the sendmsg function call in the Linux kernel 2.6 before 2.6.13.1 allows local users to execute arbitrary code by calling sendmsg and modifying the message contents in another thread.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2490"
},
{
"id": "CVE-2005-2492",
"summary": "The raw_sendmsg function in the Linux kernel 2.6 before 2.6.13.1 allows local users to cause a denial of service (change hardware state) or read from arbitrary memory via crafted input.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2492"
},
{
"id": "CVE-2005-2500",
"summary": "Buffer overflow in the xdr_xcode_array2 function in xdr.c in Linux kernel 2.6.12, as used in SuSE Linux Enterprise Server 9, might allow remote attackers to cause a denial of service and possibly execute arbitrary code via crafted XDR data for the nfsacl protocol.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2500"
},
{
"id": "CVE-2005-2548",
"summary": "vlan_dev.c in the VLAN code for Linux kernel 2.6.8 allows remote attackers to cause a denial of service (kernel oops from null dereference) via certain UDP packets that lead to a function call with the wrong argument, as demonstrated using snmpwalk on snmpd.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2548"
},
{
"id": "CVE-2005-2553",
"summary": "The find_target function in ptrace32.c in the Linux kernel 2.4.x before 2.4.29 does not properly handle a NULL return value from another function, which allows local users to cause a denial of service (kernel crash/oops) by running a 32-bit ltrace program with the -i option on a 64-bit executable program.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2553"
},
{
"id": "CVE-2005-2555",
"summary": "Linux kernel 2.6.x does not properly restrict socket policy access to users with the CAP_NET_ADMIN capability, which could allow local users to conduct unauthorized activities via (1) ipv4/ip_sockglue.c and (2) ipv6/ipv6_sockglue.c.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2555"
},
{
"id": "CVE-2005-2617",
"summary": "The syscall32_setup_pages function in syscall32.c for Linux kernel 2.6.12 and later, on the 64-bit x86 platform, does not check the return value of the insert_vm_struct function, which allows local users to trigger a memory leak via a 32-bit application with crafted ELF headers.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2617"
},
{
"id": "CVE-2005-2708",
"summary": "The search_binary_handler function in exec.c in Linux 2.4 kernel on 64-bit x86 architectures does not check a return code for a particular function call when virtual memory is low, which allows local users to cause a denial of service (panic), as demonstrated by running a process using the bash ulimit -v command.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2708"
},
{
"id": "CVE-2005-2709",
"summary": "The sysctl functionality (sysctl.c) in Linux kernel before 2.6.14.1 allows local users to cause a denial of service (kernel oops) and possibly execute code by opening an interface file in /proc/sys/net/ipv4/conf/, waiting until the interface is unregistered, then obtaining and modifying function pointers in memory that was used for the ctl_table.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2709"
},
{
"id": "CVE-2005-2800",
"summary": "Memory leak in the seq_file implementation in the SCSI procfs interface (sg.c) in Linux kernel 2.6.13 and earlier allows local users to cause a denial of service (memory consumption) via certain repeated reads from the /proc/scsi/sg/devices file, which is not properly handled when the next() iterator returns NULL or an error.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2800"
},
{
"id": "CVE-2005-2801",
"summary": "xattr.c in the ext2 and ext3 file system code for Linux kernel 2.6 does not properly compare the name_index fields when sharing xattr blocks, which could prevent default ACLs from being applied.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2801"
},
{
"id": "CVE-2005-2872",
"summary": "The ipt_recent kernel module (ipt_recent.c) in Linux kernel before 2.6.12, when running on 64-bit processors such as AMD64, allows remote attackers to cause a denial of service (kernel panic) via certain attacks such as SSH brute force, which leads to memset calls using a length based on the u_int32_t type, acting on an array of unsigned long elements, a different vulnerability than CVE-2005-2873.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2872"
},
{
"id": "CVE-2005-2873",
"summary": "The ipt_recent kernel module (ipt_recent.c) in Linux kernel 2.6.12 and earlier does not properly perform certain time tests when the jiffies value is greater than LONG_MAX, which can cause ipt_recent netfilter rules to block too early, a different vulnerability than CVE-2005-2872.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2873"
},
{
"id": "CVE-2005-2973",
"summary": "The udp_v6_get_port function in udp.c in Linux 2.6 before 2.6.14-rc5, when running IPv6, allows local users to cause a denial of service (infinite loop and crash).",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2973"
},
{
"id": "CVE-2005-3044",
"summary": "Multiple vulnerabilities in Linux kernel before 2.6.13.2 allow local users to cause a denial of service (kernel OOPS from null dereference) via (1) fput in a 32-bit ioctl on 64-bit x86 systems or (2) sockfd_put in the 32-bit routing_ioctl function on 64-bit systems.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3044"
},
{
"id": "CVE-2005-3053",
"summary": "The sys_set_mempolicy function in mempolicy.c in Linux kernel 2.6.x allows local users to cause a denial of service (kernel BUG()) via a negative first argument.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3053"
},
{
"id": "CVE-2005-3055",
"summary": "Linux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a denial of service (kernel OOPS) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3055"
},
{
"id": "CVE-2005-3105",
"summary": "The mprotect code (mprotect.c) in Linux 2.6 on Itanium IA64 Montecito processors does not properly maintain cache coherency as required by the architecture, which allows local users to cause a denial of service and possibly corrupt data by modifying PTE protections.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3105"
},
{
"id": "CVE-2005-3106",
"summary": "Race condition in Linux 2.6, when threads are sharing memory mapping via CLONE_VM (such as linuxthreads and vfork), might allow local users to cause a denial of service (deadlock) by triggering a core dump while waiting for a thread that has just performed an exec.",
"scorev2": "1.2",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3106"
},
{
"id": "CVE-2005-3107",
"summary": "fs/exec.c in Linux 2.6, when one thread is tracing another thread that shares the same memory map, might allow local users to cause a denial of service (deadlock) by forcing a core dump when the traced thread is in the TASK_TRACED state.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3107"
},
{
"id": "CVE-2005-3108",
"summary": "mm/ioremap.c in Linux 2.6 on 64-bit x86 systems allows local users to cause a denial of service or an information leak via an ioremap on a certain memory map that causes the iounmap to perform a lookup of a page that does not exist.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3108"
},
{
"id": "CVE-2005-3109",
"summary": "The HFS and HFS+ (hfsplus) modules in Linux 2.6 allow attackers to cause a denial of service (oops) by using hfsplus to mount a filesystem that is not hfsplus.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3109"
},
{
"id": "CVE-2005-3110",
"summary": "Race condition in ebtables netfilter module (ebtables.c) in Linux 2.6, when running on an SMP system that is operating under a heavy load, might allow remote attackers to cause a denial of service (crash) via a series of packets that cause a value to be modified after it has been read but before it has been locked.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3110"
},
{
"id": "CVE-2005-3119",
"summary": "Memory leak in the request_key_auth_destroy function in request_key_auth in Linux kernel 2.6.10 up to 2.6.13 allows local users to cause a denial of service (memory consumption) via a large number of authorization token keys.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3119"
},
{
"id": "CVE-2005-3179",
"summary": "drm.c in Linux kernel 2.6.10 to 2.6.13 creates a debug file in sysfs with world-readable and world-writable permissions, which allows local users to enable DRM debugging and obtain sensitive information.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3179"
},
{
"id": "CVE-2005-3180",
"summary": "The Orinoco driver (orinoco.c) in Linux kernel 2.6.13 and earlier does not properly clear memory from a previously used packet whose length is increased, which allows remote attackers to obtain sensitive information.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3180"
},
{
"id": "CVE-2005-3181",
"summary": "The audit system in Linux kernel 2.6.6, and other versions before 2.6.13.4, when CONFIG_AUDITSYSCALL is enabled, uses an incorrect function to free names_cache memory, which prevents the memory from being tracked by AUDITSYSCALL code and leads to a memory leak that allows attackers to cause a denial of service (memory consumption).",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3181"
},
{
"id": "CVE-2005-3257",
"summary": "The VT implementation (vt_ioctl.c) in Linux kernel 2.6.12, and possibly other versions including 2.6.14.4, allows local users to use the KDSKBSENT ioctl on terminals of other users and gain privileges, as demonstrated by modifying key bindings using loadkeys.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3257"
},
{
"id": "CVE-2005-3271",
"summary": "Exec in Linux kernel 2.6 does not properly clear posix-timers in multi-threaded environments, which results in a resource leak and could allow a large number of multiple local users to cause a denial of service by using more posix-timers than specified by the quota for a single user.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3271"
},
{
"id": "CVE-2005-3272",
"summary": "Linux kernel before 2.6.12 allows remote attackers to poison the bridge forwarding table using frames that have already been dropped by filtering, which can cause the bridge to forward spoofed packets.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3272"
},
{
"id": "CVE-2005-3273",
"summary": "The rose_rt_ioctl function in rose_route.c for Radionet Open Source Environment (ROSE) in Linux 2.6 kernels before 2.6.12, and 2.4 before 2.4.29, does not properly verify the ndigis argument for a new route, which allows attackers to trigger array out-of-bounds errors with a large number of digipeats.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3273"
},
{
"id": "CVE-2005-3274",
"summary": "Race condition in ip_vs_conn_flush in Linux 2.6 before 2.6.13 and 2.4 before 2.4.32-pre2, when running on SMP systems, allows local users to cause a denial of service (null dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired.",
"scorev2": "1.2",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3274"
},
{
"id": "CVE-2005-3275",
"summary": "The NAT code (1) ip_nat_proto_tcp.c and (2) ip_nat_proto_udp.c in Linux kernel 2.6 before 2.6.13 and 2.4 before 2.4.32-rc1 incorrectly declares a variable to be static, which allows remote attackers to cause a denial of service (memory corruption) by causing two packets for the same protocol to be NATed at the same time, which leads to memory corruption.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3275"
},
{
"id": "CVE-2005-3276",
"summary": "The sys_get_thread_area function in process.c in Linux 2.6 before 2.6.12.4 and 2.6.13 does not clear a data structure before copying it to userspace, which might allow a user process to obtain sensitive information.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3276"
},
{
"id": "CVE-2005-3356",
"summary": "The mq_open system call in Linux kernel 2.6.9, in certain situations, can decrement a counter twice (\"double decrement\") as a result of multiple calls to the mntput function when the dentry_open function call fails, which allows local users to cause a denial of service (panic) via unspecified attack vectors.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3356"
},
{
"id": "CVE-2005-3358",
"summary": "Linux kernel before 2.6.15 allows local users to cause a denial of service (panic) via a set_mempolicy call with a 0 bitmask, which causes a panic when a page fault occurs.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3358"
},
{
"id": "CVE-2005-3359",
"summary": "The atm module in Linux kernel 2.6 before 2.6.14 allows local users to cause a denial of service (panic) via certain socket calls that produce inconsistent reference counts for loadable protocol modules.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3359"
},
{
"id": "CVE-2005-3527",
"summary": "Race condition in do_coredump in signal.c in Linux kernel 2.6 allows local users to cause a denial of service by triggering a core dump in one thread while another thread has a pending SIGSTOP.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3527"
},
{
"id": "CVE-2005-3623",
"summary": "nfs2acl.c in the Linux kernel 2.6.14.4 does not check for MAY_SATTR privilege before setting access controls (ACL) on files on exported NFS filesystems, which allows remote attackers to bypass ACLs for readonly mounted NFS filesystems.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3623"
},
{
"id": "CVE-2005-3660",
"summary": "Linux kernel 2.4 and 2.6 allows attackers to cause a denial of service (memory exhaustion and panic) by creating a large number of connected file descriptors or socketpairs and setting a large data transfer buffer, then preventing Linux from being able to finish the transfer by causing the process to become a zombie, or closing the file descriptor without closing an associated reference.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3660"
},
{
"id": "CVE-2005-3753",
"summary": "Linux kernel before after 2.6.12 and before 2.6.13.1 might allow attackers to cause a denial of service (Oops) via certain IPSec packets that cause alignment problems in standard multi-block cipher processors. NOTE: it is not clear whether this issue can be triggered by an attacker.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3753"
},
{
"id": "CVE-2005-3783",
"summary": "The ptrace functionality (ptrace.c) in Linux kernel 2.6 before 2.6.14.2, using CLONE_THREAD, does not use the thread group ID to check whether it is attaching to itself, which allows local users to cause a denial of service (crash).",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3783"
},
{
"id": "CVE-2005-3784",
"summary": "The auto-reap of child processes in Linux kernel 2.6 before 2.6.15 includes processes with ptrace attached, which leads to a dangling ptrace reference and allows local users to cause a denial of service (crash) and gain root privileges.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3784"
},
{
"id": "CVE-2005-3805",
"summary": "A locking problem in POSIX timer cleanup handling on exit in Linux kernel 2.6.10 to 2.6.14, when running on SMP systems, allows local users to cause a denial of service (deadlock) involving process CPU timers.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3805"
},
{
"id": "CVE-2005-3806",
"summary": "The IPv6 flow label handling code (ip6_flowlabel.c) in Linux kernels 2.4 up to 2.4.32 and 2.6 before 2.6.14 modifies the wrong variable in certain circumstances, which allows local users to corrupt kernel memory or cause a denial of service (crash) by triggering a free of non-allocated memory.",
"scorev2": "6.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3806"
},
{
"id": "CVE-2005-3807",
"summary": "Memory leak in the VFS file lease handling in locks.c in Linux kernels 2.6.10 to 2.6.15 allows local users to cause a denial of service (memory exhaustion) via certain Samba activities that cause an fasync entry to be re-allocated by the fcntl_setlease function after the fasync queue has already been cleaned by the locks_delete_lock function.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3807"
},
{
"id": "CVE-2005-3808",
"summary": "Integer overflow in the invalidate_inode_pages2_range function in mm/truncate.c in Linux kernel 2.6.11 to 2.6.14 allows local users to cause a denial of service (hang) via 64-bit mmap calls that are not properly handled on a 32-bit system.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3808"
},
{
"id": "CVE-2005-3809",
"summary": "The nfattr_to_tcp function in ip_conntrack_proto_tcp.c in ctnetlink in Linux kernel 2.6.14 up to 2.6.14.3 allows attackers to cause a denial of service (kernel oops) via an update message without private protocol information, which triggers a null dereference.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3809"
},
{
"id": "CVE-2005-3810",
"summary": "ip_conntrack_proto_icmp.c in ctnetlink in Linux kernel 2.6.14 up to 2.6.14.3 allows attackers to cause a denial of service (kernel oops) via a message without ICMP ID (ICMP_ID) information, which leads to a null dereference.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3810"
},
{
"id": "CVE-2005-3847",
"summary": "The handle_stop_signal function in signal.c in Linux kernel 2.6.11 up to other versions before 2.6.13 and 2.6.12.6 allows local users to cause a denial of service (deadlock) by sending a SIGKILL to a real-time threaded process while it is performing a core dump.",
"scorev2": "4.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3847"
},
{
"id": "CVE-2005-3848",
"summary": "Memory leak in the icmp_push_reply function in Linux 2.6 before 2.6.12.6 and 2.6.13 allows remote attackers to cause a denial of service (memory consumption) via a large number of crafted packets that cause the ip_append_data function to fail, aka \"DST leak in icmp_push_reply.\"",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3848"
},
{
"id": "CVE-2005-3857",
"summary": "The time_out_leases function in locks.c for Linux kernel before 2.6.15-rc3 allows local users to cause a denial of service (kernel log message consumption) by causing a large number of broken leases, which is recorded to the log using the printk function.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3857"
},
{
"id": "CVE-2005-3858",
"summary": "Memory leak in the ip6_input_finish function in ip6_input.c in Linux kernel 2.6.12 and earlier might allow attackers to cause a denial of service via malformed IPv6 packets with unspecified parameter problems, which prevents the SKB from being freed.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3858"
},
{
"id": "CVE-2005-4351",
"summary": "The securelevels implementation in FreeBSD 7.0 and earlier, OpenBSD up to 3.8, DragonFly up to 1.2, and Linux up to 2.6.15 allows root users to bypass immutable settings for files by mounting another filesystem that masks the immutable files while the system is running.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4351"
},
{
"id": "CVE-2005-4352",
"summary": "The securelevels implementation in NetBSD 2.1 and earlier, and Linux 2.6.15 and earlier, allows local users to bypass time setting restrictions and set the clock backwards by setting the clock ahead to the maximum unixtime value (19 Jan 2038), which then wraps around to the minimum value (13 Dec 1901), which can then be set ahead to the desired time, aka \"settimeofday() time wrap.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4352"
},
{
"id": "CVE-2005-4605",
"summary": "The procfs code (proc_misc.c) in Linux 2.6.14.3 and other versions before 2.6.15 allows attackers to read sensitive kernel memory via unspecified vectors in which a signed value is added to an unsigned value.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4605"
},
{
"id": "CVE-2005-4618",
"summary": "Buffer overflow in sysctl in the Linux Kernel 2.6 before 2.6.15 allows local users to corrupt user memory and possibly cause a denial of service via a long string, which causes sysctl to write a zero byte outside the buffer. NOTE: since the sysctl is called from a userland program that provides the argument, this might not be a vulnerability, unless a legitimate user-assisted or setuid scenario can be identified.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4618"
},
{
"id": "CVE-2005-4635",
"summary": "The nl_fib_input function in fib_frontend.c in the Linux kernel before 2.6.15 does not check for valid lengths of the header and payload, which allows remote attackers to cause a denial of service (invalid memory reference) via malformed fib_lookup netlink messages.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4635"
},
{
"id": "CVE-2005-4639",
"summary": "Buffer overflow in the CA-driver (dst_ca.c) for TwinHan DST Frontend/Card in Linux kernel 2.6.12 and other versions before 2.6.15 allows local users to cause a denial of service (crash) and possibly execute arbitrary code by \"reading more than 8 bytes into an 8 byte long array\".",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4639"
},
{
"id": "CVE-2005-4798",
"summary": "Buffer overflow in NFS readlink handling in the Linux Kernel 2.4 up to 2.4.31 allows remote NFS servers to cause a denial of service (crash) via a long symlink, which is not properly handled in (1) nfs2xdr.c or (2) nfs3xdr.c and causes a crash in the NFS client.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4798"
},
{
"id": "CVE-2005-4811",
"summary": "The hugepage code (hugetlb.c) in Linux kernel 2.6, possibly 2.6.12 and 2.6.13, in certain configurations, allows local users to cause a denial of service (crash) by triggering an mmap error before a prefault, which causes an error in the unmap_hugepage_area function.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4811"
},
{
"id": "CVE-2005-4881",
"summary": "The netlink subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.13-rc1 does not initialize certain padding fields in structures, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors, related to the (1) tc_fill_qdisc, (2) tcf_fill_node, (3) neightbl_fill_info, (4) neightbl_fill_param_info, (5) neigh_fill_info, (6) rtnetlink_fill_ifinfo, (7) rtnetlink_fill_iwinfo, (8) vif_delete, (9) ipmr_destroy_unres, (10) ipmr_cache_alloc_unres, (11) ipmr_cache_resolve, (12) inet6_fill_ifinfo, (13) tca_get_fill, (14) tca_action_flush, (15) tcf_add_notify, (16) tc_dump_action, (17) cbq_dump_police, (18) __nlmsg_put, (19) __rta_fill, (20) __rta_reserve, (21) inet6_fill_prefix, (22) rsvp_dump, and (23) cbq_dump_ovl functions.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4881"
},
{
"id": "CVE-2005-4886",
"summary": "The selinux_parse_skb_ipv6 function in security/selinux/hooks.c in the Linux kernel before 2.6.12-rc4 allows remote attackers to cause a denial of service (OOPS) via vectors associated with an incorrect call to the ipv6_skip_exthdr function.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4886"
},
{
"id": "CVE-2006-0035",
"summary": "The netlink_rcv_skb function in af_netlink.c in Linux kernel 2.6.14 and 2.6.15 allows local users to cause a denial of service (infinite loop) via a nlmsg_len field of 0.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0035"
},
{
"id": "CVE-2006-0036",
"summary": "ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in Linux kernel 2.6.14, and other versions, allows remote attackers to cause a denial of service (memory corruption or crash) via an inbound PPTP_IN_CALL_REQUEST packet that causes a null pointer to be used in an offset calculation.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0036"
},
{
"id": "CVE-2006-0037",
"summary": "ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in Linux kernel 2.6.14, and other versions, allows local users to cause a denial of service (memory corruption or crash) via a crafted outbound packet that causes an incorrect offset to be calculated from pointer arithmetic when non-linear SKBs (socket buffers) are used.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0037"
},
{
"id": "CVE-2006-0038",
"summary": "Integer overflow in the do_replace function in netfilter for Linux before 2.6.16-rc3, when using \"virtualization solutions\" such as OpenVZ, allows local users with CAP_NET_ADMIN rights to cause a buffer overflow in the copy_from_user function.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0038"
},
{
"id": "CVE-2006-0039",
"summary": "Race condition in the do_add_counters function in netfilter for Linux kernel 2.6.16 allows local users with CAP_NET_ADMIN capabilities to read kernel memory by triggering the race condition in a way that produces a size value that is inconsistent with allocated memory, which leads to a buffer over-read in IPT_ENTRY_ITERATE.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0039"
},
{
"id": "CVE-2006-0095",
"summary": "dm-crypt in Linux kernel 2.6.15 and earlier does not clear a structure before it is freed, which leads to a memory disclosure that could allow local users to obtain sensitive information about a cryptographic key.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0095"
},
{
"id": "CVE-2006-0096",
"summary": "wan/sdla.c in Linux kernel 2.6.x before 2.6.11 and 2.4.x before 2.4.29 does not require the CAP_SYS_RAWIO privilege for an SDLA firmware upgrade, with unknown impact and local attack vectors. NOTE: further investigation suggests that this issue requires root privileges to exploit, since it is protected by CAP_NET_ADMIN; thus it might not be a vulnerability, although capabilities provide finer distinctions between privilege levels.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0096"
},
{
"id": "CVE-2006-0454",
"summary": "Linux kernel before 2.6.15.3 down to 2.6.12, while constructing an ICMP response in icmp_send, does not properly handle when the ip_options_echo function in icmp.c fails, which allows remote attackers to cause a denial of service (crash) via vectors such as (1) record-route and (2) timestamp IP options with the needaddr bit set and a truncated value.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0454"
},
{
"id": "CVE-2006-0456",
"summary": "The strnlen_user function in Linux kernel before 2.6.16 on IBM S/390 can return an incorrect value, which allows local users to cause a denial of service via unknown vectors.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0456"
},
{
"id": "CVE-2006-0457",
"summary": "Race condition in the (1) add_key, (2) request_key, and (3) keyctl functions in Linux kernel 2.6.x allows local users to cause a denial of service (crash) or read sensitive kernel memory by modifying the length of a string argument between the time that the kernel calculates the length and when it copies the data into kernel memory.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0457"
},
{
"id": "CVE-2006-0482",
"summary": "Linux kernel 2.6.15.1 and earlier, when running on SPARC architectures, allows local users to cause a denial of service (hang) via a \"date -s\" command, which causes invalid sign extended arguments to be provided to the get_compat_timespec function call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0482"
},
{
"id": "CVE-2006-0554",
"summary": "Linux kernel 2.6 before 2.6.15.5 allows local users to obtain sensitive information via a crafted XFS ftruncate call, which may return stale data.",
"scorev2": "1.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:S/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0554"
},
{
"id": "CVE-2006-0555",
"summary": "The Linux Kernel before 2.6.15.5 allows local users to cause a denial of service (NFS client panic) via unknown attack vectors related to the use of O_DIRECT (direct I/O).",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0555"
},
{
"id": "CVE-2006-0557",
"summary": "sys_mbind in mempolicy.c in Linux kernel 2.6.16 and earlier does not sanity check the maxnod variable before making certain computations for the get_nodes function, which has unknown impact and attack vectors.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0557"
},
{
"id": "CVE-2006-0558",
"summary": "perfmon (perfmon.c) in Linux kernel on IA64 architectures allows local users to cause a denial of service (crash) by interrupting a task while another process is accessing the mm_struct, which triggers a BUG_ON action in the put_page_testzero function.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0558"
},
{
"id": "CVE-2006-0741",
"summary": "Linux kernel before 2.6.15.5, when running on Intel processors, allows local users to cause a denial of service (\"endless recursive fault\") via unknown attack vectors related to a \"bad elf entry address.\"",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0741"
},
{
"id": "CVE-2006-0742",
"summary": "The die_if_kernel function in arch/ia64/kernel/unaligned.c in Linux kernel 2.6.x before 2.6.15.6, possibly when compiled with certain versions of gcc, has the \"noreturn\" attribute set, which allows local users to cause a denial of service by causing user faults on Itanium systems.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0742"
},
{
"id": "CVE-2006-0744",
"summary": "Linux kernel before 2.6.16.5 does not properly handle uncanonical return addresses on Intel EM64T CPUs, which reports an exception in the SYSRET instead of the next instruction, which causes the kernel exception handler to run on the user stack with the wrong GS.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0744"
},
{
"id": "CVE-2006-1052",
"summary": "The selinux_ptrace logic in hooks.c in SELinux for Linux 2.6.6 allows local users with ptrace permissions to change the tracer SID to an SID of another process.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1052"
},
{
"id": "CVE-2006-1055",
"summary": "The fill_write_buffer function in sysfs/file.c in Linux kernel 2.6.12 up to versions before 2.6.17-rc1 does not zero terminate a buffer when a length of PAGE_SIZE or more is requested, which might allow local users to cause a denial of service (crash) by causing an out-of-bounds read.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1055"
},
{
"id": "CVE-2006-1056",
"summary": "The Linux kernel before 2.6.16.9 and the FreeBSD kernel, when running on AMD64 and other 7th and 8th generation AuthenticAMD processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one process to determine portions of the state of floating point instructions of other processes, which can be leveraged to obtain sensitive information such as cryptographic keys. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processors in a security-relevant fashion that was not addressed by the kernels.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1056"
},
{
"id": "CVE-2006-1066",
"summary": "Linux kernel 2.6.16-rc2 and earlier, when running on x86_64 systems with preemption enabled, allows local users to cause a denial of service (oops) via multiple ptrace tasks that perform single steps, which can cause corruption of the DEBUG_STACK stack during the do_debug function call.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1066"
},
{
"id": "CVE-2006-1242",
"summary": "The ip_push_pending_frames function in Linux 2.4.x and 2.6.x before 2.6.16 increments the IP ID field when sending a RST after receiving unsolicited TCP SYN-ACK packets, which allows remote attackers to conduct an Idle Scan (nmap -sI) attack, which bypasses intended protections against such attacks.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1242"
},
{
"id": "CVE-2006-1342",
"summary": "net/ipv4/af_inet.c in Linux kernel 2.4 does not clear sockaddr_in.sin_zero before returning IPv4 socket names from the (1) getsockname, (2) getpeername, and (3) accept functions, which allows local users to obtain portions of potentially sensitive memory.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1342"
},
{
"id": "CVE-2006-1343",
"summary": "net/ipv4/netfilter/ip_conntrack_core.c in Linux kernel 2.4 and 2.6, and possibly net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c in 2.6, does not clear sockaddr_in.sin_zero before returning IPv4 socket names from the getsockopt function with SO_ORIGINAL_DST, which allows local users to obtain portions of potentially sensitive memory.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1343"
},
{
"id": "CVE-2006-1368",
"summary": "Buffer overflow in the USB Gadget RNDIS implementation in the Linux kernel before 2.6.16 allows remote attackers to cause a denial of service (kmalloc'd memory corruption) via a remote NDIS response to OID_GEN_SUPPORTED_LIST, which causes memory to be allocated for the reply data but not the reply structure.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1368"
},
{
"id": "CVE-2006-1522",
"summary": "The sys_add_key function in the keyring code in Linux kernel 2.6.16.1 and 2.6.17-rc1, and possibly earlier versions, allows local users to cause a denial of service (OOPS) via keyctl requests that add a key to a user key instead of a keyring key, which causes an invalid dereference in the __keyring_search_one function.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1522"
},
{
"id": "CVE-2006-1523",
"summary": "The __group_complete_signal function in the RCU signal handling (signal.c) in Linux kernel 2.6.16, and possibly other versions, has unknown impact and attack vectors related to improper use of BUG_ON.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1523"
},
{
"id": "CVE-2006-1524",
"summary": "madvise_remove in Linux kernel 2.6.16 up to 2.6.16.6 does not follow file and mmap restrictions, which allows local users to bypass IPC permissions and replace portions of readonly tmpfs files with zeroes, aka the MADV_REMOVE vulnerability. NOTE: this description was originally written in a way that combined two separate issues. The mprotect issue now has a separate name, CVE-2006-2071.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1524"
},
{
"id": "CVE-2006-1525",
"summary": "ip_route_input in Linux kernel 2.6 before 2.6.16.8 allows local users to cause a denial of service (panic) via a request for a route for a multicast IP address, which triggers a null dereference.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1525"
},
{
"id": "CVE-2006-1527",
"summary": "The SCTP-netfilter code in Linux kernel before 2.6.16.13 allows remote attackers to trigger a denial of service (infinite loop) via unknown vectors that cause an invalid SCTP chunk size to be processed by the for_each_sctp_chunk function.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1527"
},
{
"id": "CVE-2006-1528",
"summary": "Linux kernel before 2.6.13 allows local users to cause a denial of service (crash) via a dio transfer from the sg driver to memory mapped (mmap) IO space.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1528"
},
{
"id": "CVE-2006-1624",
"summary": "The default configuration of syslogd in the Linux sysklogd package does not enable the -x (disable name lookups) option, which allows remote attackers to cause a denial of service (traffic amplification) via messages with spoofed source IP addresses.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1624"
},
{
"id": "CVE-2006-1855",
"summary": "choose_new_parent in Linux kernel before 2.6.11.12 includes certain debugging code, which allows local users to cause a denial of service (panic) by causing certain circumstances involving termination of a parent process.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1855"
},
{
"id": "CVE-2006-1856",
"summary": "Certain modifications to the Linux kernel 2.6.16 and earlier do not add the appropriate Linux Security Modules (LSM) file_permission hooks to the (1) readv and (2) writev functions, which might allow attackers to bypass intended access restrictions.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1856"
},
{
"id": "CVE-2006-1857",
"summary": "Buffer overflow in SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malformed HB-ACK chunk.",
"scorev2": "9.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1857"
},
{
"id": "CVE-2006-1858",
"summary": "SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a chunk length that is inconsistent with the actual length of provided parameters.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1858"
},
{
"id": "CVE-2006-1859",
"summary": "Memory leak in __setlease in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to cause a denial of service (memory consumption) via unspecified actions related to an \"uninitialised return value,\" aka \"slab leak.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1859"
},
{
"id": "CVE-2006-1860",
"summary": "lease_init in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to cause a denial of service (fcntl_setlease lockup) via actions that cause lease_init to free a lock that might not have been allocated on the stack.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1860"
},
{
"id": "CVE-2006-1862",
"summary": "The virtual memory implementation in Linux kernel 2.6.x allows local users to cause a denial of service (panic) by running lsof a large number of times in a way that produces a heavy system load.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1862"
},
{
"id": "CVE-2006-1863",
"summary": "Directory traversal vulnerability in CIFS in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via \"..\\\\\" sequences, a similar vulnerability to CVE-2006-1864.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1863"
},
{
"id": "CVE-2006-1864",
"summary": "Directory traversal vulnerability in smbfs in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via \"..\\\\\" sequences, a similar vulnerability to CVE-2006-1863.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1864"
},
{
"id": "CVE-2006-2071",
"summary": "Linux kernel 2.4.x and 2.6.x up to 2.6.16 allows local users to bypass IPC permissions and modify a readonly attachment of shared memory by using mprotect to give write permission to the attachment. NOTE: some original raw sources combined this issue with CVE-2006-1524, but they are different bugs.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2071"
},
{
"id": "CVE-2006-2444",
"summary": "The snmp_trap_decode function in the SNMP NAT helper for Linux kernel before 2.6.16.18 allows remote attackers to cause a denial of service (crash) via unspecified remote attack vectors that cause failures in snmp_trap_decode that trigger (1) frees of random memory or (2) frees of previously-freed memory (double-free) by snmp_trap_decode as well as its calling function, as demonstrated via certain test cases of the PROTOS SNMP test suite.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2444"
},
{
"id": "CVE-2006-2445",
"summary": "Race condition in run_posix_cpu_timers in Linux kernel before 2.6.16.21 allows local users to cause a denial of service (BUG_ON crash) by causing one CPU to attach a timer to a process that is exiting.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2445"
},
{
"id": "CVE-2006-2446",
"summary": "Race condition between the kfree_skb and __skb_unlink functions in the socket buffer handling in Linux kernel 2.6.9, and possibly other versions, allows remote attackers to cause a denial of service (crash), as demonstrated using the TCP stress tests from the LTP test suite.",
"scorev2": "5.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2446"
},
{
"id": "CVE-2006-2448",
"summary": "Linux kernel before 2.6.16.21 and 2.6.17, when running on PowerPC, does not perform certain required access_ok checks, which allows local users to read arbitrary kernel memory on 64-bit systems (signal_64.c) and cause a denial of service (crash) and possibly read kernel memory on 32-bit systems (signal_32.c).",
"scorev2": "5.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2448"
},
{
"id": "CVE-2006-2451",
"summary": "The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial of service (disk consumption) and possibly gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2451"
},
{
"id": "CVE-2006-2629",
"summary": "Race condition in Linux kernel 2.6.15 to 2.6.17, when running on SMP platforms, allows local users to cause a denial of service (crash) by creating and exiting a large number of tasks, then accessing the /proc entry of a task that is exiting, which causes memory corruption that leads to a failure in the prune_dcache function or a BUG_ON error in include/linux/list.h.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2629"
},
{
"id": "CVE-2006-2932",
"summary": "A regression error in the restore_all code path of the 4/4GB split support for non-hugemem Linux kernels on Red Hat Linux Desktop and Enterprise Linux 4 allows local users to cause a denial of service (panic) via unspecified vectors.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2932",
"detail": "not-applicable-platform",
"description": "specific to RHEL"
},
{
"id": "CVE-2006-2934",
"summary": "SCTP conntrack (ip_conntrack_proto_sctp.c) in netfilter for Linux kernel 2.6.17 before 2.6.17.3 and 2.6.16 before 2.6.16.23 allows remote attackers to cause a denial of service (crash) via a packet without any chunks, which causes a variable to contain an invalid value that is later used to dereference a pointer.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2934"
},
{
"id": "CVE-2006-2935",
"summary": "The dvd_read_bca function in the DVD handling code in drivers/cdrom/cdrom.c in Linux kernel 2.2.16, and later versions, assigns the wrong value to a length variable, which allows local users to execute arbitrary code via a crafted USB Storage device that triggers a buffer overflow.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2935"
},
{
"id": "CVE-2006-2936",
"summary": "The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the hardware can handle, which causes the data to be queued.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2936"
},
{
"id": "CVE-2006-3085",
"summary": "xt_sctp in netfilter for Linux kernel before 2.6.17.1 allows attackers to cause a denial of service (infinite loop) via an SCTP chunk with a 0 length.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3085"
},
{
"id": "CVE-2006-3468",
"summary": "Linux kernel 2.6.x, when using both NFS and EXT3, allows remote attackers to cause a denial of service (file system panic) via a crafted UDP packet with a V2 lookup procedure that specifies a bad file handle (inode number), which triggers an error and causes an exported directory to be remounted read-only.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3468"
},
{
"id": "CVE-2006-3626",
"summary": "Race condition in Linux kernel 2.6.17.4 and earlier allows local users to gain root privileges by using prctl with PR_SET_DUMPABLE in a way that causes /proc/self/environ to become setuid root.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3626"
},
{
"id": "CVE-2006-3634",
"summary": "The (1) __futex_atomic_op and (2) futex_atomic_cmpxchg_inatomic functions in Linux kernel 2.6.17-rc4 to 2.6.18-rc2 perform the atomic futex operation in the kernel address space instead of the user address space, which allows local users to cause a denial of service (crash).",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3634"
},
{
"id": "CVE-2006-3635",
"summary": "The ia64 subsystem in the Linux kernel before 2.6.26 allows local users to cause a denial of service (stack consumption and system crash) via a crafted application that leverages the mishandling of invalid Register Stack Engine (RSE) state.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3635",
"detail": "fixed-version",
"description": "Fixed from version 2.6.26rc5"
},
{
"id": "CVE-2006-3741",
"summary": "The perfmonctl system call (sys_perfmonctl) in Linux kernel 2.4.x and 2.6 before 2.6.18, when running on Itanium systems, does not properly track the reference count for file descriptors, which allows local users to cause a denial of service (file descriptor consumption).",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3741"
},
{
"id": "CVE-2006-3745",
"summary": "Unspecified vulnerability in the sctp_make_abort_user function in the SCTP implementation in Linux 2.6.x before 2.6.17.10 and 2.4.23 up to 2.4.33 allows local users to cause a denial of service (panic) and possibly gain root privileges via unknown attack vectors.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3745"
},
{
"id": "CVE-2006-4093",
"summary": "Linux kernel 2.x.6 before 2.6.17.9 and 2.4.x before 2.4.33.1 on PowerPC PPC970 systems allows local users to cause a denial of service (crash) related to the \"HID0 attention enable on PPC970 at boot time.\"",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4093"
},
{
"id": "CVE-2006-4145",
"summary": "The Universal Disk Format (UDF) filesystem driver in Linux kernel 2.6.17 and earlier allows local users to cause a denial of service (hang and crash) via certain operations involving truncated files, as demonstrated via the dd command.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4145"
},
{
"id": "CVE-2006-4535",
"summary": "The Linux kernel 2.6.17.10 and 2.6.17.11 and 2.6.18-rc5 allows local users to cause a denial of service (crash) via an SCTP socket with a certain SO_LINGER value, possibly related to the patch for CVE-2006-3745. NOTE: older kernel versions for specific Linux distributions are also affected, due to backporting of the CVE-2006-3745 patch.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4535"
},
{
"id": "CVE-2006-4538",
"summary": "Linux kernel 2.6.17 and earlier, when running on IA64 or SPARC platforms, allows local users to cause a denial of service (crash) via a malformed ELF file that triggers memory maps that cross region boundaries.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4538"
},
{
"id": "CVE-2006-4572",
"summary": "ip6_tables in netfilter in the Linux kernel before 2.6.16.31 allows remote attackers to (1) bypass a rule that disallows a protocol, via a packet with the protocol header not located immediately after the fragment header, aka \"ip6_tables protocol bypass bug;\" and (2) bypass a rule that looks for a certain extension header, via a packet with an extension header outside the first fragment, aka \"ip6_tables extension header bypass bug.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4572"
},
{
"id": "CVE-2006-4623",
"summary": "The Unidirectional Lightweight Encapsulation (ULE) decapsulation component in dvb-core/dvb_net.c in the dvb driver in the Linux kernel 2.6.17.8 allows remote attackers to cause a denial of service (crash) via an SNDU length of 0 in a ULE packet.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4623"
},
{
"id": "CVE-2006-4663",
"summary": "The source code tar archive of the Linux kernel 2.6.16, 2.6.17.11, and possibly other versions specifies weak permissions (0666 and 0777) for certain files and directories, which might allow local users to insert Trojan horse source code that would be used during the next kernel compilation. NOTE: another researcher disputes the vulnerability, stating that he finds \"Not a single world-writable file or directory.\" CVE analysis as of 20060908 indicates that permissions will only be weak under certain unusual or insecure scenarios",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4663"
},
{
"id": "CVE-2006-4813",
"summary": "The __block_prepare_write function in fs/buffer.c for Linux kernel 2.6.x before 2.6.13 does not properly clear buffers during certain error conditions, which allows local users to read portions of files that have been unlinked.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4813"
},
{
"id": "CVE-2006-4814",
"summary": "The mincore function in the Linux kernel before 2.4.33.6 does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4814"
},
{
"id": "CVE-2006-4997",
"summary": "The clip_mkip function in net/atm/clip.c of the ATM subsystem in Linux kernel allows remote attackers to cause a denial of service (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed (freed pointer dereference).",
"scorev2": "7.1",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4997"
},
{
"id": "CVE-2006-5158",
"summary": "The nlmclnt_mark_reclaim in clntlock.c in NFS lockd in Linux kernel before 2.6.16 allows remote attackers to cause a denial of service (process crash) and deny access to NFS exports via unspecified vectors that trigger a kernel oops (null dereference) and a deadlock.",
"scorev2": "3.3",
"scorev3": "7.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5158"
},
{
"id": "CVE-2006-5173",
"summary": "Linux kernel does not properly save or restore EFLAGS during a context switch, or reset the flags when creating new threads, which allows local users to cause a denial of service (process crash), as demonstrated using a process that sets the Alignment Check flag (EFLAGS 0x40000), which triggers a SIGBUS in other processes that have an unaligned access.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5173"
},
{
"id": "CVE-2006-5174",
"summary": "The copy_from_user function in the uaccess code in Linux kernel 2.6 before 2.6.19-rc1, when running on s390, does not properly clear a kernel buffer, which allows local user space programs to read portions of kernel memory by \"appending to a file from a bad address,\" which triggers a fault that prevents the unused memory from being cleared in the kernel buffer.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5174"
},
{
"id": "CVE-2006-5331",
"summary": "The altivec_unavailable_exception function in arch/powerpc/kernel/traps.c in the Linux kernel before 2.6.19 on 64-bit systems mishandles the case where CONFIG_ALTIVEC is defined and the CPU actually supports Altivec, but the Altivec support was not detected by the kernel, which allows local users to cause a denial of service (panic) by triggering execution of an Altivec instruction.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5331",
"detail": "fixed-version",
"description": "Fixed from version 2.6.19rc3"
},
{
"id": "CVE-2006-5619",
"summary": "The seqfile handling (ip6fl_get_n function in ip6_flowlabel.c) in Linux kernel 2.6 up to 2.6.18-stable allows local users to cause a denial of service (hang or oops) via unspecified manipulations that trigger an infinite loop while searching for flowlabels.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5619"
},
{
"id": "CVE-2006-5701",
"summary": "Double free vulnerability in squashfs module in the Linux kernel 2.6.x, as used in Fedora Core 5 and possibly other distributions, allows local users to cause a denial of service by mounting a crafted squashfs filesystem.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5701"
},
{
"id": "CVE-2006-5749",
"summary": "The isdn_ppp_ccp_reset_alloc_state function in drivers/isdn/isdn_ppp.c in the Linux 2.4 kernel before 2.4.34-rc4 does not call the init_timer function for the ISDN PPP CCP reset state timer, which has unknown attack vectors and results in a system crash.",
"scorev2": "1.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5749"
},
{
"id": "CVE-2006-5751",
"summary": "Integer overflow in the get_fdb_entries function in net/bridge/br_ioctl.c in the Linux kernel before 2.6.18.4 allows local users to execute arbitrary code via a large maxnum value in an ioctl request.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5751"
},
{
"id": "CVE-2006-5753",
"summary": "Unspecified vulnerability in the listxattr system call in Linux kernel, when a \"bad inode\" is present, allows local users to cause a denial of service (data corruption) and possibly gain privileges via unknown vectors.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5753"
},
{
"id": "CVE-2006-5754",
"summary": "The aio_setup_ring function in Linux kernel does not properly initialize a variable, which allows local users to cause a denial of service (crash) via an unspecified error path that causes an incorrect free operation.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5754"
},
{
"id": "CVE-2006-5755",
"summary": "Linux kernel before 2.6.18, when running on x86_64 systems, does not properly save or restore EFLAGS during a context switch, which allows local users to cause a denial of service (crash) by causing SYSENTER to set an NT flag, which can trigger a crash on the IRET of the next task.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5755"
},
{
"id": "CVE-2006-5757",
"summary": "Race condition in the __find_get_block_slow function in the ISO9660 filesystem in Linux 2.6.18 and possibly other versions allows local users to cause a denial of service (infinite loop) by mounting a crafted ISO9660 filesystem containing malformed data structures.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5757"
},
{
"id": "CVE-2006-5823",
"summary": "The zlib_inflate function in Linux kernel 2.6.x allows local users to cause a denial of service (crash) via a malformed filesystem that uses zlib compression that triggers memory corruption, as demonstrated using cramfs.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5823"
},
{
"id": "CVE-2006-5871",
"summary": "smbfs in Linux kernel 2.6.8 and other versions, and 2.4.x before 2.4.34, when UNIX extensions are enabled, ignores certain mount options, which could cause clients to use server-specified uid, gid and mode settings.",
"scorev2": "4.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5871"
},
{
"id": "CVE-2006-6053",
"summary": "The ext3fs_dirhash function in Linux kernel 2.6.x allows local users to cause a denial of service (crash) via an ext3 stream with malformed data structures.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6053"
},
{
"id": "CVE-2006-6054",
"summary": "The ext2 file system code in Linux kernel 2.6.x allows local users to cause a denial of service (crash) via an ext2 stream with malformed data structures that triggers an error in the ext2_check_page due to a length that is smaller than the minimum.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6054"
},
{
"id": "CVE-2006-6056",
"summary": "Linux kernel 2.6.x up to 2.6.18 and possibly other versions, when SELinux hooks are enabled, allows local users to cause a denial of service (crash) via a malformed file stream that triggers a NULL pointer dereference in the superblock_doinit function, as demonstrated using an HFS filesystem image.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6056"
},
{
"id": "CVE-2006-6057",
"summary": "The Linux kernel 2.6.x up to 2.6.18, and possibly other versions, on Fedora Core 6 and possibly other operating systems, allows local users to cause a denial of service (crash) via a malformed gfs2 file stream that triggers a NULL pointer dereference in the init_journal function.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6057"
},
{
"id": "CVE-2006-6058",
"summary": "The minix filesystem code in Linux kernel 2.6.x before 2.6.24, including 2.6.18, allows local users to cause a denial of service (hang) via a malformed minix file stream that triggers an infinite loop in the minix_bmap function. NOTE: this issue might be due to an integer overflow or signedness error.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6058"
},
{
"id": "CVE-2006-6060",
"summary": "The NTFS filesystem code in Linux kernel 2.6.x up to 2.6.18, and possibly other versions, allows local users to cause a denial of service (CPU consumption) via a malformed NTFS file stream that triggers an infinite loop in the __find_get_block_slow function.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6060"
},
{
"id": "CVE-2006-6106",
"summary": "Multiple buffer overflows in the cmtp_recv_interopmsg function in the Bluetooth driver (net/bluetooth/cmtp/capi.c) in the Linux kernel 2.4.22 up to 2.4.33.4 and 2.6.2 before 2.6.18.6, and 2.6.19.x, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via CAPI messages with a large value for the length of the (1) manu (manufacturer) or (2) serial (serial number) field.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6106"
},
{
"id": "CVE-2006-6128",
"summary": "The ReiserFS functionality in Linux kernel 2.6.18, and possibly other versions, allows local users to cause a denial of service via a malformed ReiserFS file system that triggers memory corruption when a sync is performed.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6128",
"detail": "fixed-version",
"description": "Fixed from version 2.6.19rc2"
},
{
"id": "CVE-2006-6304",
"summary": "The do_coredump function in fs/exec.c in the Linux kernel 2.6.19 sets the flag variable to O_EXCL but does not use it, which allows context-dependent attackers to modify arbitrary files via a rewrite attack during a core dump.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6304"
},
{
"id": "CVE-2006-6333",
"summary": "The tr_rx function in ibmtr.c for Linux kernel 2.6.19 assigns the wrong flag to the ip_summed field, which allows remote attackers to cause a denial of service (memory corruption) via crafted packets that cause the kernel to interpret another field as an offset.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6333"
},
{
"id": "CVE-2006-6535",
"summary": "The dev_queue_xmit function in Linux kernel 2.6 can fail before calling the local_bh_disable function, which could lead to data corruption and \"node lockups.\" NOTE: it is not clear whether this issue is exploitable.",
"scorev2": "9.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6535"
},
{
"id": "CVE-2006-6921",
"summary": "Unspecified versions of the Linux kernel allow local users to cause a denial of service (unrecoverable zombie process) via a program with certain instructions that prevent init from properly reaping a child whose parent has died.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6921"
},
{
"id": "CVE-2006-7051",
"summary": "The sys_timer_create function in posix-timers.c for Linux kernel 2.6.x allows local users to cause a denial of service (memory consumption) and possibly bypass memory limits or cause other processes to be killed by creating a large number of posix timers, which are allocated in kernel memory but are not treated as part of the process' memory.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7051"
},
{
"id": "CVE-2006-7203",
"summary": "The compat_sys_mount function in fs/compat.c in Linux kernel 2.6.20 and earlier allows local users to cause a denial of service (NULL pointer dereference and oops) by mounting a smbfs file system in compatibility mode (\"mount -t smbfs\").",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7203"
},
{
"id": "CVE-2006-7229",
"summary": "The skge driver 1.5 in Linux kernel 2.6.15 on Ubuntu does not properly use the spin_lock and spin_unlock functions, which allows remote attackers to cause a denial of service (machine crash) via a flood of network traffic.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7229"
},
{
"id": "CVE-2007-0006",
"summary": "The key serial number collision avoidance code in the key_alloc_serial function in Linux kernel 2.6.9 up to 2.6.20 allows local users to cause a denial of service (crash) via vectors that trigger a null dereference, as originally reported as \"spinlock CPU recursion.\"",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0006"
},
{
"id": "CVE-2007-0771",
"summary": "The utrace support in Linux kernel 2.6.18, and other versions, allows local users to cause a denial of service (system hang) related to \"MT exec + utrace_attach spin failure mode,\" as demonstrated by ptrace-thrash.c.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0771"
},
{
"id": "CVE-2007-0772",
"summary": "The Linux kernel 2.6.13 and other versions before 2.6.20.1 allows remote attackers to cause a denial of service (oops) via a crafted NFSACL 2 ACCESS request that triggers a free of an incorrect pointer.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0772"
},
{
"id": "CVE-2007-0822",
"summary": "umount, when running with the Linux 2.6.15 kernel on Slackware Linux 10.2, allows local users to trigger a NULL dereference and application crash by invoking the program with a pathname for a USB pen drive that was mounted and then physically removed, which might allow the users to obtain sensitive information, including core file contents.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0822"
},
{
"id": "CVE-2007-0958",
"summary": "Linux kernel 2.6.x before 2.6.20 allows local users to read unreadable binaries by using the interpreter (PT_INTERP) functionality and triggering a core dump, a variant of CVE-2004-1073.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0958"
},
{
"id": "CVE-2007-0997",
"summary": "Race condition in the tee (sys_tee) system call in the Linux kernel 2.6.17 through 2.6.17.6 might allow local users to cause a denial of service (system crash), obtain sensitive information (kernel memory contents), or gain privileges via unspecified vectors related to a potentially dropped ipipe lock during a race between two pipe readers.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0997"
},
{
"id": "CVE-2007-1000",
"summary": "The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1000"
},
{
"id": "CVE-2007-1217",
"summary": "Buffer overflow in the bufprint function in capiutil.c in libcapi, as used in Linux kernel 2.6.9 to 2.6.20 and isdn4k-utils, allows local users to cause a denial of service (crash) and possibly gain privileges via a crafted CAPI packet.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1217"
},
{
"id": "CVE-2007-1353",
"summary": "The setsockopt function in the L2CAP and HCI Bluetooth support in the Linux kernel before 2.4.34.3 allows context-dependent attackers to read kernel memory and obtain sensitive information via unspecified vectors involving the copy_from_user function accessing an uninitialized stack buffer.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1353"
},
{
"id": "CVE-2007-1357",
"summary": "The atalk_sum_skb function in AppleTalk for Linux kernel 2.6.x before 2.6.21, and possibly 2.4.x, allows remote attackers to cause a denial of service (crash) via an AppleTalk frame that is shorter than the specified length, which triggers a BUG_ON call when an attempt is made to perform a checksum.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1357"
},
{
"id": "CVE-2007-1388",
"summary": "The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel before 2.6.20, and possibly other versions, allows local users to cause a denial of service (oops) by calling setsockopt with the IPV6_RTHDR option name and possibly a zero option length or invalid option value, which triggers a NULL pointer dereference.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1388"
},
{
"id": "CVE-2007-1496",
"summary": "nfnetlink_log in netfilter in the Linux kernel before 2.6.20.3 allows attackers to cause a denial of service (crash) via unspecified vectors involving the (1) nfulnl_recv_config function, (2) using \"multiple packets per netlink message\", and (3) bridged packets, which trigger a NULL pointer dereference.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1496"
},
{
"id": "CVE-2007-1497",
"summary": "nf_conntrack in netfilter in the Linux kernel before 2.6.20.3 does not set nfctinfo during reassembly of fragmented packets, which leaves the default value as IP_CT_ESTABLISHED and might allow remote attackers to bypass certain rulesets using IPv6 fragments.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1497"
},
{
"id": "CVE-2007-1592",
"summary": "net/ipv6/tcp_ipv6.c in Linux kernel 2.6.x up to 2.6.21-rc3 inadvertently copies the ipv6_fl_socklist from a listening TCP socket to child sockets, which allows local users to cause a denial of service (OOPS) or double free by opening a listening IPv6 socket, attaching a flow label, and connecting to that socket.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1592"
},
{
"id": "CVE-2007-1730",
"summary": "Integer signedness error in the DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later allows local users to read kernel memory or cause a denial of service (oops) via a negative optlen value.",
"scorev2": "6.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1730"
},
{
"id": "CVE-2007-1734",
"summary": "The DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later does not verify the upper bounds of the optlen value, which allows local users running on certain architectures to read kernel memory or cause a denial of service (oops), a related issue to CVE-2007-1730.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1734"
},
{
"id": "CVE-2007-1861",
"summary": "The nl_fib_lookup function in net/ipv4/fib_frontend.c in Linux Kernel before 2.6.20.8 allows attackers to cause a denial of service (kernel panic) via NETLINK_FIB_LOOKUP replies, which trigger infinite recursion and a stack overflow.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1861"
},
{
"id": "CVE-2007-2172",
"summary": "A typo in Linux kernel 2.6 before 2.6.21-rc6 and 2.4 before 2.4.35 causes RTA_MAX to be used as an array size instead of RTN_MAX, which leads to an \"out of bound access\" by the (1) dn_fib_props (dn_fib.c, DECNet) and (2) fib_props (fib_semantics.c, IPv4) functions.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2172"
},
{
"id": "CVE-2007-2451",
"summary": "Unspecified vulnerability in drivers/crypto/geode-aes.c in GEODE-AES in the Linux kernel before 2.6.21.3 allows attackers to obtain sensitive information via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2451"
},
{
"id": "CVE-2007-2453",
"summary": "The random number feature in Linux kernel 2.6 before 2.6.20.13, and 2.6.21.x before 2.6.21.4, (1) does not properly seed pools when there is no entropy, or (2) uses an incorrect cast when extracting entropy, which might cause the random number generator to provide the same values after reboots on systems without an entropy source.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2453"
},
{
"id": "CVE-2007-2480",
"summary": "The _udp_lib_get_port function in net/ipv4/udp.c in Linux kernel 2.6.21 and earlier does not prevent a bind to a port with a local address when there is already a bind to that port with a wildcard local address, which might allow local users to intercept local traffic for daemons or other applications.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2480"
},
{
"id": "CVE-2007-2525",
"summary": "Memory leak in the PPP over Ethernet (PPPoE) socket implementation in the Linux kernel before 2.6.21-git8 allows local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2525"
},
{
"id": "CVE-2007-2764",
"summary": "The embedded Linux kernel in certain Sun-Brocade SilkWorm switches before 20070516 does not properly handle a situation in which a non-root user creates a kernel process, which allows attackers to cause a denial of service (oops and device reboot) via unspecified vectors.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2764",
"detail": "not-applicable-platform",
"description": "specific to Sun/Brocade SilkWorm switches"
},
{
"id": "CVE-2007-2875",
"summary": "Integer underflow in the cpuset_tasks_read function in the Linux kernel before 2.6.20.13, and 2.6.21.x before 2.6.21.4, when the cpuset filesystem is mounted, allows local users to obtain kernel memory contents by using a large offset when reading the /dev/cpuset/tasks file.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2875"
},
{
"id": "CVE-2007-2876",
"summary": "The sctp_new function in (1) ip_conntrack_proto_sctp.c and (2) nf_conntrack_proto_sctp.c in Netfilter in Linux kernel 2.6 before 2.6.20.13, and 2.6.21.x before 2.6.21.4, allows remote attackers to cause a denial of service by causing certain invalid states that trigger a NULL pointer dereference.",
"scorev2": "6.1",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2876"
},
{
"id": "CVE-2007-2878",
"summary": "The VFAT compat ioctls in the Linux kernel before 2.6.21.2, when run on a 64-bit system, allow local users to corrupt a kernel_dirent struct and cause a denial of service (system crash) via unknown vectors.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2878"
},
{
"id": "CVE-2007-3104",
"summary": "The sysfs_readdir function in the Linux kernel 2.6, as used in Red Hat Enterprise Linux (RHEL) 4.5 and other distributions, allows users to cause a denial of service (kernel OOPS) by dereferencing a null pointer to an inode in a dentry.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3104"
},
{
"id": "CVE-2007-3105",
"summary": "Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving \"bound check ordering\". NOTE: this issue might only cross privilege boundaries in environments that have granular assignment of privileges for root.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3105"
},
{
"id": "CVE-2007-3107",
"summary": "The signal handling in the Linux kernel before 2.6.22, including 2.6.2, when running on PowerPC systems using HTX, allows local users to cause a denial of service via unspecified vectors involving floating point corruption and concurrency, related to clearing of MSR bits.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3107"
},
{
"id": "CVE-2007-3380",
"summary": "The Distributed Lock Manager (DLM) in the cluster manager for Linux kernel 2.6.15 allows remote attackers to cause a denial of service (loss of lock services) by connecting to the DLM port, which probably prevents other processes from accessing the service.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3380"
},
{
"id": "CVE-2007-3513",
"summary": "The lcd_write function in drivers/usb/misc/usblcd.c in the Linux kernel before 2.6.22-rc7 does not limit the amount of memory used by a caller, which allows local users to cause a denial of service (memory consumption).",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3513"
},
{
"id": "CVE-2007-3642",
"summary": "The decode_choice function in net/netfilter/nf_conntrack_h323_asn1.c in the Linux kernel before 2.6.20.15, 2.6.21.x before 2.6.21.6, and before 2.6.22 allows remote attackers to cause a denial of service (crash) via an encoded, out-of-range index value for a choice field, which triggers a NULL pointer dereference.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3642"
},
{
"id": "CVE-2007-3719",
"summary": "The process scheduler in the Linux kernel 2.6.16 gives preference to \"interactive\" processes that perform voluntary sleeps, which allows local users to cause a denial of service (CPU consumption), as described in \"Secretly Monopolizing the CPU Without Superuser Privileges.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3719"
},
{
"id": "CVE-2007-3720",
"summary": "The process scheduler in the Linux kernel 2.4 performs scheduling based on CPU billing gathered from periodic process sampling ticks, which allows local users to cause a denial of service (CPU consumption) by performing voluntary nanosecond sleeps that result in the process not being active during a clock interrupt, as described in \"Secretly Monopolizing the CPU Without Superuser Privileges.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3720"
},
{
"id": "CVE-2007-3731",
"summary": "The Linux kernel 2.6.20 and 2.6.21 does not properly handle an invalid LDT segment selector in %cs (the xcs field) during ptrace single-step operations, which allows local users to cause a denial of service (NULL dereference and OOPS) via certain code that makes ptrace PTRACE_SETREGS and PTRACE_SINGLESTEP requests, related to the TRACE_IRQS_ON function, and possibly related to the arch_ptrace function.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3731"
},
{
"id": "CVE-2007-3732",
"summary": "In Linux 2.6 before 2.6.23, the TRACE_IRQS_ON function in iret_exc calls a C function without ensuring that the segments are set properly. The kernel's %fs needs to be restored before the call in TRACE_IRQS_ON and before enabling interrupts, so that \"current\" references work. Without this, \"current\" used in the window between iret_exc and the middle of error_code where %fs is reset, would crash.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3732"
},
{
"id": "CVE-2007-3740",
"summary": "The CIFS filesystem in the Linux kernel before 2.6.22, when Unix extension support is enabled, does not honor the umask of a process, which allows local users to gain privileges.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3740"
},
{
"id": "CVE-2007-3843",
"summary": "The Linux kernel before 2.6.23-rc1 checks the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3843"
},
{
"id": "CVE-2007-3848",
"summary": "Linux kernel 2.4.35 and other versions allows local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die, which delivers an attacker-controlled parent process death signal (PR_SET_PDEATHSIG).",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3848"
},
{
"id": "CVE-2007-3850",
"summary": "The eHCA driver in Linux kernel 2.6 before 2.6.22, when running on PowerPC, does not properly map userspace resources, which allows local users to read portions of physical address space.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3850"
},
{
"id": "CVE-2007-3851",
"summary": "The drm/i915 component in the Linux kernel before 2.6.22.2, when used with i965G and later chipsets, allows local users with access to an X11 session and Direct Rendering Manager (DRM) to write to arbitrary memory locations and gain privileges via a crafted batchbuffer.",
"scorev2": "6.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3851"
},
{
"id": "CVE-2007-4133",
"summary": "The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE units, which allows local users to cause a denial of service (panic) via unspecified vectors.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4133"
},
{
"id": "CVE-2007-4311",
"summary": "The xfer_secondary_pool function in drivers/char/random.c in the Linux kernel 2.4 before 2.4.35 performs reseed operations on only the first few bytes of a buffer, which might make it easier for attackers to predict the output of the random number generator, related to incorrect use of the sizeof operator.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4311"
},
{
"id": "CVE-2007-4567",
"summary": "The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel before 2.6.22 does not properly validate the hop-by-hop IPv6 extended header, which allows remote attackers to cause a denial of service (NULL pointer dereference and kernel panic) via a crafted IPv6 packet.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4567"
},
{
"id": "CVE-2007-4571",
"summary": "The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4571"
},
{
"id": "CVE-2007-4573",
"summary": "The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4573"
},
{
"id": "CVE-2007-4774",
"summary": "The Linux kernel before 2.4.36-rc1 has a race condition. It was possible to bypass systrace policies by flooding the ptraced process with SIGCONT signals, which can can wake up a PTRACED process.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4774",
"detail": "fixed-version",
"description": "Fixed from version 2.6.12rc2"
},
{
"id": "CVE-2007-4997",
"summary": "Integer underflow in the ieee80211_rx function in net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before 2.6.23 allows remote attackers to cause a denial of service (crash) via a crafted SKB length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA flag is set, aka an \"off-by-two error.\"",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4997"
},
{
"id": "CVE-2007-4998",
"summary": "cp, when running with an option to preserve symlinks on multiple OSes, allows local, user-assisted attackers to overwrite arbitrary files via a symlink attack using crafted directories containing multiple source files that are copied to the same destination.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4998",
"detail": "cpe-incorrect",
"description": "a historic cp bug, no longer an issue as per https://bugzilla.redhat.com/show_bug.cgi?id=356471#c5"
},
{
"id": "CVE-2007-5087",
"summary": "The ATM module in the Linux kernel before 2.4.35.3, when CLIP support is enabled, allows local users to cause a denial of service (kernel panic) by reading /proc/net/atm/arp before the CLIP module has been loaded.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5087"
},
{
"id": "CVE-2007-5093",
"summary": "The disconnect method in the Philips USB Webcam (pwc) driver in Linux kernel 2.6.x before 2.6.22.6 \"relies on user space to close the device,\" which allows user-assisted local attackers to cause a denial of service (USB subsystem hang and CPU consumption in khubd) by not closing the device after the disconnect is invoked. NOTE: this rarely crosses privilege boundaries, unless the attacker can convince the victim to unplug the affected device.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5093"
},
{
"id": "CVE-2007-5498",
"summary": "The Xen hypervisor block backend driver for Linux kernel 2.6.18, when running on a 64-bit host with a 32-bit paravirtualized guest, allows local privileged users in the guest OS to cause a denial of service (host OS crash) via a request that specifies a large number of blocks.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5498"
},
{
"id": "CVE-2007-5500",
"summary": "The wait_task_stopped function in the Linux kernel before 2.6.23.8 checks a TASK_TRACED bit instead of an exit_state value, which allows local users to cause a denial of service (machine crash) via unspecified vectors. NOTE: some of these details are obtained from third party information.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5500"
},
{
"id": "CVE-2007-5501",
"summary": "The tcp_sacktag_write_queue function in net/ipv4/tcp_input.c in Linux kernel 2.6.21 through 2.6.23.7, and 2.6.24-rc through 2.6.24-rc2, allows remote attackers to cause a denial of service (crash) via crafted ACK responses that trigger a NULL pointer dereference.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5501"
},
{
"id": "CVE-2007-5904",
"summary": "Multiple buffer overflows in CIFS VFS in Linux kernel 2.6.23 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5904"
},
{
"id": "CVE-2007-5966",
"summary": "Integer overflow in the hrtimer_start function in kernel/hrtimer.c in the Linux kernel before 2.6.23.10 allows local users to execute arbitrary code or cause a denial of service (panic) via a large relative timeout value. NOTE: some of these details are obtained from third party information.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5966"
},
{
"id": "CVE-2007-6063",
"summary": "Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel 2.6.23 allows local users to have an unknown impact via a crafted argument to the isdn_ioctl function.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6063"
},
{
"id": "CVE-2007-6151",
"summary": "The isdn_ioctl function in isdn_common.c in Linux kernel 2.6.23 allows local users to cause a denial of service via a crafted ioctl struct in which iocts is not null terminated, which triggers a buffer overflow.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6151"
},
{
"id": "CVE-2007-6206",
"summary": "The do_coredump function in fs/exec.c in Linux kernel 2.4.x and 2.6.x up to 2.6.24-rc3, and possibly other versions, does not change the UID of a core dump file if it exists before a root process creates a core dump in the same location, which might allow local users to obtain sensitive information.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6206"
},
{
"id": "CVE-2007-6417",
"summary": "The shmem_getpage function (mm/shmem.c) in Linux kernel 2.6.11 through 2.6.23 does not properly clear allocated memory in some rare circumstances related to tmpfs, which might allow local users to read sensitive kernel data or cause a denial of service (crash).",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6417"
},
{
"id": "CVE-2007-6434",
"summary": "Linux kernel 2.6.23 allows local users to create low pages in virtual userspace memory and bypass mmap_min_addr protection via a crafted executable file that calls the do_brk function.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6434"
},
{
"id": "CVE-2007-6694",
"summary": "The chrp_show_cpuinfo function (chrp/setup.c) in Linux kernel 2.4.21 through 2.6.18-53, when running on PowerPC, might allow local users to cause a denial of service (crash) via unknown vectors that cause the of_get_property function to fail, which triggers a NULL pointer dereference.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6694"
},
{
"id": "CVE-2007-6712",
"summary": "Integer overflow in the hrtimer_forward function (hrtimer.c) in Linux kernel 2.6.21-rc4, when running on 64-bit systems, allows local users to cause a denial of service (infinite loop) via a timer with a large expiry value, which causes the timer to always be expired.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6712"
},
{
"id": "CVE-2007-6716",
"summary": "fs/direct-io.c in the dio subsystem in the Linux kernel before 2.6.23 does not properly zero out the dio struct, which allows local users to cause a denial of service (OOPS), as demonstrated by a certain fio test.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6716"
},
{
"id": "CVE-2007-6733",
"summary": "The nfs_lock function in fs/nfs/file.c in the Linux kernel 2.6.9 does not properly remove POSIX locks on files that are setgid without group-execute permission, which allows local users to cause a denial of service (BUG and system crash) by locking a file on an NFS filesystem and then changing this file's permissions, a related issue to CVE-2010-0727.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6733"
},
{
"id": "CVE-2007-6761",
"summary": "drivers/media/video/videobuf-vmalloc.c in the Linux kernel before 2.6.24 does not initialize videobuf_mapping data structures, which allows local users to trigger an incorrect count value and videobuf leak via unspecified vectors, a different vulnerability than CVE-2010-5321.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6761",
"detail": "fixed-version",
"description": "Fixed from version 2.6.24rc6"
},
{
"id": "CVE-2007-6762",
"summary": "In the Linux kernel before 2.6.20, there is an off-by-one bug in net/netlabel/netlabel_cipso_v4.c where it is possible to overflow the doi_def->tags[] array.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6762",
"detail": "fixed-version",
"description": "Fixed from version 2.6.20rc5"
},
{
"id": "CVE-2008-0001",
"summary": "VFS in the Linux kernel before 2.6.22.16, and 2.6.23.x before 2.6.23.14, performs tests of access mode by using the flag variable instead of the acc_mode variable, which might allow local users to bypass intended permissions and remove directories.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0001"
},
{
"id": "CVE-2008-0007",
"summary": "Linux kernel before 2.6.22.17, when using certain drivers that register a fault handler that does not perform range checks, allows local users to access kernel memory via an out-of-range offset.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0007"
},
{
"id": "CVE-2008-0009",
"summary": "The vmsplice_to_user function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which might allow local users to access arbitrary kernel memory locations.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0009"
},
{
"id": "CVE-2008-0010",
"summary": "The copy_from_user_mmap_sem function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which allow local users to read from arbitrary kernel memory locations.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0010"
},
{
"id": "CVE-2008-0163",
"summary": "Linux kernel 2.6, when using vservers, allows local users to access resources of other vservers via a symlink attack in /proc.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0163"
},
{
"id": "CVE-2008-0352",
"summary": "The Linux kernel 2.6.20 through 2.6.21.1 allows remote attackers to cause a denial of service (panic) via a certain IPv6 packet, possibly involving the Jumbo Payload hop-by-hop option (jumbogram).",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0352"
},
{
"id": "CVE-2008-0598",
"summary": "Unspecified vulnerability in the 32-bit and 64-bit emulation in the Linux kernel 2.6.9, 2.6.18, and probably other versions allows local users to read uninitialized memory via unknown vectors involving a crafted binary.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0598"
},
{
"id": "CVE-2008-0600",
"summary": "The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0600"
},
{
"id": "CVE-2008-1294",
"summary": "Linux kernel 2.6.17, and other versions before 2.6.22, does not check when a user attempts to set RLIMIT_CPU to 0 until after the change is made, which allows local users to bypass intended resource limits.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1294"
},
{
"id": "CVE-2008-1375",
"summary": "Race condition in the directory notification subsystem (dnotify) in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1, allows local users to cause a denial of service (OOPS) and possibly gain privileges via unspecified vectors.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1375"
},
{
"id": "CVE-2008-1514",
"summary": "arch/s390/kernel/ptrace.c in Linux kernel 2.6.9, and other versions before 2.6.27-rc6, on s390 platforms allows local users to cause a denial of service (kernel panic) via the user-area-padding test from the ptrace testsuite in 31-bit mode, which triggers an invalid dereference.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1514"
},
{
"id": "CVE-2008-1669",
"summary": "Linux kernel before 2.6.25.2 does not apply a certain protection mechanism for fcntl functionality, which allows local users to (1) execute code in parallel or (2) exploit a race condition to obtain \"re-ordered access to the descriptor table.\"",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1669"
},
{
"id": "CVE-2008-1673",
"summary": "The asn1 implementation in (a) the Linux kernel 2.4 before 2.4.36.6 and 2.6 before 2.6.25.5, as used in the cifs and ip_nat_snmp_basic modules; and (b) the gxsnmp package; does not properly validate length values during decoding of ASN.1 BER data, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via (1) a length greater than the working buffer, which can lead to an unspecified overflow; (2) an oid length of zero, which can lead to an off-by-one error; or (3) an indefinite length for a primitive encoding.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1673"
},
{
"id": "CVE-2008-1675",
"summary": "The bdx_ioctl_priv function in the tehuti driver (tehuti.c) in Linux kernel 2.6.x before 2.6.25.1 does not properly check certain information related to register size, which has unspecified impact and local attack vectors, probably related to reading or writing kernel memory.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1675"
},
{
"id": "CVE-2008-2136",
"summary": "Memory leak in the ipip6_rcv function in net/ipv6/sit.c in the Linux kernel 2.4 before 2.4.36.5 and 2.6 before 2.6.25.3 allows remote attackers to cause a denial of service (memory consumption) via network traffic to a Simple Internet Transition (SIT) tunnel interface, related to the pskb_may_pull and kfree_skb functions, and management of an skb reference count.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2136"
},
{
"id": "CVE-2008-2137",
"summary": "The (1) sparc_mmap_check function in arch/sparc/kernel/sys_sparc.c and the (2) sparc64_mmap_check function in arch/sparc64/kernel/sys_sparc.c, in the Linux kernel 2.4 before 2.4.36.5 and 2.6 before 2.6.25.3, omit some virtual-address range (aka span) checks when the mmap MAP_FIXED bit is not set, which allows local users to cause a denial of service (panic) via unspecified mmap calls.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2137"
},
{
"id": "CVE-2008-2148",
"summary": "The utimensat system call (sys_utimensat) in Linux kernel 2.6.22 and other versions before 2.6.25.3 does not check file permissions when certain UTIME_NOW and UTIME_OMIT combinations are used, which allows local users to modify file times of arbitrary files, possibly leading to a denial of service.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2148"
},
{
"id": "CVE-2008-2358",
"summary": "Integer overflow in the dccp_feat_change function in net/dccp/feat.c in the Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.18, and 2.6.17 through 2.6.20, allows local users to gain privileges via an invalid feature length, which leads to a heap-based buffer overflow.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2358"
},
{
"id": "CVE-2008-2365",
"summary": "Race condition in the ptrace and utrace support in the Linux kernel 2.6.9 through 2.6.25, as used in Red Hat Enterprise Linux (RHEL) 4, allows local users to cause a denial of service (oops) via a long series of PTRACE_ATTACH ptrace calls to another user's process that trigger a conflict between utrace_detach and report_quiescent, related to \"late ptrace_may_attach() check\" and \"race around &dead_engine_ops setting,\" a different vulnerability than CVE-2007-0771 and CVE-2008-1514. NOTE: this issue might only affect kernel versions before 2.6.16.x.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2365"
},
{
"id": "CVE-2008-2372",
"summary": "The Linux kernel 2.6.24 and 2.6.25 before 2.6.25.9 allows local users to cause a denial of service (memory consumption) via a large number of calls to the get_user_pages function, which lacks a ZERO_PAGE optimization and results in allocation of \"useless newly zeroed pages.\"",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2372"
},
{
"id": "CVE-2008-2544",
"summary": "Mounting /proc filesystem via chroot command silently mounts it in read-write mode. The user could bypass the chroot environment and gain write access to files, he would never have otherwise.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2544",
"detail": "disputed",
"description": "not an issue as per https://bugzilla.redhat.com/show_bug.cgi?id=449089#c22"
},
{
"id": "CVE-2008-2729",
"summary": "arch/x86_64/lib/copy_user.S in the Linux kernel before 2.6.19 on some AMD64 systems does not erase destination memory locations after an exception during kernel memory copy, which allows local users to obtain sensitive information.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2729"
},
{
"id": "CVE-2008-2750",
"summary": "The pppol2tp_recvmsg function in drivers/net/pppol2tp.c in the Linux kernel 2.6 before 2.6.26-rc6 allows remote attackers to cause a denial of service (kernel heap memory corruption and system crash) and possibly have unspecified other impact via a crafted PPPOL2TP packet that results in a large value for a certain length variable.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2750"
},
{
"id": "CVE-2008-2812",
"summary": "The Linux kernel before 2.6.25.10 does not properly perform tty operations, which allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving NULL pointer dereference of function pointers in (1) hamradio/6pack.c, (2) hamradio/mkiss.c, (3) irda/irtty-sir.c, (4) ppp_async.c, (5) ppp_synctty.c, (6) slip.c, (7) wan/x25_asy.c, and (8) wireless/strip.c in drivers/net/.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2812"
},
{
"id": "CVE-2008-2826",
"summary": "Integer overflow in the sctp_getsockopt_local_addrs_old function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) functionality in the Linux kernel before 2.6.25.9 allows local users to cause a denial of service (resource consumption and system outage) via vectors involving a large addr_num field in an sctp_getaddrs_old data structure.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2826"
},
{
"id": "CVE-2008-2931",
"summary": "The do_change_type function in fs/namespace.c in the Linux kernel before 2.6.22 does not verify that the caller has the CAP_SYS_ADMIN capability, which allows local users to gain privileges or cause a denial of service by modifying the properties of a mountpoint.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2931"
},
{
"id": "CVE-2008-2944",
"summary": "Double free vulnerability in the utrace support in the Linux kernel, probably 2.6.18, in Red Hat Enterprise Linux (RHEL) 5 and Fedora Core 6 (FC6) allows local users to cause a denial of service (oops), as demonstrated by a crash when running the GNU GDB testsuite, a different vulnerability than CVE-2008-2365.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2944"
},
{
"id": "CVE-2008-3077",
"summary": "arch/x86/kernel/ptrace.c in the Linux kernel before 2.6.25.10 on the x86_64 platform leaks task_struct references into the sys32_ptrace function, which allows local users to cause a denial of service (system crash) or have unspecified other impact via unknown vectors, possibly a use-after-free vulnerability.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3077"
},
{
"id": "CVE-2008-3247",
"summary": "The LDT implementation in the Linux kernel 2.6.25.x before 2.6.25.11 on x86_64 platforms uses an incorrect size for ldt_desc, which allows local users to cause a denial of service (system crash) or possibly gain privileges via unspecified vectors.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3247"
},
{
"id": "CVE-2008-3272",
"summary": "The snd_seq_oss_synth_make_info function in sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the Linux kernel before 2.6.27-rc2 does not verify that the device number is within the range defined by max_synthdev before returning certain data to the caller, which allows local users to obtain sensitive information.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3272"
},
{
"id": "CVE-2008-3275",
"summary": "The (1) real_lookup and (2) __lookup_hash functions in fs/namei.c in the vfs implementation in the Linux kernel before 2.6.25.15 do not prevent creation of a child dentry for a deleted (aka S_DEAD) directory, which allows local users to cause a denial of service (\"overflow\" of the UBIFS orphan area) via a series of attempted file creations within deleted directories.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3275"
},
{
"id": "CVE-2008-3276",
"summary": "Integer overflow in the dccp_setsockopt_change function in net/dccp/proto.c in the Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.17-rc1 through 2.6.26.2 allows remote attackers to cause a denial of service (panic) via a crafted integer value, related to Change L and Change R options without at least one byte in the dccpsf_val field.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3276"
},
{
"id": "CVE-2008-3496",
"summary": "Buffer overflow in format descriptor parsing in the uvc_parse_format function in drivers/media/video/uvc/uvc_driver.c in uvcvideo in the video4linux (V4L) implementation in the Linux kernel before 2.6.26.1 has unknown impact and attack vectors.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3496"
},
{
"id": "CVE-2008-3525",
"summary": "The sbni_ioctl function in drivers/net/wan/sbni.c in the wan subsystem in the Linux kernel 2.6.26.3 does not check for the CAP_NET_ADMIN capability before processing a (1) SIOCDEVRESINSTATS, (2) SIOCDEVSHWSTATE, (3) SIOCDEVENSLAVE, or (4) SIOCDEVEMANSIPATE ioctl request, which allows local users to bypass intended capability restrictions.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3525"
},
{
"id": "CVE-2008-3526",
"summary": "Integer overflow in the sctp_setsockopt_auth_key function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel 2.6.24-rc1 through 2.6.26.3 allows remote attackers to cause a denial of service (panic) or possibly have unspecified other impact via a crafted sca_keylength field associated with the SCTP_AUTH_KEY option.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3526"
},
{
"id": "CVE-2008-3527",
"summary": "arch/i386/kernel/sysenter.c in the Virtual Dynamic Shared Objects (vDSO) implementation in the Linux kernel before 2.6.21 does not properly check boundaries, which allows local users to gain privileges or cause a denial of service via unspecified vectors, related to the install_special_mapping, syscall, and syscall32_nopage functions.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3527"
},
{
"id": "CVE-2008-3528",
"summary": "The error-reporting functionality in (1) fs/ext2/dir.c, (2) fs/ext3/dir.c, and possibly (3) fs/ext4/dir.c in the Linux kernel 2.6.26.5 does not limit the number of printk console messages that report directory corruption, which allows physically proximate attackers to cause a denial of service (temporary system hang) by mounting a filesystem that has corrupted dir->i_size and dir->i_blocks values and performing (a) read or (b) write operations. NOTE: there are limited scenarios in which this crosses privilege boundaries.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3528"
},
{
"id": "CVE-2008-3534",
"summary": "The shmem_delete_inode function in mm/shmem.c in the tmpfs implementation in the Linux kernel before 2.6.26.1 allows local users to cause a denial of service (system crash) via a certain sequence of file create, remove, and overwrite operations, as demonstrated by the insserv program, related to allocation of \"useless pages\" and improper maintenance of the i_blocks count.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3534"
},
{
"id": "CVE-2008-3535",
"summary": "Off-by-one error in the iov_iter_advance function in mm/filemap.c in the Linux kernel before 2.6.27-rc2 allows local users to cause a denial of service (system crash) via a certain sequence of file I/O operations with readv and writev, as demonstrated by testcases/kernel/fs/ftest/ftest03 from the Linux Test Project.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3535"
},
{
"id": "CVE-2008-3686",
"summary": "The rt6_fill_node function in net/ipv6/route.c in Linux kernel 2.6.26-rc4, 2.6.26.2, and possibly other 2.6.26 versions, allows local users to cause a denial of service (kernel OOPS) via IPv6 requests when no IPv6 input device is in use, which triggers a NULL pointer dereference.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3686"
},
{
"id": "CVE-2008-3792",
"summary": "net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4 does not verify that the SCTP-AUTH extension is enabled before proceeding with SCTP-AUTH API functions, which allows attackers to cause a denial of service (NULL pointer dereference and panic) via vectors that result in calls to (1) sctp_setsockopt_auth_chunk, (2) sctp_setsockopt_hmac_ident, (3) sctp_setsockopt_auth_key, (4) sctp_setsockopt_active_key, (5) sctp_setsockopt_del_key, (6) sctp_getsockopt_maxburst, (7) sctp_getsockopt_active_key, (8) sctp_getsockopt_peer_auth_chunks, or (9) sctp_getsockopt_local_auth_chunks.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3792"
},
{
"id": "CVE-2008-3831",
"summary": "The i915 driver in (1) drivers/char/drm/i915_dma.c in the Linux kernel 2.6.24 on Debian GNU/Linux and (2) sys/dev/pci/drm/i915_drv.c in OpenBSD does not restrict the DRM_I915_HWS_ADDR ioctl to the Direct Rendering Manager (DRM) master, which allows local users to cause a denial of service (memory corruption) via a crafted ioctl call, related to absence of the DRM_MASTER and DRM_ROOT_ONLY flags in the ioctl's configuration.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3831"
},
{
"id": "CVE-2008-3833",
"summary": "The generic_file_splice_write function in fs/splice.c in the Linux kernel before 2.6.19 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by splicing into an inode in order to create an executable file in a setgid directory, a different vulnerability than CVE-2008-4210.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3833"
},
{
"id": "CVE-2008-3911",
"summary": "The proc_do_xprt function in net/sunrpc/sysctl.c in the Linux kernel 2.6.26.3 does not check the length of a certain buffer obtained from userspace, which allows local users to overflow a stack-based buffer and have unspecified other impact via a crafted read system call for the /proc/sys/sunrpc/transports file.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3911"
},
{
"id": "CVE-2008-3915",
"summary": "Buffer overflow in nfsd in the Linux kernel before 2.6.26.4, when NFSv4 is enabled, allows remote attackers to have an unknown impact via vectors related to decoding an NFSv4 acl.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3915"
},
{
"id": "CVE-2008-4113",
"summary": "The sctp_getsockopt_hmac_ident function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4, when the SCTP-AUTH extension is enabled, relies on an untrusted length value to limit copying of data from kernel memory, which allows local users to obtain sensitive information via a crafted SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4113"
},
{
"id": "CVE-2008-4210",
"summary": "fs/open.c in the Linux kernel before 2.6.22 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by creating an executable file in a setgid directory through the (1) truncate or (2) ftruncate function in conjunction with memory-mapped I/O.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4210"
},
{
"id": "CVE-2008-4302",
"summary": "fs/splice.c in the splice subsystem in the Linux kernel before 2.6.22.2 does not properly handle a failure of the add_to_page_cache_lru function, and subsequently attempts to unlock a page that was not locked, which allows local users to cause a denial of service (kernel BUG and system crash), as demonstrated by the fio I/O tool.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4302"
},
{
"id": "CVE-2008-4307",
"summary": "Race condition in the do_setlk function in fs/nfs/file.c in the Linux kernel before 2.6.26 allows local users to cause a denial of service (crash) via vectors resulting in an interrupted RPC call that leads to a stray FL_POSIX lock, related to improper handling of a race between fcntl and close in the EINTR case.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4307"
},
{
"id": "CVE-2008-4395",
"summary": "Multiple buffer overflows in the ndiswrapper module 1.53 for the Linux kernel 2.6 allow remote attackers to execute arbitrary code by sending packets over a local wireless network that specify long ESSIDs.",
"scorev2": "8.3",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4395"
},
{
"id": "CVE-2008-4410",
"summary": "The vmi_write_ldt_entry function in arch/x86/kernel/vmi_32.c in the Virtual Machine Interface (VMI) in the Linux kernel 2.6.26.5 invokes write_idt_entry where write_ldt_entry was intended, which allows local users to cause a denial of service (persistent application failure) via crafted function calls, related to the Java Runtime Environment (JRE) experiencing improper LDT selector state, a different vulnerability than CVE-2008-3247.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4410"
},
{
"id": "CVE-2008-4445",
"summary": "The sctp_auth_ep_set_hmacs function in net/sctp/auth.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4, when the SCTP-AUTH extension is enabled, does not verify that the identifier index is within the bounds established by SCTP_AUTH_HMAC_ID_MAX, which allows local users to obtain sensitive information via a crafted SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function, a different vulnerability than CVE-2008-4113.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4445"
},
{
"id": "CVE-2008-4554",
"summary": "The do_splice_from function in fs/splice.c in the Linux kernel before 2.6.27 does not reject file descriptors that have the O_APPEND flag set, which allows local users to bypass append mode and make arbitrary changes to other locations in the file.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4554"
},
{
"id": "CVE-2008-4576",
"summary": "sctp in Linux kernel before 2.6.25.18 allows remote attackers to cause a denial of service (OOPS) via an INIT-ACK that states the peer does not support AUTH, which causes the sctp_process_init function to clean up active transports and triggers the OOPS when the T1-Init timer expires.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4576"
},
{
"id": "CVE-2008-4609",
"summary": "The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4609"
},
{
"id": "CVE-2008-4618",
"summary": "The Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.27 does not properly handle a protocol violation in which a parameter has an invalid length, which allows attackers to cause a denial of service (panic) via unspecified vectors, related to sctp_sf_violation_paramlen, sctp_sf_abort_violation, sctp_make_abort_violation, and incorrect data types in function calls.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4618"
},
{
"id": "CVE-2008-4933",
"summary": "Buffer overflow in the hfsplus_find_cat function in fs/hfsplus/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to cause a denial of service (memory corruption or system crash) via an hfsplus filesystem image with an invalid catalog namelength field, related to the hfsplus_cat_build_key_uni function.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4933"
},
{
"id": "CVE-2008-4934",
"summary": "The hfsplus_block_allocate function in fs/hfsplus/bitmap.c in the Linux kernel before 2.6.28-rc1 does not check a certain return value from the read_mapping_page function before calling kmap, which allows attackers to cause a denial of service (system crash) via a crafted hfsplus filesystem image.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4934"
},
{
"id": "CVE-2008-5025",
"summary": "Stack-based buffer overflow in the hfs_cat_find_brec function in fs/hfs/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to cause a denial of service (memory corruption or system crash) via an hfs filesystem image with an invalid catalog namelength field, a related issue to CVE-2008-4933.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5025"
},
{
"id": "CVE-2008-5029",
"summary": "The __scm_destroy function in net/core/scm.c in the Linux kernel 2.6.27.4, 2.6.26, and earlier makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5029"
},
{
"id": "CVE-2008-5033",
"summary": "The chip_command function in drivers/media/video/tvaudio.c in the Linux kernel 2.6.25.x before 2.6.25.19, 2.6.26.x before 2.6.26.7, and 2.6.27.x before 2.6.27.3 allows attackers to cause a denial of service (NULL function pointer dereference and OOPS) via unknown vectors.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5033"
},
{
"id": "CVE-2008-5079",
"summary": "net/atm/svc.c in the ATM subsystem in the Linux kernel 2.6.27.8 and earlier allows local users to cause a denial of service (kernel infinite loop) by making two calls to svc_listen for the same socket, and then reading a /proc/net/atm/*vc file, related to corruption of the vcc table.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5079"
},
{
"id": "CVE-2008-5134",
"summary": "Buffer overflow in the lbs_process_bss function in drivers/net/wireless/libertas/scan.c in the libertas subsystem in the Linux kernel before 2.6.27.5 allows remote attackers to have an unknown impact via an \"invalid beacon/probe response.\"",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5134"
},
{
"id": "CVE-2008-5182",
"summary": "The inotify functionality in Linux kernel 2.6 before 2.6.28-rc5 might allow local users to gain privileges via unknown vectors related to race conditions in inotify watch removal and umount.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5182"
},
{
"id": "CVE-2008-5300",
"summary": "Linux kernel 2.6.28 allows local users to cause a denial of service (\"soft lockup\" and process loss) via a large number of sendmsg function calls, which does not block during AF_UNIX garbage collection and triggers an OOM condition, a different vulnerability than CVE-2008-5029.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5300"
},
{
"id": "CVE-2008-5395",
"summary": "The parisc_show_stack function in arch/parisc/kernel/traps.c in the Linux kernel before 2.6.28-rc7 on PA-RISC allows local users to cause a denial of service (system crash) via vectors associated with an attempt to unwind a stack that contains userspace addresses.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5395"
},
{
"id": "CVE-2008-5700",
"summary": "libata in the Linux kernel before 2.6.27.9 does not set minimum timeouts for SG_IO requests, which allows local users to cause a denial of service (Programmed I/O mode on drives) via multiple simultaneous invocations of an unspecified test program.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5700"
},
{
"id": "CVE-2008-5701",
"summary": "Array index error in arch/mips/kernel/scall64-o32.S in the Linux kernel before 2.6.28-rc8 on 64-bit MIPS platforms allows local users to cause a denial of service (system crash) via an o32 syscall with a small syscall number, which leads to an attempted read operation outside the bounds of the syscall table.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5701"
},
{
"id": "CVE-2008-5702",
"summary": "Buffer underflow in the ibwdt_ioctl function in drivers/watchdog/ib700wdt.c in the Linux kernel before 2.6.28-rc1 might allow local users to have an unknown impact via a certain /dev/watchdog WDIOC_SETTIMEOUT IOCTL call.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5702"
},
{
"id": "CVE-2008-5713",
"summary": "The __qdisc_run function in net/sched/sch_generic.c in the Linux kernel before 2.6.25 on SMP machines allows local users to cause a denial of service (soft lockup) by sending a large amount of network traffic, as demonstrated by multiple simultaneous invocations of the Netperf benchmark application in UDP_STREAM mode.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5713"
},
{
"id": "CVE-2008-6107",
"summary": "The (1) sys32_mremap function in arch/sparc64/kernel/sys_sparc32.c, the (2) sparc_mmap_check function in arch/sparc/kernel/sys_sparc.c, and the (3) sparc64_mmap_check function in arch/sparc64/kernel/sys_sparc.c, in the Linux kernel before 2.6.25.4, omit some virtual-address range (aka span) checks when the mremap MREMAP_FIXED bit is not set, which allows local users to cause a denial of service (panic) via unspecified mremap calls, a related issue to CVE-2008-2137.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-6107"
},
{
"id": "CVE-2008-7256",
"summary": "mm/shmem.c in the Linux kernel before 2.6.28-rc8, when strict overcommit is enabled and CONFIG_SECURITY is disabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-1643.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-7256"
},
{
"id": "CVE-2008-7316",
"summary": "mm/filemap.c in the Linux kernel before 2.6.25 allows local users to cause a denial of service (infinite loop) via a writev system call that triggers an iovec of zero length, followed by a page fault for an iovec of nonzero length.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-7316",
"detail": "fixed-version",
"description": "Fixed from version 2.6.25rc1"
},
{
"id": "CVE-2009-0024",
"summary": "The sys_remap_file_pages function in mm/fremap.c in the Linux kernel before 2.6.24.1 allows local users to cause a denial of service or gain privileges via unspecified vectors, related to the vm_file structure member, and the mmap_region and do_munmap functions.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0024"
},
{
"id": "CVE-2009-0028",
"summary": "The clone system call in the Linux kernel 2.6.28 and earlier allows local users to send arbitrary signals to a parent process from an unprivileged child process by launching an additional child process with the CLONE_PARENT flag, and then letting this new process exit.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0028"
},
{
"id": "CVE-2009-0029",
"summary": "The ABI in the Linux kernel 2.6.28 and earlier on s390, powerpc, sparc64, and mips 64-bit platforms requires that a 32-bit argument in a 64-bit register was properly sign extended when sent from a user-mode application, but cannot verify this, which allows local users to cause a denial of service (crash) or possibly gain privileges via a crafted system call.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0029"
},
{
"id": "CVE-2009-0031",
"summary": "Memory leak in the keyctl_join_session_keyring function (security/keys/keyctl.c) in Linux kernel 2.6.29-rc2 and earlier allows local users to cause a denial of service (kernel memory consumption) via unknown vectors related to a \"missing kfree.\"",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0031"
},
{
"id": "CVE-2009-0065",
"summary": "Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.28-git8 allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0065"
},
{
"id": "CVE-2009-0269",
"summary": "fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel before 2.6.28.1 allows local users to cause a denial of service (fault or memory corruption), or possibly have unspecified other impact, via a readlink call that results in an error, leading to use of a -1 return value as an array index.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0269"
},
{
"id": "CVE-2009-0322",
"summary": "drivers/firmware/dell_rbu.c in the Linux kernel before 2.6.27.13, and 2.6.28.x before 2.6.28.2, allows local users to cause a denial of service (system crash) via a read system call that specifies zero bytes from the (1) image_type or (2) packet_size file in /sys/devices/platform/dell_rbu/.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0322"
},
{
"id": "CVE-2009-0605",
"summary": "Stack consumption vulnerability in the do_page_fault function in arch/x86/mm/fault.c in the Linux kernel before 2.6.28.5 allows local users to cause a denial of service (memory corruption) or possibly gain privileges via unspecified vectors that trigger page faults on a machine that has a registered Kprobes probe.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0605"
},
{
"id": "CVE-2009-0675",
"summary": "The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux kernel before 2.6.28.6 permits SKFP_CLR_STATS requests only when the CAP_NET_ADMIN capability is absent, instead of when this capability is present, which allows local users to reset the driver statistics, related to an \"inverted logic\" issue.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0675"
},
{
"id": "CVE-2009-0676",
"summary": "The sock_getsockopt function in net/core/sock.c in the Linux kernel before 2.6.28.6 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0676"
},
{
"id": "CVE-2009-0745",
"summary": "The ext4_group_add function in fs/ext4/resize.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not properly initialize the group descriptor during a resize (aka resize2fs) operation, which might allow local users to cause a denial of service (OOPS) by arranging for crafted values to be present in available memory.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0745"
},
{
"id": "CVE-2009-0746",
"summary": "The make_indexed_dir function in fs/ext4/namei.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not validate a certain rec_len field, which allows local users to cause a denial of service (OOPS) by attempting to mount a crafted ext4 filesystem.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0746"
},
{
"id": "CVE-2009-0747",
"summary": "The ext4_isize function in fs/ext4/ext4.h in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 uses the i_size_high structure member during operations on arbitrary types of files, which allows local users to cause a denial of service (CPU consumption and error-message flood) by attempting to mount a crafted ext4 filesystem.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0747"
},
{
"id": "CVE-2009-0748",
"summary": "The ext4_fill_super function in fs/ext4/super.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not validate the superblock configuration, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) by attempting to mount a crafted ext4 filesystem.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0748"
},
{
"id": "CVE-2009-0778",
"summary": "The icmp_send function in net/ipv4/icmp.c in the Linux kernel before 2.6.25, when configured as a router with a REJECT route, does not properly manage the Protocol Independent Destination Cache (aka DST) in some situations involving transmission of an ICMP Host Unreachable message, which allows remote attackers to cause a denial of service (connectivity outage) by sending a large series of packets to many destination IP addresses within this REJECT route, related to an \"rt_cache leak.\"",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0778"
},
{
"id": "CVE-2009-0787",
"summary": "The ecryptfs_write_metadata_to_contents function in the eCryptfs functionality in the Linux kernel 2.6.28 before 2.6.28.9 uses an incorrect size when writing kernel memory to an eCryptfs file header, which triggers an out-of-bounds read and allows local users to obtain portions of kernel memory.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0787"
},
{
"id": "CVE-2009-0834",
"summary": "The audit_syscall_entry function in the Linux kernel 2.6.28.7 and earlier on the x86_64 platform does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass certain syscall audit configurations via crafted syscalls, a related issue to CVE-2009-0342 and CVE-2009-0343.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0834"
},
{
"id": "CVE-2009-0835",
"summary": "The __secure_computing function in kernel/seccomp.c in the seccomp subsystem in the Linux kernel 2.6.28.7 and earlier on the x86_64 platform, when CONFIG_SECCOMP is enabled, does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass intended access restrictions via crafted syscalls that are misinterpreted as (a) stat or (b) chmod, a related issue to CVE-2009-0342 and CVE-2009-0343.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0835"
},
{
"id": "CVE-2009-0859",
"summary": "The shm_get_stat function in ipc/shm.c in the shm subsystem in the Linux kernel before 2.6.28.5, when CONFIG_SHMEM is disabled, misinterprets the data type of an inode, which allows local users to cause a denial of service (system hang) via an SHM_INFO shmctl call, as demonstrated by running the ipcs program.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0859"
},
{
"id": "CVE-2009-0935",
"summary": "The inotify_read function in the Linux kernel 2.6.27 to 2.6.27.13, 2.6.28 to 2.6.28.2, and 2.6.29-rc3 allows local users to cause a denial of service (OOPS) via a read with an invalid address to an inotify instance, which causes the device's event list mutex to be unlocked twice and prevents proper synchronization of a data structure for the inotify instance.",
"scorev2": "4.7",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0935"
},
{
"id": "CVE-2009-1046",
"summary": "The console selection feature in the Linux kernel 2.6.28 before 2.6.28.4, 2.6.25, and possibly earlier versions, when the UTF-8 console is used, allows physically proximate attackers to cause a denial of service (memory corruption) by selecting a small number of 3-byte UTF-8 characters, which triggers an \"off-by-two memory error.\" NOTE: it is not clear whether this issue crosses privilege boundaries.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1046"
},
{
"id": "CVE-2009-1072",
"summary": "nfsd in the Linux kernel before 2.6.28.9 does not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1072"
},
{
"id": "CVE-2009-1184",
"summary": "The selinux_ip_postroute_iptables_compat function in security/selinux/hooks.c in the SELinux subsystem in the Linux kernel before 2.6.27.22, and 2.6.28.x before 2.6.28.10, when compat_net is enabled, omits calls to avc_has_perm for the (1) node and (2) port, which allows local users to bypass intended restrictions on network traffic. NOTE: this was incorrectly reported as an issue fixed in 2.6.27.21.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1184"
},
{
"id": "CVE-2009-1192",
"summary": "The (1) agp_generic_alloc_page and (2) agp_generic_alloc_pages functions in drivers/char/agp/generic.c in the agp subsystem in the Linux kernel before 2.6.30-rc3 do not zero out pages that may later be available to a user-space process, which allows local users to obtain sensitive information by reading these pages.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1192"
},
{
"id": "CVE-2009-1242",
"summary": "The vmx_set_msr function in arch/x86/kvm/vmx.c in the VMX implementation in the KVM subsystem in the Linux kernel before 2.6.29.1 on the i386 platform allows guest OS users to cause a denial of service (OOPS) by setting the EFER_LME (aka \"Long mode enable\") bit in the Extended Feature Enable Register (EFER) model-specific register, which is specific to the x86_64 platform.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1242"
},
{
"id": "CVE-2009-1243",
"summary": "net/ipv4/udp.c in the Linux kernel before 2.6.29.1 performs an unlocking step in certain incorrect circumstances, which allows local users to cause a denial of service (panic) by reading zero bytes from the /proc/net/udp file and unspecified other files, related to the \"udp seq_file infrastructure.\"",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1243"
},
{
"id": "CVE-2009-1265",
"summary": "Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux kernel 2.6.24.4, and other versions before 2.6.30-rc1, might allow remote attackers to obtain sensitive information via a large length value, which causes \"garbage\" memory to be sent.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1265"
},
{
"id": "CVE-2009-1298",
"summary": "The ip_frag_reasm function in net/ipv4/ip_fragment.c in the Linux kernel 2.6.32-rc8, and 2.6.29 and later versions before 2.6.32, calls IP_INC_STATS_BH with an incorrect argument, which allows remote attackers to cause a denial of service (NULL pointer dereference and hang) via long IP packets, possibly related to the ip_defrag function.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1298"
},
{
"id": "CVE-2009-1336",
"summary": "fs/nfs/client.c in the Linux kernel before 2.6.23 does not properly initialize a certain structure member that stores the maximum NFS filename length, which allows local users to cause a denial of service (OOPS) via a long filename, related to the encode_lookup function.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1336"
},
{
"id": "CVE-2009-1337",
"summary": "The exit_notify function in kernel/exit.c in the Linux kernel before 2.6.30-rc1 does not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1337"
},
{
"id": "CVE-2009-1338",
"summary": "The kill_something_info function in kernel/signal.c in the Linux kernel before 2.6.28 does not consider PID namespaces when processing signals directed to PID -1, which allows local users to bypass the intended namespace isolation, and send arbitrary signals to all processes in all namespaces, via a kill command.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1338"
},
{
"id": "CVE-2009-1360",
"summary": "The __inet6_check_established function in net/ipv6/inet6_hashtables.c in the Linux kernel before 2.6.29, when Network Namespace Support (aka NET_NS) is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via vectors involving IPv6 packets.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1360"
},
{
"id": "CVE-2009-1385",
"summary": "Integer underflow in the e1000_clean_rx_irq function in drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel before 2.6.30-rc8, the e1000e driver in the Linux kernel, and Intel Wired Ethernet (aka e1000) before 7.5.5 allows remote attackers to cause a denial of service (panic) via a crafted frame size.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1385"
},
{
"id": "CVE-2009-1388",
"summary": "The ptrace_start function in kernel/ptrace.c in the Linux kernel 2.6.18 does not properly handle simultaneous execution of the do_coredump function, which allows local users to cause a denial of service (deadlock) via vectors involving the ptrace system call and a coredumping thread.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1388"
},
{
"id": "CVE-2009-1389",
"summary": "Buffer overflow in the RTL8169 NIC driver (drivers/net/r8169.c) in the Linux kernel before 2.6.30 allows remote attackers to cause a denial of service (kernel memory corruption and crash) via a long packet.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1389"
},
{
"id": "CVE-2009-1439",
"summary": "Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.29 and earlier allows remote attackers to cause a denial of service (crash) via a long nativeFileSystem field in a Tree Connect response to an SMB mount request.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1439"
},
{
"id": "CVE-2009-1527",
"summary": "Race condition in the ptrace_attach function in kernel/ptrace.c in the Linux kernel before 2.6.30-rc4 allows local users to gain privileges via a PTRACE_ATTACH ptrace call during an exec system call that is launching a setuid application, related to locking an incorrect cred_exec_mutex object.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1527"
},
{
"id": "CVE-2009-1630",
"summary": "The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel 2.6.29.3 and earlier, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1630"
},
{
"id": "CVE-2009-1633",
"summary": "Multiple buffer overflows in the cifs subsystem in the Linux kernel before 2.6.29.4 allow remote CIFS servers to cause a denial of service (memory corruption) and possibly have unspecified other impact via (1) a malformed Unicode string, related to Unicode string area alignment in fs/cifs/sess.c; or (2) long Unicode characters, related to fs/cifs/cifssmb.c and the cifs_readdir function in fs/cifs/readdir.c.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1633"
},
{
"id": "CVE-2009-1883",
"summary": "The z90crypt_unlocked_ioctl function in the z90crypt driver in the Linux kernel 2.6.9 does not perform a capability check for the Z90QUIESCE operation, which allows local users to leverage euid 0 privileges to force a driver outage.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1883"
},
{
"id": "CVE-2009-1895",
"summary": "The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr protection mechanism, or (3) defeat address space layout randomization (ASLR).",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1895"
},
{
"id": "CVE-2009-1897",
"summary": "The tun_chr_poll function in drivers/net/tun.c in the tun subsystem in the Linux kernel 2.6.30 and 2.6.30.1, when the -fno-delete-null-pointer-checks gcc option is omitted, allows local users to gain privileges via vectors involving a NULL pointer dereference and an mmap of /dev/net/tun, a different vulnerability than CVE-2009-1894.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1897"
},
{
"id": "CVE-2009-1914",
"summary": "The pci_register_iommu_region function in arch/sparc/kernel/pci_common.c in the Linux kernel before 2.6.29 on the sparc64 platform allows local users to cause a denial of service (system crash) by reading the /proc/iomem file, related to uninitialized pointers and the request_resource function.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1914"
},
{
"id": "CVE-2009-1961",
"summary": "The inode double locking code in fs/ocfs2/file.c in the Linux kernel 2.6.30 before 2.6.30-rc3, 2.6.27 before 2.6.27.24, 2.6.29 before 2.6.29.4, and possibly other versions down to 2.6.19 allows local users to cause a denial of service (prevention of file creation and removal) via a series of splice system calls that trigger a deadlock between the generic_file_splice_write, splice_from_pipe, and ocfs2_file_splice_write functions.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1961"
},
{
"id": "CVE-2009-2287",
"summary": "The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel 2.6 before 2.6.30, when running on x86 systems, does not validate the page table root in a KVM_SET_SREGS call, which allows local users to cause a denial of service (crash or hang) via a crafted cr3 value, which triggers a NULL pointer dereference in the gfn_to_rmap function.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2287"
},
{
"id": "CVE-2009-2406",
"summary": "Stack-based buffer overflow in the parse_tag_11_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to not ensuring that the key signature length in a Tag 11 packet is compatible with the key signature buffer size.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2406"
},
{
"id": "CVE-2009-2407",
"summary": "Heap-based buffer overflow in the parse_tag_3_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to a large encrypted key size in a Tag 3 packet.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2407"
},
{
"id": "CVE-2009-2584",
"summary": "Off-by-one error in the options_write function in drivers/misc/sgi-gru/gruprocfs.c in the SGI GRU driver in the Linux kernel 2.6.30.2 and earlier on ia64 and x86 platforms might allow local users to overwrite arbitrary memory locations and gain privileges via a crafted count argument, which triggers a stack-based buffer overflow.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2584"
},
{
"id": "CVE-2009-2691",
"summary": "The mm_for_maps function in fs/proc/base.c in the Linux kernel 2.6.30.4 and earlier allows local users to read (1) maps and (2) smaps files under proc/ via vectors related to ELF loading, a setuid process, and a race condition.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2691"
},
{
"id": "CVE-2009-2692",
"summary": "The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2692",
"detail": "fixed-version",
"description": "Fixed from version 2.6.31rc6"
},
{
"id": "CVE-2009-2695",
"summary": "The Linux kernel before 2.6.31-rc7 does not properly prevent mmap operations that target page zero and other low memory addresses, which allows local users to gain privileges by exploiting NULL pointer dereference vulnerabilities, related to (1) the default configuration of the allow_unconfined_mmap_low boolean in SELinux on Red Hat Enterprise Linux (RHEL) 5, (2) an error that causes allow_unconfined_mmap_low to be ignored in the unconfined_t domain, (3) lack of a requirement for the CAP_SYS_RAWIO capability for these mmap operations, and (4) interaction between the mmap_min_addr protection mechanism and certain application programs.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2695"
},
{
"id": "CVE-2009-2698",
"summary": "The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2698"
},
{
"id": "CVE-2009-2767",
"summary": "The init_posix_timers function in kernel/posix-timers.c in the Linux kernel before 2.6.31-rc6 allows local users to cause a denial of service (OOPS) or possibly gain privileges via a CLOCK_MONOTONIC_RAW clock_nanosleep call that triggers a NULL pointer dereference.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2767"
},
{
"id": "CVE-2009-2768",
"summary": "The load_flat_shared_library function in fs/binfmt_flat.c in the flat subsystem in the Linux kernel before 2.6.31-rc6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by executing a shared flat binary, which triggers an access of an \"uninitialized cred pointer.\"",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2768"
},
{
"id": "CVE-2009-2844",
"summary": "cfg80211 in net/wireless/scan.c in the Linux kernel 2.6.30-rc1 and other versions before 2.6.31-rc6 allows remote attackers to cause a denial of service (crash) via a sequence of beacon frames in which one frame omits an SSID Information Element (IE) and the subsequent frame contains an SSID IE, which triggers a NULL pointer dereference in the cmp_ies function. NOTE: a potential weakness in the is_mesh function was also addressed, but the relevant condition did not exist in the code, so it is not a vulnerability.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2844"
},
{
"id": "CVE-2009-2846",
"summary": "The eisa_eeprom_read function in the parisc isa-eeprom component (drivers/parisc/eisa_eeprom.c) in the Linux kernel before 2.6.31-rc6 allows local users to access restricted memory via a negative ppos argument, which bypasses a check that assumes that ppos is positive and causes an out-of-bounds read in the readb function.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2846"
},
{
"id": "CVE-2009-2847",
"summary": "The do_sigaltstack function in kernel/signal.c in Linux kernel 2.4 through 2.4.37 and 2.6 before 2.6.31-rc5, when running on 64-bit systems, does not clear certain padding bytes from a structure, which allows local users to obtain sensitive information from the kernel stack via the sigaltstack function.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2847"
},
{
"id": "CVE-2009-2848",
"summary": "The execve function in the Linux kernel, possibly 2.6.30-rc6 and earlier, does not properly clear the current->clear_child_tid pointer, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a clone system call with CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID enabled, which is not properly handled during thread creation and exit.",
"scorev2": "5.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2848"
},
{
"id": "CVE-2009-2849",
"summary": "The md driver (drivers/md/md.c) in the Linux kernel before 2.6.30.2 might allow local users to cause a denial of service (NULL pointer dereference) via vectors related to \"suspend_* sysfs attributes\" and the (1) suspend_lo_store or (2) suspend_hi_store functions. NOTE: this is only a vulnerability when sysfs is writable by an attacker.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2849"
},
{
"id": "CVE-2009-2903",
"summary": "Memory leak in the appletalk subsystem in the Linux kernel 2.4.x through 2.4.37.6 and 2.6.x through 2.6.31, when the appletalk and ipddp modules are loaded but the ipddp\"N\" device is not found, allows remote attackers to cause a denial of service (memory consumption) via IP-DDP datagrams.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2903"
},
{
"id": "CVE-2009-2908",
"summary": "The d_delete function in fs/ecryptfs/inode.c in eCryptfs in the Linux kernel 2.6.31 allows local users to cause a denial of service (kernel OOPS) and possibly execute arbitrary code via unspecified vectors that cause a \"negative dentry\" and trigger a NULL pointer dereference, as demonstrated via a Mutt temporary directory in an eCryptfs mount.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2908"
},
{
"id": "CVE-2009-2909",
"summary": "Integer signedness error in the ax25_setsockopt function in net/ax25/af_ax25.c in the ax25 subsystem in the Linux kernel before 2.6.31.2 allows local users to cause a denial of service (OOPS) via a crafted optlen value in an SO_BINDTODEVICE operation.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2909"
},
{
"id": "CVE-2009-2910",
"summary": "arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.31.4 on the x86_64 platform does not clear certain kernel registers before a return to user mode, which allows local users to read register values from an earlier process by switching an ia32 process to 64-bit mode.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2910"
},
{
"id": "CVE-2009-3001",
"summary": "The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel 2.6.31-rc7 and earlier does not initialize a certain data structure, which allows local users to read the contents of some kernel memory locations by calling getsockname on an AF_LLC socket.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3001"
},
{
"id": "CVE-2009-3002",
"summary": "The Linux kernel before 2.6.31-rc7 does not initialize certain data structures within getname functions, which allows local users to read the contents of some kernel memory locations by calling getsockname on (1) an AF_APPLETALK socket, related to the atalk_getname function in net/appletalk/ddp.c; (2) an AF_IRDA socket, related to the irda_getname function in net/irda/af_irda.c; (3) an AF_ECONET socket, related to the econet_getname function in net/econet/af_econet.c; (4) an AF_NETROM socket, related to the nr_getname function in net/netrom/af_netrom.c; (5) an AF_ROSE socket, related to the rose_getname function in net/rose/af_rose.c; or (6) a raw CAN socket, related to the raw_getname function in net/can/raw.c.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3002"
},
{
"id": "CVE-2009-3043",
"summary": "The tty_ldisc_hangup function in drivers/char/tty_ldisc.c in the Linux kernel 2.6.31-rc before 2.6.31-rc8 allows local users to cause a denial of service (system crash, sometimes preceded by a NULL pointer dereference) or possibly gain privileges via certain pseudo-terminal I/O activity, as demonstrated by KernelTtyTest.c.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3043"
},
{
"id": "CVE-2009-3080",
"summary": "Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3080"
},
{
"id": "CVE-2009-3228",
"summary": "The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure members, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3228"
},
{
"id": "CVE-2009-3234",
"summary": "Buffer overflow in the perf_copy_attr function in kernel/perf_counter.c in the Linux kernel 2.6.31-rc1 allows local users to cause a denial of service (crash) and execute arbitrary code via a \"big size data\" to the perf_counter_open system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3234"
},
{
"id": "CVE-2009-3238",
"summary": "The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to \"return the same value over and over again for long stretches of time.\"",
"scorev2": "7.8",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3238"
},
{
"id": "CVE-2009-3280",
"summary": "Integer signedness error in the find_ie function in net/wireless/scan.c in the cfg80211 subsystem in the Linux kernel before 2.6.31.1-rc1 allows remote attackers to cause a denial of service (soft lockup) via malformed packets.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3280"
},
{
"id": "CVE-2009-3286",
"summary": "NFSv4 in the Linux kernel 2.6.18, and possibly other versions, does not properly clean up an inode when an O_EXCL create fails, which causes files to be created with insecure settings such as setuid bits, and possibly allows local users to gain privileges, related to the execution of the do_open_permission function even when a create fails.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3286"
},
{
"id": "CVE-2009-3288",
"summary": "The sg_build_indirect function in drivers/scsi/sg.c in Linux kernel 2.6.28-rc1 through 2.6.31-rc8 uses an incorrect variable when accessing an array, which allows local users to cause a denial of service (kernel OOPS and NULL pointer dereference), as demonstrated by using xcdroast to duplicate a CD. NOTE: this is only exploitable by users who can open the cdrom device.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3288"
},
{
"id": "CVE-2009-3290",
"summary": "The kvm_emulate_hypercall function in arch/x86/kvm/x86.c in KVM in the Linux kernel 2.6.25-rc1, and other versions before 2.6.31, when running on x86 systems, does not prevent access to MMU hypercalls from ring 0, which allows local guest OS users to cause a denial of service (guest kernel crash) and read or write guest kernel memory via unspecified \"random addresses.\"",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3290"
},
{
"id": "CVE-2009-3547",
"summary": "Multiple race conditions in fs/pipe.c in the Linux kernel before 2.6.32-rc6 allow local users to cause a denial of service (NULL pointer dereference and system crash) or gain privileges by attempting to open an anonymous pipe via a /proc/*/fd/ pathname.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3547"
},
{
"id": "CVE-2009-3556",
"summary": "A certain Red Hat configuration step for the qla2xxx driver in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5, when N_Port ID Virtualization (NPIV) hardware is used, sets world-writable permissions for the (1) vport_create and (2) vport_delete files under /sys/class/scsi_host/, which allows local users to make arbitrary changes to SCSI host attributes by modifying these files.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3556"
},
{
"id": "CVE-2009-3612",
"summary": "The tcf_fill_node function in net/sched/cls_api.c in the netlink subsystem in the Linux kernel 2.6.x before 2.6.32-rc5, and 2.4.37.6 and earlier, does not initialize a certain tcm__pad2 structure member, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. NOTE: this issue exists because of an incomplete fix for CVE-2005-4881.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3612"
},
{
"id": "CVE-2009-3613",
"summary": "The swiotlb functionality in the r8169 driver in drivers/net/r8169.c in the Linux kernel before 2.6.27.22 allows remote attackers to cause a denial of service (IOMMU space exhaustion and system crash) by using jumbo frames for a large amount of network traffic, as demonstrated by a flood ping.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3613"
},
{
"id": "CVE-2009-3620",
"summary": "The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls.",
"scorev2": "4.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3620"
},
{
"id": "CVE-2009-3621",
"summary": "net/unix/af_unix.c in the Linux kernel 2.6.31.4 and earlier allows local users to cause a denial of service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3621"
},
{
"id": "CVE-2009-3623",
"summary": "The lookup_cb_cred function in fs/nfsd/nfs4callback.c in the nfsd4 subsystem in the Linux kernel before 2.6.31.2 attempts to access a credentials cache even when a client specifies the AUTH_NULL authentication flavor, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an NFSv4 mount request.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3623"
},
{
"id": "CVE-2009-3624",
"summary": "The get_instantiation_keyring function in security/keys/keyctl.c in the KEYS subsystem in the Linux kernel before 2.6.32-rc5 does not properly maintain the reference count of a keyring, which allows local users to gain privileges or cause a denial of service (OOPS) via vectors involving calls to this function without specifying a keyring by ID, as demonstrated by a series of keyctl request2 and keyctl list commands.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3624"
},
{
"id": "CVE-2009-3638",
"summary": "Integer overflow in the kvm_dev_ioctl_get_supported_cpuid function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.31.4 allows local users to have an unspecified impact via a KVM_GET_SUPPORTED_CPUID request to the kvm_arch_dev_ioctl function.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3638"
},
{
"id": "CVE-2009-3640",
"summary": "The update_cr8_intercept function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.32-rc1 does not properly handle the absence of an Advanced Programmable Interrupt Controller (APIC), which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via a call to the kvm_vcpu_ioctl function.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3640"
},
{
"id": "CVE-2009-3722",
"summary": "The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 2.6.31.1 does not properly verify the Current Privilege Level (CPL) before accessing a debug register, which allows guest OS users to cause a denial of service (trap) on the host OS via a crafted application.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3722"
},
{
"id": "CVE-2009-3725",
"summary": "The connector layer in the Linux kernel before 2.6.31.5 does not require the CAP_SYS_ADMIN capability for certain interaction with the (1) uvesafb, (2) pohmelfs, (3) dst, or (4) dm subsystem, which allows local users to bypass intended access restrictions and gain privileges via calls to functions in these subsystems.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3725"
},
{
"id": "CVE-2009-3726",
"summary": "The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client in the Linux kernel before 2.6.31-rc4 allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) by sending a certain response containing incorrect file attributes, which trigger attempted use of an open file that lacks NFSv4 state.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3726"
},
{
"id": "CVE-2009-3888",
"summary": "The do_mmap_pgoff function in mm/nommu.c in the Linux kernel before 2.6.31.6, when the CPU lacks a memory management unit, allows local users to cause a denial of service (OOPS) via an application that attempts to allocate a large amount of memory.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3888"
},
{
"id": "CVE-2009-3889",
"summary": "The dbg_lvl file for the megaraid_sas driver in the Linux kernel before 2.6.27 has world-writable permissions, which allows local users to change the (1) behavior and (2) logging level of the driver by modifying this file.",
"scorev2": "6.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3889"
},
{
"id": "CVE-2009-3939",
"summary": "The poll_mode_io file for the megaraid_sas driver in the Linux kernel 2.6.31.6 and earlier has world-writable permissions, which allows local users to change the I/O mode of the driver by modifying this file.",
"scorev2": "6.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3939"
},
{
"id": "CVE-2009-4004",
"summary": "Buffer overflow in the kvm_vcpu_ioctl_x86_setup_mce function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.32-rc7 allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a KVM_X86_SETUP_MCE IOCTL request that specifies a large number of Machine Check Exception (MCE) banks.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4004"
},
{
"id": "CVE-2009-4005",
"summary": "The collect_rx_frame function in drivers/isdn/hisax/hfc_usb.c in the Linux kernel before 2.6.32-rc7 allows attackers to have an unspecified impact via a crafted HDLC packet that arrives over ISDN and triggers a buffer under-read.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4005"
},
{
"id": "CVE-2009-4020",
"summary": "Stack-based buffer overflow in the hfs subsystem in the Linux kernel 2.6.32 allows remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem, related to the hfs_readdir function in fs/hfs/dir.c.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4020"
},
{
"id": "CVE-2009-4021",
"summary": "The fuse_direct_io function in fs/fuse/file.c in the fuse subsystem in the Linux kernel before 2.6.32-rc7 might allow attackers to cause a denial of service (invalid pointer dereference and OOPS) via vectors possibly related to a memory-consumption attack.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4021"
},
{
"id": "CVE-2009-4026",
"summary": "The mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-20091201 allows remote attackers to cause a denial of service (panic) via a crafted Delete Block ACK (aka DELBA) packet, related to an erroneous \"code shuffling patch.\"",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4026"
},
{
"id": "CVE-2009-4027",
"summary": "Race condition in the mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-20091201 allows remote attackers to cause a denial of service (system crash) via a Delete Block ACK (aka DELBA) packet that triggers a certain state change in the absence of an aggregation session.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4027"
},
{
"id": "CVE-2009-4031",
"summary": "The do_insn_fetch function in arch/x86/kvm/emulate.c in the x86 emulator in the KVM subsystem in the Linux kernel before 2.6.32-rc8-next-20091125 tries to interpret instructions that contain too many bytes to be valid, which allows guest OS users to cause a denial of service (increased scheduling latency) on the host OS via unspecified manipulations related to SMP support.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4031"
},
{
"id": "CVE-2009-4067",
"summary": "Buffer overflow in the auerswald_probe function in the Auerswald Linux USB driver for the Linux kernel before 2.6.27 allows physically proximate attackers to execute arbitrary code, cause a denial of service via a crafted USB device, or take full control of the system.",
"scorev2": "7.2",
"scorev3": "6.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4067"
},
{
"id": "CVE-2009-4131",
"summary": "The EXT4_IOC_MOVE_EXT (aka move extents) ioctl implementation in the ext4 filesystem in the Linux kernel before 2.6.32-git6 allows local users to overwrite arbitrary files via a crafted request, related to insufficient checks for file permissions.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4131"
},
{
"id": "CVE-2009-4138",
"summary": "drivers/firewire/ohci.c in the Linux kernel before 2.6.32-git9, when packet-per-buffer mode is used, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unknown other impact via an unspecified ioctl associated with receiving an ISO packet that contains zero in the payload-length field.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4138"
},
{
"id": "CVE-2009-4141",
"summary": "Use-after-free vulnerability in the fasync_helper function in fs/fcntl.c in the Linux kernel before 2.6.33-rc4-git1 allows local users to gain privileges via vectors that include enabling O_ASYNC (aka FASYNC or FIOASYNC) on a locked file, and then closing this file.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4141"
},
{
"id": "CVE-2009-4271",
"summary": "The Linux kernel 2.6.9 through 2.6.17 on the x86_64 and amd64 platforms allows local users to cause a denial of service (panic) via a 32-bit application that calls mprotect on its Virtual Dynamic Shared Object (VDSO) page and then triggers a segmentation fault.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4271"
},
{
"id": "CVE-2009-4272",
"summary": "A certain Red Hat patch for net/ipv4/route.c in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 allows remote attackers to cause a denial of service (deadlock) via crafted packets that force collisions in the IPv4 routing hash table, and trigger a routing \"emergency\" in which a hash chain is too long. NOTE: this is related to an issue in the Linux kernel before 2.6.31, when the kernel routing cache is disabled, involving an uninitialized pointer and a panic.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4272"
},
{
"id": "CVE-2009-4306",
"summary": "Unspecified vulnerability in the EXT4_IOC_MOVE_EXT (aka move extents) ioctl implementation in the ext4 filesystem in the Linux kernel 2.6.32-git6 and earlier allows local users to cause a denial of service (filesystem corruption) via unknown vectors, a different vulnerability than CVE-2009-4131.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4306"
},
{
"id": "CVE-2009-4307",
"summary": "The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel before 2.6.32-git6 allows user-assisted remote attackers to cause a denial of service (divide-by-zero error and panic) via a malformed ext4 filesystem containing a super block with a large FLEX_BG group size (aka s_log_groups_per_flex value).",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4307"
},
{
"id": "CVE-2009-4308",
"summary": "The ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel before 2.6.32 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4308"
},
{
"id": "CVE-2009-4410",
"summary": "The fuse_ioctl_copy_user function in the ioctl handler in fs/fuse/file.c in the Linux kernel 2.6.29-rc1 through 2.6.30.y uses the wrong variable in an argument to the kunmap function, which allows local users to cause a denial of service (panic) via unknown vectors.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4410"
},
{
"id": "CVE-2009-4536",
"summary": "drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel 2.6.32.3 and earlier handles Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete frame, which allows remote attackers to bypass packet filters via a large packet with a crafted payload. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1385.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4536"
},
{
"id": "CVE-2009-4537",
"summary": "drivers/net/r8169.c in the r8169 driver in the Linux kernel 2.6.32.3 and earlier does not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to (1) cause a denial of service (temporary network outage) via a packet with a crafted size, in conjunction with certain packets containing A characters and certain packets containing E characters; or (2) cause a denial of service (system crash) via a packet with a crafted size, in conjunction with certain packets containing '\\0' characters, related to the value of the status register and erroneous behavior associated with the RxMaxSize register. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1389.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4537"
},
{
"id": "CVE-2009-4538",
"summary": "drivers/net/e1000e/netdev.c in the e1000e driver in the Linux kernel 2.6.32.3 and earlier does not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to have an unspecified impact via crafted packets, a related issue to CVE-2009-4537.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4538"
},
{
"id": "CVE-2009-4895",
"summary": "Race condition in the tty_fasync function in drivers/char/tty_io.c in the Linux kernel before 2.6.32.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via unknown vectors, related to the put_tty_queue and __f_setown functions. NOTE: the vulnerability was addressed in a different way in 2.6.32.9.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4895"
},
{
"id": "CVE-2010-0003",
"summary": "The print_fatal_signal function in kernel/signal.c in the Linux kernel before 2.6.32.4 on the i386 platform, when print-fatal-signals is enabled, allows local users to discover the contents of arbitrary memory locations by jumping to an address and then reading a log file, and might allow local users to cause a denial of service (system slowdown or crash) by jumping to an address.",
"scorev2": "5.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0003"
},
{
"id": "CVE-2010-0006",
"summary": "The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel before 2.6.32.4, when network namespaces are enabled, allows remote attackers to cause a denial of service (NULL pointer dereference) via an invalid IPv6 jumbogram, a related issue to CVE-2007-4567.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0006"
},
{
"id": "CVE-2010-0007",
"summary": "net/bridge/netfilter/ebtables.c in the ebtables module in the netfilter framework in the Linux kernel before 2.6.33-rc4 does not require the CAP_NET_ADMIN capability for setting or modifying rules, which allows local users to bypass intended access restrictions and configure arbitrary network-traffic filtering via a modified ebtables application.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0007"
},
{
"id": "CVE-2010-0008",
"summary": "The sctp_rcv_ootb function in the SCTP implementation in the Linux kernel before 2.6.23 allows remote attackers to cause a denial of service (infinite loop) via (1) an Out Of The Blue (OOTB) chunk or (2) a chunk of zero length.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0008",
"detail": "fixed-version",
"description": "Fixed from version 2.6.23rc9"
},
{
"id": "CVE-2010-0291",
"summary": "The Linux kernel before 2.6.32.4 allows local users to gain privileges or cause a denial of service (panic) by calling the (1) mmap or (2) mremap function, aka the \"do_mremap() mess\" or \"mremap/mmap mess.\"",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0291"
},
{
"id": "CVE-2010-0298",
"summary": "The x86 emulator in KVM 83 does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) in determining the memory access available to CPL3 code, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, a related issue to CVE-2010-0306.",
"scorev2": "6.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0298",
"detail": "fixed-version",
"description": "2.6.34 (1871c6)"
},
{
"id": "CVE-2010-0307",
"summary": "The load_elf_binary function in fs/binfmt_elf.c in the Linux kernel before 2.6.32.8 on the x86_64 platform does not ensure that the ELF interpreter is available before a call to the SET_PERSONALITY macro, which allows local users to cause a denial of service (system crash) via a 32-bit application that attempts to execute a 64-bit application and then triggers a segmentation fault, as demonstrated by amd64_killer, related to the flush_old_exec function.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0307"
},
{
"id": "CVE-2010-0410",
"summary": "drivers/connector/connector.c in the Linux kernel before 2.6.32.8 allows local users to cause a denial of service (memory consumption and system crash) by sending the kernel many NETLINK_CONNECTOR messages.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0410"
},
{
"id": "CVE-2010-0415",
"summary": "The do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7 does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel's node set.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0415"
},
{
"id": "CVE-2010-0437",
"summary": "The ip6_dst_lookup_tail function in net/ipv6/ip6_output.c in the Linux kernel before 2.6.27 does not properly handle certain circumstances involving an IPv6 TUN network interface and a large number of neighbors, which allows attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via unknown vectors.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0437"
},
{
"id": "CVE-2010-0622",
"summary": "The wake_futex_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0622"
},
{
"id": "CVE-2010-0623",
"summary": "The futex_lock_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly manage a certain reference count, which allows local users to cause a denial of service (OOPS) via vectors involving an unmount of an ext3 filesystem.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0623"
},
{
"id": "CVE-2010-0727",
"summary": "The gfs2_lock function in the Linux kernel before 2.6.34-rc1-next-20100312, and the gfs_lock function in the Linux kernel on Red Hat Enterprise Linux (RHEL) 5 and 6, does not properly remove POSIX locks on files that are setgid without group-execute permission, which allows local users to cause a denial of service (BUG and system crash) by locking a file on a (1) GFS or (2) GFS2 filesystem, and then changing this file's permissions.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0727"
},
{
"id": "CVE-2010-0741",
"summary": "The virtio_net_bad_features function in hw/virtio-net.c in the virtio-net driver in the Linux kernel before 2.6.26, when used on a guest OS in conjunction with qemu-kvm 0.11.0 or KVM 83, allows remote attackers to cause a denial of service (guest OS crash, and an associated qemu-kvm process exit) by sending a large amount of network traffic to a TCP port on the guest OS, related to a virtio-net whitelist that includes an improper implementation of TCP Segment Offloading (TSO).",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0741"
},
{
"id": "CVE-2010-1083",
"summary": "The processcompl_compat function in drivers/usb/core/devio.c in Linux kernel 2.6.x through 2.6.32, and possibly other versions, does not clear the transfer buffer before returning to userspace when a USB command fails, which might make it easier for physically proximate attackers to obtain sensitive information (kernel memory).",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1083"
},
{
"id": "CVE-2010-1084",
"summary": "Linux kernel 2.6.18 through 2.6.33, and possibly other versions, allows remote attackers to cause a denial of service (memory corruption) via a large number of Bluetooth sockets, related to the size of sysfs files in (1) net/bluetooth/l2cap.c, (2) net/bluetooth/rfcomm/core.c, (3) net/bluetooth/rfcomm/sock.c, and (4) net/bluetooth/sco.c.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1084"
},
{
"id": "CVE-2010-1085",
"summary": "The azx_position_ok function in hda_intel.c in Linux kernel 2.6.33-rc4 and earlier, when running on the AMD780V chip set, allows context-dependent attackers to cause a denial of service (crash) via unknown manipulations that trigger a divide-by-zero error.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1085"
},
{
"id": "CVE-2010-1086",
"summary": "The ULE decapsulation functionality in drivers/media/dvb/dvb-core/dvb_net.c in dvb-core in Linux kernel 2.6.33 and earlier allows attackers to cause a denial of service (infinite loop) via a crafted MPEG2-TS frame, related to an invalid Payload Pointer ULE.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1086"
},
{
"id": "CVE-2010-1087",
"summary": "The nfs_wait_on_request function in fs/nfs/pagelist.c in Linux kernel 2.6.x through 2.6.33-rc5 allows attackers to cause a denial of service (Oops) via unknown vectors related to truncating a file and an operation that is not interruptible.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1087"
},
{
"id": "CVE-2010-1088",
"summary": "fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always follow NFS automount \"symlinks,\" which allows attackers to have an unknown impact, related to LOOKUP_FOLLOW.",
"scorev2": "5.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1088"
},
{
"id": "CVE-2010-1146",
"summary": "The Linux kernel 2.6.33.2 and earlier, when a ReiserFS filesystem exists, does not restrict read or write access to the .reiserfs_priv directory, which allows local users to gain privileges by modifying (1) extended attributes or (2) ACLs, as demonstrated by deleting a file under .reiserfs_priv/xattrs/.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1146"
},
{
"id": "CVE-2010-1148",
"summary": "The cifs_create function in fs/cifs/dir.c in the Linux kernel 2.6.33.2 and earlier allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a NULL nameidata (aka nd) field in a POSIX file-creation request to a server that supports UNIX extensions.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1148"
},
{
"id": "CVE-2010-1162",
"summary": "The release_one_tty function in drivers/char/tty_io.c in the Linux kernel before 2.6.34-rc4 omits certain required calls to the put_pid function, which has unspecified impact and local attack vectors.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1162"
},
{
"id": "CVE-2010-1173",
"summary": "The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1173"
},
{
"id": "CVE-2010-1187",
"summary": "The Transparent Inter-Process Communication (TIPC) functionality in Linux kernel 2.6.16-rc1 through 2.6.33, and possibly other versions, allows local users to cause a denial of service (kernel OOPS) by sending datagrams through AF_TIPC before entering network mode, which triggers a NULL pointer dereference.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1187"
},
{
"id": "CVE-2010-1188",
"summary": "Use-after-free vulnerability in net/ipv4/tcp_input.c in the Linux kernel 2.6 before 2.6.20, when IPV6_RECVPKTINFO is set on a listening socket, allows remote attackers to cause a denial of service (kernel panic) via a SYN packet while the socket is in a listening (TCP_LISTEN) state, which is not properly handled and causes the skb structure to be freed.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1188"
},
{
"id": "CVE-2010-1436",
"summary": "gfs2 in the Linux kernel 2.6.18, and possibly other versions, does not properly handle when the gfs2_quota struct occupies two separate pages, which allows local users to cause a denial of service (kernel panic) via certain manipulations that cause an out-of-bounds write, as demonstrated by writing from an ext3 file system to a gfs2 file system.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1436"
},
{
"id": "CVE-2010-1437",
"summary": "Race condition in the find_keyring_by_name function in security/keys/keyring.c in the Linux kernel 2.6.34-rc5 and earlier allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via keyctl session commands that trigger access to a dead keyring that is undergoing deletion by the key_cleanup function.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1437"
},
{
"id": "CVE-2010-1446",
"summary": "arch/powerpc/mm/fsl_booke_mmu.c in KGDB in the Linux kernel 2.6.30 and other versions before 2.6.33, when running on PowerPC, does not properly perform a security check for access to a kernel page, which allows local users to overwrite arbitrary kernel memory, related to Fsl booke.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1446"
},
{
"id": "CVE-2010-1451",
"summary": "The TSB I-TLB load implementation in arch/sparc/kernel/tsb.S in the Linux kernel before 2.6.33 on the SPARC platform does not properly obtain the value of a certain _PAGE_EXEC_4U bit and consequently does not properly implement a non-executable stack, which makes it easier for context-dependent attackers to exploit stack-based buffer overflows via a crafted application.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1451"
},
{
"id": "CVE-2010-1488",
"summary": "The proc_oom_score function in fs/proc/base.c in the Linux kernel before 2.6.34-rc4 uses inappropriate data structures during selection of a candidate for the OOM killer, which might allow local users to cause a denial of service via unspecified patterns of task creation.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1488"
},
{
"id": "CVE-2010-1636",
"summary": "The btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the btrfs functionality in the Linux kernel 2.6.29 through 2.6.32, and possibly other versions, does not ensure that a cloned file descriptor has been opened for reading, which allows local users to read sensitive information from a write-only file descriptor.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1636"
},
{
"id": "CVE-2010-1641",
"summary": "The do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel before 2.6.34-git10 does not verify the ownership of a file, which allows local users to bypass intended access restrictions via a SETFLAGS ioctl request.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1641"
},
{
"id": "CVE-2010-1643",
"summary": "mm/shmem.c in the Linux kernel before 2.6.28-rc3, when strict overcommit is enabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1643"
},
{
"id": "CVE-2010-2066",
"summary": "The mext_check_arguments function in fs/ext4/move_extent.c in the Linux kernel before 2.6.35 allows local users to overwrite an append-only file via a MOVE_EXT ioctl call that specifies this file as a donor.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2066"
},
{
"id": "CVE-2010-2071",
"summary": "The btrfs_xattr_set_acl function in fs/btrfs/acl.c in btrfs in the Linux kernel 2.6.34 and earlier does not check file ownership before setting an ACL, which allows local users to bypass file permissions by setting arbitrary ACLs, as demonstrated using setfacl.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2071"
},
{
"id": "CVE-2010-2226",
"summary": "The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel before 2.6.35 does not properly check the file descriptors passed to the SWAPEXT ioctl, which allows local users to leverage write access and obtain read access by swapping one file into another file.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2226"
},
{
"id": "CVE-2010-2240",
"summary": "The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2240"
},
{
"id": "CVE-2010-2243",
"summary": "A vulnerability exists in kernel/time/clocksource.c in the Linux kernel before 2.6.34 where on non-GENERIC_TIME systems (GENERIC_TIME=n), accessing /sys/devices/system/clocksource/clocksource0/current_clocksource results in an OOPS.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2243"
},
{
"id": "CVE-2010-2248",
"summary": "fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel before 2.6.34-rc4 allows remote attackers to cause a denial of service (panic) via an SMB response packet with an invalid CountHigh value, as demonstrated by a response from an OS/2 server, related to the CIFSSMBWrite and CIFSSMBWrite2 functions.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2248"
},
{
"id": "CVE-2010-2478",
"summary": "Integer overflow in the ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel before 2.6.33.7 on 32-bit platforms allows local users to cause a denial of service or possibly have unspecified other impact via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value that triggers a buffer overflow, a different vulnerability than CVE-2010-3084.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2478"
},
{
"id": "CVE-2010-2492",
"summary": "Buffer overflow in the ecryptfs_uid_hash macro in fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux kernel before 2.6.35 might allow local users to gain privileges or cause a denial of service (system crash) via unspecified vectors.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2492"
},
{
"id": "CVE-2010-2495",
"summary": "The pppol2tp_xmit function in drivers/net/pppol2tp.c in the L2TP implementation in the Linux kernel before 2.6.34 does not properly validate certain values associated with an interface, which allows attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via vectors related to a routing change.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2495"
},
{
"id": "CVE-2010-2521",
"summary": "Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS server in the Linux kernel before 2.6.34-rc6 allow remote attackers to cause a denial of service (panic) or possibly execute arbitrary code via a crafted NFSv4 compound WRITE request, related to the read_buf and nfsd4_decode_compound functions.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2521"
},
{
"id": "CVE-2010-2524",
"summary": "The DNS resolution functionality in the CIFS implementation in the Linux kernel before 2.6.35, when CONFIG_CIFS_DFS_UPCALL is enabled, relies on a user's keyring for the dns_resolver upcall in the cifs.upcall userspace helper, which allows local users to spoof the results of DNS queries and perform arbitrary CIFS mounts via vectors involving an add_key call, related to a \"cache stuffing\" issue and MS-DFS referrals.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2524"
},
{
"id": "CVE-2010-2525",
"summary": "A flaw was discovered in gfs2 file system\u2019s handling of acls (access control lists). An unprivileged local attacker could exploit this flaw to gain access or execute any file stored in the gfs2 file system.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2525"
},
{
"id": "CVE-2010-2537",
"summary": "The btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the Linux kernel before 2.6.35 allows local users to overwrite an append-only file via a (1) BTRFS_IOC_CLONE or (2) BTRFS_IOC_CLONE_RANGE ioctl call that specifies this file as a donor.",
"scorev2": "6.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2537"
},
{
"id": "CVE-2010-2538",
"summary": "Integer overflow in the btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the Linux kernel before 2.6.35 might allow local users to obtain sensitive information via a BTRFS_IOC_CLONE_RANGE ioctl call.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2538"
},
{
"id": "CVE-2010-2653",
"summary": "Race condition in the hvc_close function in drivers/char/hvc_console.c in the Linux kernel before 2.6.34 allows local users to cause a denial of service or possibly have unspecified other impact by closing a Hypervisor Virtual Console device, related to the hvc_open and hvc_remove functions.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2653"
},
{
"id": "CVE-2010-2798",
"summary": "The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kernel before 2.6.35 uses an incorrect size value in calculations associated with sentinel directory entries, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact by renaming a file in a GFS2 filesystem, related to the gfs2_rename function in fs/gfs2/ops_inode.c.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2798"
},
{
"id": "CVE-2010-2803",
"summary": "The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows local users to obtain potentially sensitive information from kernel memory by requesting a large memory-allocation amount.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2803"
},
{
"id": "CVE-2010-2938",
"summary": "arch/x86/hvm/vmx/vmcs.c in the virtual-machine control structure (VMCS) implementation in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5, when an Intel platform without Extended Page Tables (EPT) functionality is used, accesses VMCS fields without verifying hardware support for these fields, which allows local users to cause a denial of service (host OS crash) by requesting a VMCS dump for a fully virtualized Xen guest.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2938"
},
{
"id": "CVE-2010-2942",
"summary": "The actions implementation in the network queueing functionality in the Linux kernel before 2.6.36-rc2 does not properly initialize certain structure members when performing dump operations, which allows local users to obtain potentially sensitive information from kernel memory via vectors related to (1) the tcf_gact_dump function in net/sched/act_gact.c, (2) the tcf_mirred_dump function in net/sched/act_mirred.c, (3) the tcf_nat_dump function in net/sched/act_nat.c, (4) the tcf_simp_dump function in net/sched/act_simple.c, and (5) the tcf_skbedit_dump function in net/sched/act_skbedit.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2942"
},
{
"id": "CVE-2010-2943",
"summary": "The xfs implementation in the Linux kernel before 2.6.35 does not look up inode allocation btrees before reading inode buffers, which allows remote authenticated users to read unlinked files, or read or overwrite disk blocks that are currently assigned to an active file but were previously assigned to an unlinked file, by accessing a stale NFS filehandle.",
"scorev2": "6.4",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2943"
},
{
"id": "CVE-2010-2946",
"summary": "fs/jfs/xattr.c in the Linux kernel before 2.6.35.2 does not properly handle a certain legacy format for storage of extended attributes, which might allow local users by bypass intended xattr namespace restrictions via an \"os2.\" substring at the beginning of a name.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2946"
},
{
"id": "CVE-2010-2954",
"summary": "The irda_bind function in net/irda/af_irda.c in the Linux kernel before 2.6.36-rc3-next-20100901 does not properly handle failure of the irda_open_tsap function, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact via multiple unsuccessful calls to bind on an AF_IRDA (aka PF_IRDA) socket.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2954"
},
{
"id": "CVE-2010-2955",
"summary": "The cfg80211_wext_giwessid function in net/wireless/wext-compat.c in the Linux kernel before 2.6.36-rc3-next-20100831 does not properly initialize certain structure members, which allows local users to leverage an off-by-one error in the ioctl_standard_iw_point function in net/wireless/wext-core.c, and obtain potentially sensitive information from kernel heap memory, via vectors involving an SIOCGIWESSID ioctl call that specifies a large buffer size.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2955"
},
{
"id": "CVE-2010-2959",
"summary": "Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) implementation in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows attackers to execute arbitrary code or cause a denial of service (system crash) via crafted CAN traffic.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2959"
},
{
"id": "CVE-2010-2960",
"summary": "The keyctl_session_to_parent function in security/keys/keyctl.c in the Linux kernel 2.6.35.4 and earlier expects that a certain parent session keyring exists, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a KEYCTL_SESSION_TO_PARENT argument to the keyctl function.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2960"
},
{
"id": "CVE-2010-2962",
"summary": "drivers/gpu/drm/i915/i915_gem.c in the Graphics Execution Manager (GEM) in the Intel i915 driver in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.36 does not properly validate pointers to blocks of memory, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via crafted use of the ioctl interface, related to (1) pwrite and (2) pread operations.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2962"
},
{
"id": "CVE-2010-2963",
"summary": "drivers/media/video/v4l2-compat-ioctl32.c in the Video4Linux (V4L) implementation in the Linux kernel before 2.6.36 on 64-bit platforms does not validate the destination of a memory copy operation, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via a VIDIOCSTUNER ioctl call on a /dev/video device, followed by a VIDIOCSMICROCODE ioctl call on this device.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2963"
},
{
"id": "CVE-2010-3015",
"summary": "Integer overflow in the ext4_ext_get_blocks function in fs/ext4/extents.c in the Linux kernel before 2.6.34 allows local users to cause a denial of service (BUG and system crash) via a write operation on the last block of a large file, followed by a sync operation.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3015"
},
{
"id": "CVE-2010-3066",
"summary": "The io_submit_one function in fs/aio.c in the Linux kernel before 2.6.23 allows local users to cause a denial of service (NULL pointer dereference) via a crafted io_submit system call with an IOCB_FLAG_RESFD flag.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3066"
},
{
"id": "CVE-2010-3067",
"summary": "Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel before 2.6.36-rc4-next-20100915 allows local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3067"
},
{
"id": "CVE-2010-3078",
"summary": "The xfs_ioc_fsgetxattr function in fs/xfs/linux-2.6/xfs_ioctl.c in the Linux kernel before 2.6.36-rc4 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an ioctl call.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3078"
},
{
"id": "CVE-2010-3079",
"summary": "kernel/trace/ftrace.c in the Linux kernel before 2.6.35.5, when debugfs is enabled, does not properly handle interaction between mutex possession and llseek operations, which allows local users to cause a denial of service (NULL pointer dereference and outage of all function tracing files) via an lseek call on a file descriptor associated with the set_ftrace_filter file.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3079"
},
{
"id": "CVE-2010-3080",
"summary": "Double free vulnerability in the snd_seq_oss_open function in sound/core/seq/oss/seq_oss_init.c in the Linux kernel before 2.6.36-rc4 might allow local users to cause a denial of service or possibly have unspecified other impact via an unsuccessful attempt to open the /dev/sequencer device.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3080"
},
{
"id": "CVE-2010-3081",
"summary": "The compat_alloc_user_space functions in include/asm/compat.h files in the Linux kernel before 2.6.36-rc4-git2 on 64-bit platforms do not properly allocate the userspace memory required for the 32-bit compatibility layer, which allows local users to gain privileges by leveraging the ability of the compat_mc_getsockopt function (aka the MCAST_MSFILTER getsockopt support) to control a certain length value, related to a \"stack pointer underflow\" issue, as exploited in the wild in September 2010.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3081"
},
{
"id": "CVE-2010-3084",
"summary": "Buffer overflow in the niu_get_ethtool_tcam_all function in drivers/net/niu.c in the Linux kernel before 2.6.36-rc4 allows local users to cause a denial of service or possibly have unspecified other impact via the ETHTOOL_GRXCLSRLALL ethtool command.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3084"
},
{
"id": "CVE-2010-3086",
"summary": "include/asm-x86/futex.h in the Linux kernel before 2.6.25 does not properly implement exception fixup, which allows local users to cause a denial of service (panic) via an invalid application that triggers a page fault.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3086"
},
{
"id": "CVE-2010-3296",
"summary": "The cxgb_extension_ioctl function in drivers/net/cxgb3/cxgb3_main.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a CHELSIO_GET_QSET_NUM ioctl call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3296"
},
{
"id": "CVE-2010-3297",
"summary": "The eql_g_master_cfg function in drivers/net/eql.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an EQL_GETMASTRCFG ioctl call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3297"
},
{
"id": "CVE-2010-3298",
"summary": "The hso_get_count function in drivers/net/usb/hso.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3298"
},
{
"id": "CVE-2010-3301",
"summary": "The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3301"
},
{
"id": "CVE-2010-3310",
"summary": "Multiple integer signedness errors in net/rose/af_rose.c in the Linux kernel before 2.6.36-rc5-next-20100923 allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a rose_getname function call, related to the rose_bind and rose_connect functions.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3310"
},
{
"id": "CVE-2010-3432",
"summary": "The sctp_packet_config function in net/sctp/output.c in the Linux kernel before 2.6.35.6 performs extraneous initializations of packet data structures, which allows remote attackers to cause a denial of service (panic) via a certain sequence of SCTP traffic.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3432",
"detail": "fixed-version",
"description": "Fixed from version 2.6.36rc5"
},
{
"id": "CVE-2010-3437",
"summary": "Integer signedness error in the pkt_find_dev_from_minor function in drivers/block/pktcdvd.c in the Linux kernel before 2.6.36-rc6 allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and system crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call.",
"scorev2": "6.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3437"
},
{
"id": "CVE-2010-3442",
"summary": "Multiple integer overflows in the snd_ctl_new function in sound/core/control.c in the Linux kernel before 2.6.36-rc5-next-20100929 allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3442"
},
{
"id": "CVE-2010-3448",
"summary": "drivers/platform/x86/thinkpad_acpi.c in the Linux kernel before 2.6.34 on ThinkPad devices, when the X.Org X server is used, does not properly restrict access to the video output control state, which allows local users to cause a denial of service (system hang) via a (1) read or (2) write operation.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3448"
},
{
"id": "CVE-2010-3477",
"summary": "The tcf_act_police_dump function in net/sched/act_police.c in the actions implementation in the network queueing functionality in the Linux kernel before 2.6.36-rc4 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel memory via vectors involving a dump operation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-2942.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3477"
},
{
"id": "CVE-2010-3698",
"summary": "The KVM implementation in the Linux kernel before 2.6.36 does not properly reload the FS and GS segment registers, which allows host OS users to cause a denial of service (host OS crash) via a KVM_RUN ioctl call in conjunction with a modified Local Descriptor Table (LDT).",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3698"
},
{
"id": "CVE-2010-3705",
"summary": "The sctp_auth_asoc_get_hmac function in net/sctp/auth.c in the Linux kernel before 2.6.36 does not properly validate the hmac_ids array of an SCTP peer, which allows remote attackers to cause a denial of service (memory corruption and panic) via a crafted value in the last element of this array.",
"scorev2": "8.3",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3705"
},
{
"id": "CVE-2010-3848",
"summary": "Stack-based buffer overflow in the econet_sendmsg function in net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an econet address is configured, allows local users to gain privileges by providing a large number of iovec structures.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3848"
},
{
"id": "CVE-2010-3849",
"summary": "The econet_sendmsg function in net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an econet address is configured, allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a sendmsg call that specifies a NULL value for the remote address field.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3849"
},
{
"id": "CVE-2010-3850",
"summary": "The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel before 2.6.36.2 does not require the CAP_NET_ADMIN capability, which allows local users to bypass intended access restrictions and configure econet addresses via an SIOCSIFADDR ioctl call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3850"
},
{
"id": "CVE-2010-3858",
"summary": "The setup_arg_pages function in fs/exec.c in the Linux kernel before 2.6.36, when CONFIG_STACK_GROWSDOWN is used, does not properly restrict the stack memory consumption of the (1) arguments and (2) environment for a 32-bit application on a 64-bit platform, which allows local users to cause a denial of service (system crash) via a crafted exec system call, a related issue to CVE-2010-2240.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3858"
},
{
"id": "CVE-2010-3859",
"summary": "Multiple integer signedness errors in the TIPC implementation in the Linux kernel before 2.6.36.2 allow local users to gain privileges via a crafted sendmsg call that triggers a heap-based buffer overflow, related to the tipc_msg_build function in net/tipc/msg.c and the verify_iovec function in net/core/iovec.c.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3859"
},
{
"id": "CVE-2010-3861",
"summary": "The ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel before 2.6.36 does not initialize a certain block of heap memory, which allows local users to obtain potentially sensitive information via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value, a different vulnerability than CVE-2010-2478.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3861"
},
{
"id": "CVE-2010-3865",
"summary": "Integer overflow in the rds_rdma_pages function in net/rds/rdma.c in the Linux kernel allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a crafted iovec struct in a Reliable Datagram Sockets (RDS) request, which triggers a buffer overflow.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3865"
},
{
"id": "CVE-2010-3873",
"summary": "The X.25 implementation in the Linux kernel before 2.6.36.2 does not properly parse facilities, which allows remote attackers to cause a denial of service (heap memory corruption and panic) or possibly have unspecified other impact via malformed (1) X25_FAC_CALLING_AE or (2) X25_FAC_CALLED_AE data, related to net/x25/x25_facilities.c and net/x25/x25_in.c, a different vulnerability than CVE-2010-4164.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3873"
},
{
"id": "CVE-2010-3874",
"summary": "Heap-based buffer overflow in the bcm_connect function in net/can/bcm.c (aka the Broadcast Manager) in the Controller Area Network (CAN) implementation in the Linux kernel before 2.6.36.2 on 64-bit platforms might allow local users to cause a denial of service (memory corruption) via a connect operation.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3874"
},
{
"id": "CVE-2010-3875",
"summary": "The ax25_getname function in net/ax25/af_ax25.c in the Linux kernel before 2.6.37-rc2 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3875"
},
{
"id": "CVE-2010-3876",
"summary": "net/packet/af_packet.c in the Linux kernel before 2.6.37-rc2 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_RAW capability to read copies of the applicable structures.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3876"
},
{
"id": "CVE-2010-3877",
"summary": "The get_name function in net/tipc/socket.c in the Linux kernel before 2.6.37-rc2 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3877"
},
{
"id": "CVE-2010-3880",
"summary": "net/ipv4/inet_diag.c in the Linux kernel before 2.6.37-rc2 does not properly audit INET_DIAG bytecode, which allows local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message that contains multiple attribute elements, as demonstrated by INET_DIAG_BC_JMP instructions.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3880"
},
{
"id": "CVE-2010-3881",
"summary": "arch/x86/kvm/x86.c in the Linux kernel before 2.6.36.2 does not initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory via read operations on the /dev/kvm device.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3881"
},
{
"id": "CVE-2010-3904",
"summary": "The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3904"
},
{
"id": "CVE-2010-4072",
"summary": "The copy_shmid_to_user function in ipc/shm.c in the Linux kernel before 2.6.37-rc1 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the shmctl system call and the \"old shm interface.\"",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4072"
},
{
"id": "CVE-2010-4073",
"summary": "The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not initialize certain structures, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl functions in ipc/compat.c; and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr functions in ipc/compat_mq.c.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4073"
},
{
"id": "CVE-2010-4074",
"summary": "The USB subsystem in the Linux kernel before 2.6.36-rc5 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to TIOCGICOUNT ioctl calls, and the (1) mos7720_ioctl function in drivers/usb/serial/mos7720.c and (2) mos7840_ioctl function in drivers/usb/serial/mos7840.c.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4074"
},
{
"id": "CVE-2010-4075",
"summary": "The uart_get_count function in drivers/serial/serial_core.c in the Linux kernel before 2.6.37-rc1 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4075"
},
{
"id": "CVE-2010-4076",
"summary": "The rs_ioctl function in drivers/char/amiserial.c in the Linux kernel 2.6.36.1 and earlier does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4076"
},
{
"id": "CVE-2010-4077",
"summary": "The ntty_ioctl_tiocgicount function in drivers/char/nozomi.c in the Linux kernel 2.6.36.1 and earlier does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4077"
},
{
"id": "CVE-2010-4078",
"summary": "The sisfb_ioctl function in drivers/video/sis/sis_main.c in the Linux kernel before 2.6.36-rc6 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4078"
},
{
"id": "CVE-2010-4079",
"summary": "The ivtvfb_ioctl function in drivers/media/video/ivtv/ivtvfb.c in the Linux kernel before 2.6.36-rc8 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4079"
},
{
"id": "CVE-2010-4080",
"summary": "The snd_hdsp_hwdep_ioctl function in sound/pci/rme9652/hdsp.c in the Linux kernel before 2.6.36-rc6 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4080"
},
{
"id": "CVE-2010-4081",
"summary": "The snd_hdspm_hwdep_ioctl function in sound/pci/rme9652/hdspm.c in the Linux kernel before 2.6.36-rc6 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctl call.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4081"
},
{
"id": "CVE-2010-4082",
"summary": "The viafb_ioctl_get_viafb_info function in drivers/video/via/ioctl.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a VIAFB_GET_INFO ioctl call.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4082"
},
{
"id": "CVE-2010-4083",
"summary": "The copy_semid_to_user function in ipc/sem.c in the Linux kernel before 2.6.36 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a semctl system call.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4083"
},
{
"id": "CVE-2010-4157",
"summary": "Integer overflow in the ioc_general function in drivers/scsi/gdth.c in the Linux kernel before 2.6.36.1 on 64-bit platforms allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large argument in an ioctl call.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4157"
},
{
"id": "CVE-2010-4158",
"summary": "The sk_run_filter function in net/core/filter.c in the Linux kernel before 2.6.36.2 does not check whether a certain memory location has been initialized before executing a (1) BPF_S_LD_MEM or (2) BPF_S_LDX_MEM instruction, which allows local users to obtain potentially sensitive information from kernel stack memory via a crafted socket filter.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4158"
},
{
"id": "CVE-2010-4160",
"summary": "Multiple integer overflows in the (1) pppol2tp_sendmsg function in net/l2tp/l2tp_ppp.c, and the (2) l2tp_ip_sendmsg function in net/l2tp/l2tp_ip.c, in the PPPoL2TP and IPoL2TP implementations in the Linux kernel before 2.6.36.2 allow local users to cause a denial of service (heap memory corruption and panic) or possibly gain privileges via a crafted sendto call.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4160"
},
{
"id": "CVE-2010-4161",
"summary": "The udp_queue_rcv_skb function in net/ipv4/udp.c in a certain Red Hat build of the Linux kernel 2.6.18 in Red Hat Enterprise Linux (RHEL) 5 allows attackers to cause a denial of service (deadlock and system hang) by sending UDP traffic to a socket that has a crafted socket filter, a related issue to CVE-2010-4158.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4161"
},
{
"id": "CVE-2010-4162",
"summary": "Multiple integer overflows in fs/bio.c in the Linux kernel before 2.6.36.2 allow local users to cause a denial of service (system crash) via a crafted device ioctl to a SCSI device.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4162"
},
{
"id": "CVE-2010-4163",
"summary": "The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 2.6.36.2 allows local users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4163"
},
{
"id": "CVE-2010-4164",
"summary": "Multiple integer underflows in the x25_parse_facilities function in net/x25/x25_facilities.c in the Linux kernel before 2.6.36.2 allow remote attackers to cause a denial of service (system crash) via malformed X.25 (1) X25_FAC_CLASS_A, (2) X25_FAC_CLASS_B, (3) X25_FAC_CLASS_C, or (4) X25_FAC_CLASS_D facility data, a different vulnerability than CVE-2010-3873.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4164"
},
{
"id": "CVE-2010-4165",
"summary": "The do_tcp_setsockopt function in net/ipv4/tcp.c in the Linux kernel before 2.6.37-rc2 does not properly restrict TCP_MAXSEG (aka MSS) values, which allows local users to cause a denial of service (OOPS) via a setsockopt call that specifies a small value, leading to a divide-by-zero error or incorrect use of a signed integer.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4165"
},
{
"id": "CVE-2010-4169",
"summary": "Use-after-free vulnerability in mm/mprotect.c in the Linux kernel before 2.6.37-rc2 allows local users to cause a denial of service via vectors involving an mprotect system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4169"
},
{
"id": "CVE-2010-4175",
"summary": "Integer overflow in the rds_cmsg_rdma_args function (net/rds/rdma.c) in Linux kernel 2.6.35 allows local users to cause a denial of service (crash) and possibly trigger memory corruption via a crafted Reliable Datagram Sockets (RDS) request, a different vulnerability than CVE-2010-3865.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4175"
},
{
"id": "CVE-2010-4242",
"summary": "The hci_uart_tty_open function in the HCI UART driver (drivers/bluetooth/hci_ldisc.c) in the Linux kernel 2.6.36, and possibly other versions, does not verify whether the tty has a write operation, which allows local users to cause a denial of service (NULL pointer dereference) via vectors related to the Bluetooth driver.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4242"
},
{
"id": "CVE-2010-4243",
"summary": "fs/exec.c in the Linux kernel before 2.6.37 does not enable the OOM Killer to assess use of stack memory by arrays representing the (1) arguments and (2) environment, which allows local users to cause a denial of service (memory consumption) via a crafted exec system call, aka an \"OOM dodging issue,\" a related issue to CVE-2010-3858.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4243"
},
{
"id": "CVE-2010-4248",
"summary": "Race condition in the __exit_signal function in kernel/exit.c in the Linux kernel before 2.6.37-rc2 allows local users to cause a denial of service via vectors related to multithreaded exec, the use of a thread group leader in kernel/posix-cpu-timers.c, and the selection of a new thread group leader in the de_thread function in fs/exec.c.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4248"
},
{
"id": "CVE-2010-4249",
"summary": "The wait_for_unix_gc function in net/unix/garbage.c in the Linux kernel before 2.6.37-rc3-next-20101125 does not properly select times for garbage collection of inflight sockets, which allows local users to cause a denial of service (system hang) via crafted use of the socketpair and sendmsg system calls for SOCK_SEQPACKET sockets.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4249"
},
{
"id": "CVE-2010-4250",
"summary": "Memory leak in the inotify_init1 function in fs/notify/inotify/inotify_user.c in the Linux kernel before 2.6.37 allows local users to cause a denial of service (memory consumption) via vectors involving failed attempts to create files.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4250"
},
{
"id": "CVE-2010-4251",
"summary": "The socket implementation in net/core/sock.c in the Linux kernel before 2.6.34 does not properly manage a backlog of received packets, which allows remote attackers to cause a denial of service (memory consumption) by sending a large amount of network traffic, as demonstrated by netperf UDP tests.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4251"
},
{
"id": "CVE-2010-4256",
"summary": "The pipe_fcntl function in fs/pipe.c in the Linux kernel before 2.6.37 does not properly determine whether a file is a named pipe, which allows local users to cause a denial of service via an F_SETPIPE_SZ fcntl call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4256"
},
{
"id": "CVE-2010-4258",
"summary": "The do_exit function in kernel/exit.c in the Linux kernel before 2.6.36.2 does not properly handle a KERNEL_DS get_fs value, which allows local users to bypass intended access_ok restrictions, overwrite arbitrary kernel memory locations, and gain privileges by leveraging a (1) BUG, (2) NULL pointer dereference, or (3) page fault, as demonstrated by vectors involving the clear_child_tid feature and the splice system call.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4258"
},
{
"id": "CVE-2010-4263",
"summary": "The igb_receive_skb function in drivers/net/igb/igb_main.c in the Intel Gigabit Ethernet (aka igb) subsystem in the Linux kernel before 2.6.34, when Single Root I/O Virtualization (SR-IOV) and promiscuous mode are enabled but no VLANs are registered, allows remote attackers to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact via a VLAN tagged frame.",
"scorev2": "7.9",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4263"
},
{
"id": "CVE-2010-4342",
"summary": "The aun_incoming function in net/econet/af_econet.c in the Linux kernel before 2.6.37-rc6, when Econet is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending an Acorn Universal Networking (AUN) packet over UDP.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4342"
},
{
"id": "CVE-2010-4343",
"summary": "drivers/scsi/bfa/bfa_core.c in the Linux kernel before 2.6.35 does not initialize a certain port data structure, which allows local users to cause a denial of service (system crash) via read operations on an fc_host statistics file.",
"scorev2": "4.7",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4343"
},
{
"id": "CVE-2010-4346",
"summary": "The install_special_mapping function in mm/mmap.c in the Linux kernel before 2.6.37-rc6 does not make an expected security_file_mmap function call, which allows local users to bypass intended mmap_min_addr restrictions and possibly conduct NULL pointer dereference attacks via a crafted assembly-language application.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4346"
},
{
"id": "CVE-2010-4347",
"summary": "The ACPI subsystem in the Linux kernel before 2.6.36.2 uses 0222 permissions for the debugfs custom_method file, which allows local users to gain privileges by placing a custom ACPI method in the ACPI interpreter tables, related to the acpi_debugfs_init function in drivers/acpi/debugfs.c.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4347"
},
{
"id": "CVE-2010-4525",
"summary": "Linux kernel 2.6.33 and 2.6.34.y does not initialize the kvm_vcpu_events->interrupt.pad structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via unspecified vectors.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4525"
},
{
"id": "CVE-2010-4526",
"summary": "Race condition in the sctp_icmp_proto_unreachable function in net/sctp/input.c in Linux kernel 2.6.11-rc2 through 2.6.33 allows remote attackers to cause a denial of service (panic) via an ICMP unreachable message to a socket that is already locked by a user, which causes the socket to be freed and triggers list corruption, related to the sctp_wait_for_connect function.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4526"
},
{
"id": "CVE-2010-4527",
"summary": "The load_mixer_volumes function in sound/oss/soundcard.c in the OSS sound subsystem in the Linux kernel before 2.6.37 incorrectly expects that a certain name field ends with a '\\0' character, which allows local users to conduct buffer overflow attacks and gain privileges, or possibly obtain sensitive information from kernel memory, via a SOUND_MIXER_SETLEVELS ioctl call.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4527"
},
{
"id": "CVE-2010-4529",
"summary": "Integer underflow in the irda_getsockopt function in net/irda/af_irda.c in the Linux kernel before 2.6.37 on platforms other than x86 allows local users to obtain potentially sensitive information from kernel heap memory via an IRLMP_ENUMDEVICES getsockopt call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4529"
},
{
"id": "CVE-2010-4563",
"summary": "The Linux kernel, when using IPv6, allows remote attackers to determine whether a host is sniffing the network by sending an ICMPv6 Echo Request to a multicast address and determining whether an Echo Reply is sent, as demonstrated by thcping.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4563"
},
{
"id": "CVE-2010-4565",
"summary": "The bcm_connect function in net/can/bcm.c (aka the Broadcast Manager) in the Controller Area Network (CAN) implementation in the Linux kernel 2.6.36 and earlier creates a publicly accessible file with a filename containing a kernel memory address, which allows local users to obtain potentially sensitive information about kernel memory use by listing this filename.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4565"
},
{
"id": "CVE-2010-4648",
"summary": "The orinoco_ioctl_set_auth function in drivers/net/wireless/orinoco/wext.c in the Linux kernel before 2.6.37 does not properly implement a TKIP protection mechanism, which makes it easier for remote attackers to obtain access to a Wi-Fi network by reading Wi-Fi frames.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4648",
"detail": "fixed-version",
"description": "Fixed from version 2.6.37rc6"
},
{
"id": "CVE-2010-4649",
"summary": "Integer overflow in the ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large value of a certain structure member.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4649"
},
{
"id": "CVE-2010-4650",
"summary": "Buffer overflow in the fuse_do_ioctl function in fs/fuse/file.c in the Linux kernel before 2.6.37 allows local users to cause a denial of service or possibly have unspecified other impact by leveraging the ability to operate a CUSE server.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4650"
},
{
"id": "CVE-2010-4655",
"summary": "net/core/ethtool.c in the Linux kernel before 2.6.36 does not initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability for an ethtool ioctl call.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4655"
},
{
"id": "CVE-2010-4656",
"summary": "The iowarrior_write function in drivers/usb/misc/iowarrior.c in the Linux kernel before 2.6.37 does not properly allocate memory, which might allow local users to trigger a heap-based buffer overflow, and consequently cause a denial of service or gain privileges, via a long report.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4656"
},
{
"id": "CVE-2010-4668",
"summary": "The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 2.6.37-rc7 allows local users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device, related to an unaligned map. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4163.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4668"
},
{
"id": "CVE-2010-4805",
"summary": "The socket implementation in net/core/sock.c in the Linux kernel before 2.6.35 does not properly manage a backlog of received packets, which allows remote attackers to cause a denial of service by sending a large amount of network traffic, related to the sk_add_backlog function and the sk_rmem_alloc socket field. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4251.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4805"
},
{
"id": "CVE-2010-5313",
"summary": "Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 allows L2 guest OS users to cause a denial of service (L1 guest OS crash) via a crafted instruction that triggers an L2 emulation failure report, a similar issue to CVE-2014-7842.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5313",
"detail": "fixed-version",
"description": "Fixed from version 2.6.38rc1"
},
{
"id": "CVE-2010-5321",
"summary": "Memory leak in drivers/media/video/videobuf-core.c in the videobuf subsystem in the Linux kernel 2.6.x through 4.x allows local users to cause a denial of service (memory consumption) by leveraging /dev/video access for a series of mmap calls that require new allocations, a different vulnerability than CVE-2007-6761. NOTE: as of 2016-06-18, this affects only 11 drivers that have not been updated to use videobuf2 instead of videobuf.",
"scorev2": "4.9",
"scorev3": "4.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5321"
},
{
"id": "CVE-2010-5328",
"summary": "include/linux/init_task.h in the Linux kernel before 2.6.35 does not prevent signals with a process group ID of zero from reaching the swapper process, which allows local users to cause a denial of service (system crash) by leveraging access to this process group.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5328",
"detail": "fixed-version",
"description": "Fixed from version 2.6.35rc1"
},
{
"id": "CVE-2010-5329",
"summary": "The video_usercopy function in drivers/media/video/v4l2-ioctl.c in the Linux kernel before 2.6.39 relies on the count value of a v4l2_ext_controls data structure to determine a kmalloc size, which might allow local users to cause a denial of service (memory consumption) via a large value.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5329",
"detail": "fixed-version",
"description": "Fixed from version 2.6.39rc1"
},
{
"id": "CVE-2010-5331",
"summary": "In the Linux kernel before 2.6.34, a range check issue in drivers/gpu/drm/radeon/atombios.c could cause an off by one (buffer overflow) problem. NOTE: At least one Linux maintainer believes that this CVE is incorrectly assigned and should be rejected because the value is hard coded and are not user-controllable where it is used",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5331",
"detail": "fixed-version",
"description": "Fixed from version 2.6.34rc7"
},
{
"id": "CVE-2010-5332",
"summary": "In the Linux kernel before 2.6.37, an out of bounds array access happened in drivers/net/mlx4/port.c. When searching for a free entry in either mlx4_register_vlan() or mlx4_register_mac(), and there is no free entry, the loop terminates without updating the local variable free thus causing out of array bounds access.",
"scorev2": "4.6",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5332",
"detail": "fixed-version",
"description": "Fixed from version 2.6.37rc1"
},
{
"id": "CVE-2011-0006",
"summary": "The ima_lsm_rule_init function in security/integrity/ima/ima_policy.c in the Linux kernel before 2.6.37, when the Linux Security Modules (LSM) framework is disabled, allows local users to bypass Integrity Measurement Architecture (IMA) rules in opportunistic circumstances by leveraging an administrator's addition of an IMA rule for LSM.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0006"
},
{
"id": "CVE-2011-0463",
"summary": "The ocfs2_prepare_page_for_write function in fs/ocfs2/aops.c in the Oracle Cluster File System 2 (OCFS2) subsystem in the Linux kernel before 2.6.39-rc1 does not properly handle holes that cross page boundaries, which allows local users to obtain potentially sensitive information from uninitialized disk locations by reading a file.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0463"
},
{
"id": "CVE-2011-0521",
"summary": "The dvb_ca_ioctl function in drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel before 2.6.38-rc2 does not check the sign of a certain integer field, which allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a negative value.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0521"
},
{
"id": "CVE-2011-0695",
"summary": "Race condition in the cm_work_handler function in the InfiniBand driver (drivers/infiniband/core/cma.c) in Linux kernel 2.6.x allows remote attackers to cause a denial of service (panic) by sending an InfiniBand request while other request handlers are still running, which triggers an invalid pointer dereference.",
"scorev2": "5.7",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0695"
},
{
"id": "CVE-2011-0699",
"summary": "Integer signedness error in the btrfs_ioctl_space_info function in the Linux kernel 2.6.37 allows local users to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted slot value.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0699"
},
{
"id": "CVE-2011-0709",
"summary": "The br_mdb_ip_get function in net/bridge/br_multicast.c in the Linux kernel before 2.6.35-rc5 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an IGMP packet, related to lack of a multicast table.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0709"
},
{
"id": "CVE-2011-0710",
"summary": "The task_show_regs function in arch/s390/kernel/traps.c in the Linux kernel before 2.6.38-rc4-next-20110216 on the s390 platform allows local users to obtain the values of the registers of an arbitrary process by reading a status file under /proc/.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0710"
},
{
"id": "CVE-2011-0711",
"summary": "The xfs_fs_geometry function in fs/xfs/xfs_fsops.c in the Linux kernel before 2.6.38-rc6-git3 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FSGEOMETRY_V1 ioctl call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0711"
},
{
"id": "CVE-2011-0712",
"summary": "Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel before 2.6.38-rc4-next-20110215 might allow attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0712"
},
{
"id": "CVE-2011-0714",
"summary": "Use-after-free vulnerability in a certain Red Hat patch for the RPC server sockets functionality in the Linux kernel 2.6.32 on Red Hat Enterprise Linux (RHEL) 6 might allow remote attackers to cause a denial of service (crash) via malformed data in a packet, related to lockd and the svc_xprt_received function.",
"scorev2": "5.7",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0714"
},
{
"id": "CVE-2011-0716",
"summary": "The br_multicast_add_group function in net/bridge/br_multicast.c in the Linux kernel before 2.6.38, when a certain Ethernet bridge configuration is used, allows local users to cause a denial of service (memory corruption and system crash) by sending IGMP packets to a local interface.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0716"
},
{
"id": "CVE-2011-0726",
"summary": "The do_task_stat function in fs/proc/array.c in the Linux kernel before 2.6.39-rc1 does not perform an expected uid check, which makes it easier for local users to defeat the ASLR protection mechanism by reading the start_code and end_code fields in the /proc/#####/stat file for a process executing a PIE binary.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0726"
},
{
"id": "CVE-2011-0999",
"summary": "mm/huge_memory.c in the Linux kernel before 2.6.38-rc5 does not prevent creation of a transparent huge page (THP) during the existence of a temporary stack for an exec system call, which allows local users to cause a denial of service (memory consumption) or possibly have unspecified other impact via a crafted application.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0999"
},
{
"id": "CVE-2011-1010",
"summary": "Buffer overflow in the mac_partition function in fs/partitions/mac.c in the Linux kernel before 2.6.37.2 allows local users to cause a denial of service (panic) or possibly have unspecified other impact via a malformed Mac OS partition table.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1010"
},
{
"id": "CVE-2011-1012",
"summary": "The ldm_parse_vmdb function in fs/partitions/ldm.c in the Linux kernel before 2.6.38-rc6-git6 does not validate the VBLK size value in the VMDB structure in an LDM partition table, which allows local users to cause a denial of service (divide-by-zero error and OOPS) via a crafted partition table.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1012"
},
{
"id": "CVE-2011-1013",
"summary": "Integer signedness error in the drm_modeset_ctl function in (1) drivers/gpu/drm/drm_irq.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.38 and (2) sys/dev/pci/drm/drm_irq.c in the kernel in OpenBSD before 4.9 allows local users to trigger out-of-bounds write operations, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via a crafted num_crtcs (aka vb_num) structure member in an ioctl argument.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1013"
},
{
"id": "CVE-2011-1016",
"summary": "The Radeon GPU drivers in the Linux kernel before 2.6.38-rc5 do not properly validate data related to the AA resolve registers, which allows local users to write to arbitrary memory locations associated with (1) Video RAM (aka VRAM) or (2) the Graphics Translation Table (GTT) via crafted values.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1016"
},
{
"id": "CVE-2011-1017",
"summary": "Heap-based buffer overflow in the ldm_frag_add function in fs/partitions/ldm.c in the Linux kernel 2.6.37.2 and earlier might allow local users to gain privileges or obtain sensitive information via a crafted LDM partition table.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1017"
},
{
"id": "CVE-2011-1019",
"summary": "The dev_load function in net/core/dev.c in the Linux kernel before 2.6.38 allows local users to bypass an intended CAP_SYS_MODULE capability requirement and load arbitrary modules by leveraging the CAP_NET_ADMIN capability.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1019"
},
{
"id": "CVE-2011-1020",
"summary": "The proc filesystem implementation in the Linux kernel 2.6.37 and earlier does not restrict access to the /proc directory tree of a process after this process performs an exec of a setuid program, which allows local users to obtain sensitive information or cause a denial of service via open, lseek, read, and write system calls.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1020"
},
{
"id": "CVE-2011-1021",
"summary": "drivers/acpi/debugfs.c in the Linux kernel before 3.0 allows local users to modify arbitrary kernel memory locations by leveraging root privileges to write to the /sys/kernel/debug/acpi/custom_method file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4347.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1021"
},
{
"id": "CVE-2011-1023",
"summary": "The Reliable Datagram Sockets (RDS) subsystem in the Linux kernel before 2.6.38 does not properly handle congestion map updates, which allows local users to cause a denial of service (BUG_ON and system crash) via vectors involving (1) a loopback (aka loop) transmit operation or (2) an InfiniBand (aka ib) transmit operation.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1023"
},
{
"id": "CVE-2011-1044",
"summary": "The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 does not initialize a certain response buffer, which allows local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1044"
},
{
"id": "CVE-2011-1076",
"summary": "net/dns_resolver/dns_key.c in the Linux kernel before 2.6.38 allows remote DNS servers to cause a denial of service (NULL pointer dereference and OOPS) by not providing a valid response to a DNS query, as demonstrated by an erroneous grand.centrall.org query, which triggers improper handling of error data within a DNS resolver key.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1076"
},
{
"id": "CVE-2011-1078",
"summary": "The sco_sock_getsockopt_old function in net/bluetooth/sco.c in the Linux kernel before 2.6.39 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via the SCO_CONNINFO option.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1078"
},
{
"id": "CVE-2011-1079",
"summary": "The bnep_sock_ioctl function in net/bluetooth/bnep/sock.c in the Linux kernel before 2.6.39 does not ensure that a certain device field ends with a '\\0' character, which allows local users to obtain potentially sensitive information from kernel stack memory, or cause a denial of service (BUG and system crash), via a BNEPCONNADD command.",
"scorev2": "5.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1079"
},
{
"id": "CVE-2011-1080",
"summary": "The do_replace function in net/bridge/netfilter/ebtables.c in the Linux kernel before 2.6.39 does not ensure that a certain name field ends with a '\\0' character, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability to replace a table, and then reading a modprobe command line.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1080"
},
{
"id": "CVE-2011-1082",
"summary": "fs/eventpoll.c in the Linux kernel before 2.6.38 places epoll file descriptors within other epoll data structures without properly checking for (1) closed loops or (2) deep chains, which allows local users to cause a denial of service (deadlock or stack memory consumption) via a crafted application that makes epoll_create and epoll_ctl system calls.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1082"
},
{
"id": "CVE-2011-1083",
"summary": "The epoll implementation in the Linux kernel 2.6.37.2 and earlier does not properly traverse a tree of epoll file descriptors, which allows local users to cause a denial of service (CPU consumption) via a crafted application that makes epoll_create and epoll_ctl system calls.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1083"
},
{
"id": "CVE-2011-1090",
"summary": "The __nfs4_proc_set_acl function in fs/nfs/nfs4proc.c in the Linux kernel before 2.6.38 stores NFSv4 ACL data in memory that is allocated by kmalloc but not properly freed, which allows local users to cause a denial of service (panic) via a crafted attempt to set an ACL.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1090"
},
{
"id": "CVE-2011-1093",
"summary": "The dccp_rcv_state_process function in net/dccp/input.c in the Datagram Congestion Control Protocol (DCCP) implementation in the Linux kernel before 2.6.38 does not properly handle packets for a CLOSED endpoint, which allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending a DCCP-Close packet followed by a DCCP-Reset packet.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1093"
},
{
"id": "CVE-2011-1160",
"summary": "The tpm_open function in drivers/char/tpm/tpm.c in the Linux kernel before 2.6.39 does not initialize a certain buffer, which allows local users to obtain potentially sensitive information from kernel memory via unspecified vectors.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1160"
},
{
"id": "CVE-2011-1162",
"summary": "The tpm_read function in the Linux kernel 2.6 does not properly clear memory, which might allow local users to read the results of the previous TPM command.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1162"
},
{
"id": "CVE-2011-1163",
"summary": "The osf_partition function in fs/partitions/osf.c in the Linux kernel before 2.6.38 does not properly handle an invalid number of partitions, which might allow local users to obtain potentially sensitive information from kernel heap memory via vectors related to partition-table parsing.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1163"
},
{
"id": "CVE-2011-1169",
"summary": "Array index error in the asihpi_hpi_ioctl function in sound/pci/asihpi/hpioctl.c in the AudioScience HPI driver in the Linux kernel before 2.6.38.1 might allow local users to cause a denial of service (memory corruption) or possibly gain privileges via a crafted adapter index value that triggers access to an invalid kernel pointer.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1169"
},
{
"id": "CVE-2011-1170",
"summary": "net/ipv4/netfilter/arp_tables.c in the IPv4 implementation in the Linux kernel before 2.6.39 does not place the expected '\\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1170"
},
{
"id": "CVE-2011-1171",
"summary": "net/ipv4/netfilter/ip_tables.c in the IPv4 implementation in the Linux kernel before 2.6.39 does not place the expected '\\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1171"
},
{
"id": "CVE-2011-1172",
"summary": "net/ipv6/netfilter/ip6_tables.c in the IPv6 implementation in the Linux kernel before 2.6.39 does not place the expected '\\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1172"
},
{
"id": "CVE-2011-1173",
"summary": "The econet_sendmsg function in net/econet/af_econet.c in the Linux kernel before 2.6.39 on the x86_64 platform allows remote attackers to obtain potentially sensitive information from kernel stack memory by reading uninitialized data in the ah field of an Acorn Universal Networking (AUN) packet.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1173"
},
{
"id": "CVE-2011-1180",
"summary": "Multiple stack-based buffer overflows in the iriap_getvaluebyclass_indication function in net/irda/iriap.c in the Linux kernel before 2.6.39 allow remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging connectivity to an IrDA infrared network and sending a large integer value for a (1) name length or (2) attribute length.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1180"
},
{
"id": "CVE-2011-1182",
"summary": "kernel/signal.c in the Linux kernel before 2.6.39 allows local users to spoof the uid and pid of a signal sender via a sigqueueinfo system call.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1182"
},
{
"id": "CVE-2011-1474",
"summary": "A locally locally exploitable DOS vulnerability was found in pax-linux versions 2.6.32.33-test79.patch, 2.6.38-test3.patch, and 2.6.37.4-test14.patch. A bad bounds check in arch_get_unmapped_area_topdown triggered by programs doing an mmap after a MAP_GROWSDOWN mmap will create an infinite loop condition without releasing the VM semaphore eventually leading to a system crash.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1474"
},
{
"id": "CVE-2011-1476",
"summary": "Integer underflow in the Open Sound System (OSS) subsystem in the Linux kernel before 2.6.39 on unspecified non-x86 platforms allows local users to cause a denial of service (memory corruption) by leveraging write access to /dev/sequencer.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1476"
},
{
"id": "CVE-2011-1477",
"summary": "Multiple array index errors in sound/oss/opl3.c in the Linux kernel before 2.6.39 allow local users to cause a denial of service (heap memory corruption) or possibly gain privileges by leveraging write access to /dev/sequencer.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1477"
},
{
"id": "CVE-2011-1478",
"summary": "The napi_reuse_skb function in net/core/dev.c in the Generic Receive Offload (GRO) implementation in the Linux kernel before 2.6.38 does not reset the values of certain structure members, which might allow remote attackers to cause a denial of service (NULL pointer dereference) via a malformed VLAN frame.",
"scorev2": "5.7",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1478"
},
{
"id": "CVE-2011-1479",
"summary": "Double free vulnerability in the inotify subsystem in the Linux kernel before 2.6.39 allows local users to cause a denial of service (system crash) via vectors involving failed attempts to create files. NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-4250.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1479"
},
{
"id": "CVE-2011-1493",
"summary": "Array index error in the rose_parse_national function in net/rose/rose_subr.c in the Linux kernel before 2.6.39 allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact by composing FAC_NATIONAL_DIGIS data that specifies a large number of digipeaters, and then sending this data to a ROSE socket.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1493"
},
{
"id": "CVE-2011-1494",
"summary": "Integer overflow in the _ctl_do_mpt_command function in drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel 2.6.38 and earlier might allow local users to gain privileges or cause a denial of service (memory corruption) via an ioctl call specifying a crafted value that triggers a heap-based buffer overflow.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1494"
},
{
"id": "CVE-2011-1495",
"summary": "drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel 2.6.38 and earlier does not validate (1) length and (2) offset values before performing memory copy operations, which might allow local users to gain privileges, cause a denial of service (memory corruption), or obtain sensitive information from kernel memory via a crafted ioctl call, related to the _ctl_do_mpt_command and _ctl_diag_read_buffer functions.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1495"
},
{
"id": "CVE-2011-1573",
"summary": "net/sctp/sm_make_chunk.c in the Linux kernel before 2.6.34, when addip_enable and auth_enable are used, does not consider the amount of zero padding during calculation of chunk lengths for (1) INIT and (2) INIT ACK chunks, which allows remote attackers to cause a denial of service (OOPS) via crafted packet data.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1573"
},
{
"id": "CVE-2011-1576",
"summary": "The Generic Receive Offload (GRO) implementation in the Linux kernel 2.6.18 on Red Hat Enterprise Linux 5 and 2.6.32 on Red Hat Enterprise Linux 6, as used in Red Hat Enterprise Virtualization (RHEV) Hypervisor and other products, allows remote attackers to cause a denial of service via crafted VLAN packets that are processed by the napi_reuse_skb function, leading to (1) a memory leak or (2) memory corruption, a different vulnerability than CVE-2011-1478.",
"scorev2": "5.7",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1576"
},
{
"id": "CVE-2011-1577",
"summary": "Heap-based buffer overflow in the is_gpt_valid function in fs/partitions/efi.c in the Linux kernel 2.6.38 and earlier allows physically proximate attackers to cause a denial of service (OOPS) or possibly have unspecified other impact via a crafted size of the EFI GUID partition-table header on removable media.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1577"
},
{
"id": "CVE-2011-1581",
"summary": "The bond_select_queue function in drivers/net/bonding/bond_main.c in the Linux kernel before 2.6.39, when a network device with a large number of receive queues is installed but the default tx_queues setting is used, does not properly restrict queue indexes, which allows remote attackers to cause a denial of service (BUG and system crash) or possibly have unspecified other impact by sending network traffic.",
"scorev2": "9.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1581"
},
{
"id": "CVE-2011-1585",
"summary": "The cifs_find_smb_ses function in fs/cifs/connect.c in the Linux kernel before 2.6.36 does not properly determine the associations between users and sessions, which allows local users to bypass CIFS share authentication by leveraging a mount of a share by a different user.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1585"
},
{
"id": "CVE-2011-1593",
"summary": "Multiple integer overflows in the next_pidmap function in kernel/pid.c in the Linux kernel before 2.6.38.4 allow local users to cause a denial of service (system crash) via a crafted (1) getdents or (2) readdir system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1593"
},
{
"id": "CVE-2011-1598",
"summary": "The bcm_release function in net/can/bcm.c in the Linux kernel before 2.6.39-rc6 does not properly validate a socket data structure, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1598"
},
{
"id": "CVE-2011-1745",
"summary": "Integer overflow in the agp_generic_insert_memory function in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 allows local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_BIND agp_ioctl ioctl call.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1745"
},
{
"id": "CVE-2011-1746",
"summary": "Multiple integer overflows in the (1) agp_allocate_memory and (2) agp_create_user_memory functions in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 allow local users to trigger buffer overflows, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via vectors related to calls that specify a large number of memory pages.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1746"
},
{
"id": "CVE-2011-1747",
"summary": "The agp subsystem in the Linux kernel 2.6.38.5 and earlier does not properly restrict memory allocation by the (1) AGPIOC_RESERVE and (2) AGPIOC_ALLOCATE ioctls, which allows local users to cause a denial of service (memory consumption) by making many calls to these ioctls.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1747"
},
{
"id": "CVE-2011-1748",
"summary": "The raw_release function in net/can/raw.c in the Linux kernel before 2.6.39-rc6 does not properly validate a socket data structure, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1748"
},
{
"id": "CVE-2011-1759",
"summary": "Integer overflow in the sys_oabi_semtimedop function in arch/arm/kernel/sys_oabi-compat.c in the Linux kernel before 2.6.39 on the ARM platform, when CONFIG_OABI_COMPAT is enabled, allows local users to gain privileges or cause a denial of service (heap memory corruption) by providing a crafted argument and leveraging a race condition.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1759"
},
{
"id": "CVE-2011-1767",
"summary": "net/ipv4/ip_gre.c in the Linux kernel before 2.6.34, when ip_gre is configured as a module, allows remote attackers to cause a denial of service (OOPS) by sending a packet during module loading.",
"scorev2": "5.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1767"
},
{
"id": "CVE-2011-1768",
"summary": "The tunnels implementation in the Linux kernel before 2.6.34, when tunnel functionality is configured as a module, allows remote attackers to cause a denial of service (OOPS) by sending a packet during module loading.",
"scorev2": "5.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1768"
},
{
"id": "CVE-2011-1770",
"summary": "Integer underflow in the dccp_parse_options function (net/dccp/options.c) in the Linux kernel before 2.6.33.14 allows remote attackers to cause a denial of service via a Datagram Congestion Control Protocol (DCCP) packet with an invalid feature options length, which triggers a buffer over-read.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1770"
},
{
"id": "CVE-2011-1771",
"summary": "The cifs_close function in fs/cifs/file.c in the Linux kernel before 2.6.39 allows local users to cause a denial of service (NULL pointer dereference and BUG) or possibly have unspecified other impact by setting the O_DIRECT flag during an attempt to open a file on a CIFS filesystem.",
"scorev2": "4.4",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1771"
},
{
"id": "CVE-2011-1776",
"summary": "The is_gpt_valid function in fs/partitions/efi.c in the Linux kernel before 2.6.39 does not check the size of an Extensible Firmware Interface (EFI) GUID Partition Table (GPT) entry, which allows physically proximate attackers to cause a denial of service (heap-based buffer overflow and OOPS) or obtain sensitive information from kernel heap memory by connecting a crafted GPT storage device, a different vulnerability than CVE-2011-1577.",
"scorev2": "5.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1776"
},
{
"id": "CVE-2011-1833",
"summary": "Race condition in the ecryptfs_mount function in fs/ecryptfs/main.c in the eCryptfs subsystem in the Linux kernel before 3.1 allows local users to bypass intended file permissions via a mount.ecryptfs_private mount with a mismatched uid.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1833"
},
{
"id": "CVE-2011-1927",
"summary": "The ip_expire function in net/ipv4/ip_fragment.c in the Linux kernel before 2.6.39 does not properly construct ICMP_TIME_EXCEEDED packets after a timeout, which allows remote attackers to cause a denial of service (invalid pointer dereference) via crafted fragmented packets.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1927"
},
{
"id": "CVE-2011-2022",
"summary": "The agp_generic_remove_memory function in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 does not validate a certain start parameter, which allows local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_UNBIND agp_ioctl ioctl call, a different vulnerability than CVE-2011-1745.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2022"
},
{
"id": "CVE-2011-2182",
"summary": "The ldm_frag_add function in fs/partitions/ldm.c in the Linux kernel before 2.6.39.1 does not properly handle memory allocation for non-initial fragments, which might allow local users to conduct buffer overflow attacks, and gain privileges or obtain sensitive information, via a crafted LDM partition table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1017.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2182"
},
{
"id": "CVE-2011-2183",
"summary": "Race condition in the scan_get_next_rmap_item function in mm/ksm.c in the Linux kernel before 2.6.39.3, when Kernel SamePage Merging (KSM) is enabled, allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted application.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2183"
},
{
"id": "CVE-2011-2184",
"summary": "The key_replace_session_keyring function in security/keys/process_keys.c in the Linux kernel before 2.6.39.1 does not initialize a certain structure member, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a KEYCTL_SESSION_TO_PARENT argument to the keyctl function, a different vulnerability than CVE-2010-2960.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2184"
},
{
"id": "CVE-2011-2189",
"summary": "net/core/net_namespace.c in the Linux kernel 2.6.32 and earlier does not properly handle a high rate of creation and cleanup of network namespaces, which makes it easier for remote attackers to cause a denial of service (memory consumption) via requests to a daemon that requires a separate namespace per connection, as demonstrated by vsftpd.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2189"
},
{
"id": "CVE-2011-2203",
"summary": "The hfs_find_init function in the Linux kernel 2.6 allows local users to cause a denial of service (NULL pointer dereference and Oops) by mounting an HFS file system with a malformed MDB extent record.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2203"
},
{
"id": "CVE-2011-2208",
"summary": "Integer signedness error in the osf_getdomainname function in arch/alpha/kernel/osf_sys.c in the Linux kernel before 2.6.39.4 on the Alpha platform allows local users to obtain sensitive information from kernel memory via a crafted call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2208"
},
{
"id": "CVE-2011-2209",
"summary": "Integer signedness error in the osf_sysinfo function in arch/alpha/kernel/osf_sys.c in the Linux kernel before 2.6.39.4 on the Alpha platform allows local users to obtain sensitive information from kernel memory via a crafted call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2209"
},
{
"id": "CVE-2011-2210",
"summary": "The osf_getsysinfo function in arch/alpha/kernel/osf_sys.c in the Linux kernel before 2.6.39.4 on the Alpha platform does not properly restrict the data size for GSI_GET_HWRPB operations, which allows local users to obtain sensitive information from kernel memory via a crafted call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2210"
},
{
"id": "CVE-2011-2211",
"summary": "The osf_wait4 function in arch/alpha/kernel/osf_sys.c in the Linux kernel before 2.6.39.4 on the Alpha platform uses an incorrect pointer, which allows local users to gain privileges by writing a certain integer value to kernel memory.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2211"
},
{
"id": "CVE-2011-2213",
"summary": "The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel before 2.6.39.3 does not properly audit INET_DIAG bytecode, which allows local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2213"
},
{
"id": "CVE-2011-2479",
"summary": "The Linux kernel before 2.6.39 does not properly create transparent huge pages in response to a MAP_PRIVATE mmap system call on /dev/zero, which allows local users to cause a denial of service (system crash) via a crafted application.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2479"
},
{
"id": "CVE-2011-2482",
"summary": "A certain Red Hat patch to the sctp_sock_migrate function in net/sctp/socket.c in the Linux kernel before 2.6.21, as used in Red Hat Enterprise Linux (RHEL) 5, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted SCTP packet.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2482"
},
{
"id": "CVE-2011-2484",
"summary": "The add_del_listener function in kernel/taskstats.c in the Linux kernel 2.6.39.1 and earlier does not prevent multiple registrations of exit handlers, which allows local users to cause a denial of service (memory and CPU consumption), and bypass the OOM Killer, via a crafted application.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2484"
},
{
"id": "CVE-2011-2491",
"summary": "The Network Lock Manager (NLM) protocol implementation in the NFS client functionality in the Linux kernel before 3.0 allows local users to cause a denial of service (system hang) via a LOCK_UN flock system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2491"
},
{
"id": "CVE-2011-2492",
"summary": "The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2492"
},
{
"id": "CVE-2011-2493",
"summary": "The ext4_fill_super function in fs/ext4/super.c in the Linux kernel before 2.6.39 does not properly initialize a certain error-report data structure, which allows local users to cause a denial of service (OOPS) by attempting to mount a crafted ext4 filesystem.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2493"
},
{
"id": "CVE-2011-2494",
"summary": "kernel/taskstats.c in the Linux kernel before 3.1 allows local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another user's password.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2494"
},
{
"id": "CVE-2011-2495",
"summary": "fs/proc/base.c in the Linux kernel before 2.6.39.4 does not properly restrict access to /proc/#####/io files, which allows local users to obtain sensitive I/O statistics by polling a file, as demonstrated by discovering the length of another user's password.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2495"
},
{
"id": "CVE-2011-2496",
"summary": "Integer overflow in the vma_to_resize function in mm/mremap.c in the Linux kernel before 2.6.39 allows local users to cause a denial of service (BUG_ON and system crash) via a crafted mremap system call that expands a memory mapping.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2496"
},
{
"id": "CVE-2011-2497",
"summary": "Integer underflow in the l2cap_config_req function in net/bluetooth/l2cap_core.c in the Linux kernel before 3.0 allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a small command-size value within the command header of a Logical Link Control and Adaptation Protocol (L2CAP) configuration request, leading to a buffer overflow.",
"scorev2": "8.3",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2497"
},
{
"id": "CVE-2011-2498",
"summary": "The Linux kernel from v2.3.36 before v2.6.39 allows local unprivileged users to cause a denial of service (memory consumption) by triggering creation of PTE pages.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2498"
},
{
"id": "CVE-2011-2517",
"summary": "Multiple buffer overflows in net/wireless/nl80211.c in the Linux kernel before 2.6.39.2 allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability during scan operations with a long SSID value.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2517"
},
{
"id": "CVE-2011-2518",
"summary": "The tomoyo_mount_acl function in security/tomoyo/mount.c in the Linux kernel before 2.6.39.2 calls the kern_path function with arguments taken directly from a mount system call, which allows local users to cause a denial of service (OOPS) or possibly have unspecified other impact via a NULL value for the device name.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2518"
},
{
"id": "CVE-2011-2521",
"summary": "The x86_assign_hw_event function in arch/x86/kernel/cpu/perf_event.c in the Performance Events subsystem in the Linux kernel before 2.6.39 does not properly calculate counter values, which allows local users to cause a denial of service (panic) via the perf program.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2521"
},
{
"id": "CVE-2011-2525",
"summary": "The qdisc_notify function in net/sched/sch_api.c in the Linux kernel before 2.6.35 does not prevent tc_fill_qdisc function calls referencing builtin (aka CQ_F_BUILTIN) Qdisc structures, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted call.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2525"
},
{
"id": "CVE-2011-2534",
"summary": "Buffer overflow in the clusterip_proc_write function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel before 2.6.39 might allow local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating '\\0' character.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2534"
},
{
"id": "CVE-2011-2689",
"summary": "The gfs2_fallocate function in fs/gfs2/file.c in the Linux kernel before 3.0-rc1 does not ensure that the size of a chunk allocation is a multiple of the block size, which allows local users to cause a denial of service (BUG and system crash) by arranging for all resource groups to have too little free space.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2689"
},
{
"id": "CVE-2011-2695",
"summary": "Multiple off-by-one errors in the ext4 subsystem in the Linux kernel before 3.0-rc5 allow local users to cause a denial of service (BUG_ON and system crash) by accessing a sparse file in extent format with a write operation involving a block number corresponding to the largest possible 32-bit unsigned integer.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2695"
},
{
"id": "CVE-2011-2699",
"summary": "The IPv6 implementation in the Linux kernel before 3.1 does not generate Fragment Identification values separately for each destination, which makes it easier for remote attackers to cause a denial of service (disrupted networking) by predicting these values and sending crafted packets.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2699"
},
{
"id": "CVE-2011-2700",
"summary": "Multiple buffer overflows in the si4713_write_econtrol_string function in drivers/media/radio/si4713-i2c.c in the Linux kernel before 2.6.39.4 on the N900 platform might allow local users to cause a denial of service or have unspecified other impact via a crafted s_ext_ctrls operation with a (1) V4L2_CID_RDS_TX_PS_NAME or (2) V4L2_CID_RDS_TX_RADIO_TEXT control ID.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2700"
},
{
"id": "CVE-2011-2707",
"summary": "The ptrace_setxregs function in arch/xtensa/kernel/ptrace.c in the Linux kernel before 3.1 does not validate user-space pointers, which allows local users to obtain sensitive information from kernel memory locations via a crafted PTRACE_SETXTREGS request.",
"scorev2": "3.6",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2707"
},
{
"id": "CVE-2011-2723",
"summary": "The skb_gro_header_slow function in include/linux/netdevice.h in the Linux kernel before 2.6.39.4, when Generic Receive Offload (GRO) is enabled, resets certain fields in incorrect situations, which allows remote attackers to cause a denial of service (system crash) via crafted network traffic.",
"scorev2": "5.7",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2723"
},
{
"id": "CVE-2011-2898",
"summary": "net/packet/af_packet.c in the Linux kernel before 2.6.39.3 does not properly restrict user-space access to certain packet data structures associated with VLAN Tag Control Information, which allows local users to obtain potentially sensitive information via a crafted application.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2898"
},
{
"id": "CVE-2011-2905",
"summary": "Untrusted search path vulnerability in the perf_config function in tools/perf/util/config.c in perf, as distributed in the Linux kernel before 3.1, allows local users to overwrite arbitrary files via a crafted config file in the current working directory.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2905"
},
{
"id": "CVE-2011-2906",
"summary": "Integer signedness error in the pmcraid_ioctl_passthrough function in drivers/scsi/pmcraid.c in the Linux kernel before 3.1 might allow local users to cause a denial of service (memory consumption or memory corruption) via a negative size value in an ioctl call. NOTE: this may be a vulnerability only in unusual environments that provide a privileged program for obtaining the required file descriptor.",
"scorev2": "4.7",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2906"
},
{
"id": "CVE-2011-2909",
"summary": "The do_devinfo_ioctl function in drivers/staging/comedi/comedi_fops.c in the Linux kernel before 3.1 allows local users to obtain sensitive information from kernel memory via a copy of a short string.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2909"
},
{
"id": "CVE-2011-2918",
"summary": "The Performance Events subsystem in the Linux kernel before 3.1 does not properly handle event overflows associated with PERF_COUNT_SW_CPU_CLOCK events, which allows local users to cause a denial of service (system hang) via a crafted application.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2918"
},
{
"id": "CVE-2011-2928",
"summary": "The befs_follow_link function in fs/befs/linuxvfs.c in the Linux kernel before 3.1-rc3 does not validate the length attribute of long symlinks, which allows local users to cause a denial of service (incorrect pointer dereference and OOPS) by accessing a long symlink on a malformed Be filesystem.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2928"
},
{
"id": "CVE-2011-2942",
"summary": "A certain Red Hat patch to the __br_deliver function in net/bridge/br_forward.c in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging connectivity to a network interface that uses an Ethernet bridge device.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2942"
},
{
"id": "CVE-2011-3188",
"summary": "The (1) IPv4 and (2) IPv6 implementations in the Linux kernel before 3.1 use a modified MD4 algorithm to generate sequence numbers and Fragment Identification values, which makes it easier for remote attackers to cause a denial of service (disrupted networking) or hijack network sessions by predicting these values and sending crafted packets.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3188"
},
{
"id": "CVE-2011-3191",
"summary": "Integer signedness error in the CIFSFindNext function in fs/cifs/cifssmb.c in the Linux kernel before 3.1 allows remote CIFS servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large length value in a response to a read request for a directory.",
"scorev2": "8.3",
"scorev3": "8.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3191"
},
{
"id": "CVE-2011-3209",
"summary": "The div_long_long_rem implementation in include/asm-x86/div64.h in the Linux kernel before 2.6.26 on the x86 platform allows local users to cause a denial of service (Divide Error Fault and panic) via a clock_gettime system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3209"
},
{
"id": "CVE-2011-3353",
"summary": "Buffer overflow in the fuse_notify_inval_entry function in fs/fuse/dev.c in the Linux kernel before 3.1 allows local users to cause a denial of service (BUG_ON and system crash) by leveraging the ability to mount a FUSE filesystem.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3353"
},
{
"id": "CVE-2011-3359",
"summary": "The dma_rx function in drivers/net/wireless/b43/dma.c in the Linux kernel before 2.6.39 does not properly allocate receive buffers, which allows remote attackers to cause a denial of service (system crash) via a crafted frame.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3359"
},
{
"id": "CVE-2011-3363",
"summary": "The setup_cifs_sb function in fs/cifs/connect.c in the Linux kernel before 2.6.39 does not properly handle DFS referrals, which allows remote CIFS servers to cause a denial of service (system crash) by placing a referral at the root of a share.",
"scorev2": "6.1",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3363"
},
{
"id": "CVE-2011-3593",
"summary": "A certain Red Hat patch to the vlan_hwaccel_do_receive function in net/8021q/vlan_core.c in the Linux kernel 2.6.32 on Red Hat Enterprise Linux (RHEL) 6 allows remote attackers to cause a denial of service (system crash) via priority-tagged VLAN frames.",
"scorev2": "5.7",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3593"
},
{
"id": "CVE-2011-3619",
"summary": "The apparmor_setprocattr function in security/apparmor/lsm.c in the Linux kernel before 3.0 does not properly handle invalid parameters, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact by writing to a /proc/#####/attr/current file.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3619"
},
{
"id": "CVE-2011-3637",
"summary": "The m_stop function in fs/proc/task_mmu.c in the Linux kernel before 2.6.39 allows local users to cause a denial of service (OOPS) via vectors that trigger an m_start error.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3637"
},
{
"id": "CVE-2011-3638",
"summary": "fs/ext4/extents.c in the Linux kernel before 3.0 does not mark a modified extent as dirty in certain cases of extent splitting, which allows local users to cause a denial of service (system crash) via vectors involving ext4 umount and mount operations.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3638"
},
{
"id": "CVE-2011-4077",
"summary": "Buffer overflow in the xfs_readlink function in fs/xfs/xfs_vnodeops.c in XFS in the Linux kernel 2.6, when CONFIG_XFS_DEBUG is disabled, allows local users to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via an XFS image containing a symbolic link with a long pathname.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4077"
},
{
"id": "CVE-2011-4080",
"summary": "The sysrq_sysctl_handler function in kernel/sysctl.c in the Linux kernel before 2.6.39 does not require the CAP_SYS_ADMIN capability to modify the dmesg_restrict value, which allows local users to bypass intended access restrictions and read the kernel ring buffer by leveraging root privileges, as demonstrated by a root user in a Linux Containers (aka LXC) environment.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4080"
},
{
"id": "CVE-2011-4081",
"summary": "crypto/ghash-generic.c in the Linux kernel before 3.1 allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact by triggering a failed or missing ghash_setkey function call, followed by a (1) ghash_update function call or (2) ghash_final function call, as demonstrated by a write operation on an AF_ALG socket.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4081"
},
{
"id": "CVE-2011-4086",
"summary": "The journal_unmap_buffer function in fs/jbd2/transaction.c in the Linux kernel before 3.3.1 does not properly handle the _Delay and _Unwritten buffer head states, which allows local users to cause a denial of service (system crash) by leveraging the presence of an ext4 filesystem that was mounted with a journal.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4086"
},
{
"id": "CVE-2011-4087",
"summary": "The br_parse_ip_options function in net/bridge/br_netfilter.c in the Linux kernel before 2.6.39 does not properly initialize a certain data structure, which allows remote attackers to cause a denial of service by leveraging connectivity to a network interface that uses an Ethernet bridge device.",
"scorev2": "4.3",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4087"
},
{
"id": "CVE-2011-4097",
"summary": "Integer overflow in the oom_badness function in mm/oom_kill.c in the Linux kernel before 3.1.8 on 64-bit platforms allows local users to cause a denial of service (memory consumption or process termination) by using a certain large amount of memory.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4097"
},
{
"id": "CVE-2011-4098",
"summary": "The fallocate implementation in the GFS2 filesystem in the Linux kernel before 3.2 relies on the page cache, which might allow local users to cause a denial of service by preallocating blocks in certain situations involving insufficient memory.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4098",
"detail": "fixed-version",
"description": "Fixed from version 3.2rc1"
},
{
"id": "CVE-2011-4110",
"summary": "The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allows local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and \"updating a negative key into a fully instantiated key.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4110"
},
{
"id": "CVE-2011-4112",
"summary": "The net subsystem in the Linux kernel before 3.1 does not properly restrict use of the IFF_TX_SKB_SHARING flag, which allows local users to cause a denial of service (panic) by leveraging the CAP_NET_ADMIN capability to access /proc/net/pktgen/pgctrl, and then using the pktgen package in conjunction with a bridge device for a VLAN interface.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4112"
},
{
"id": "CVE-2011-4127",
"summary": "The Linux kernel before 3.2.2 does not properly restrict SG_IO ioctl calls, which allows local users to bypass intended restrictions on disk read and write operations by sending a SCSI command to (1) a partition block device or (2) an LVM volume.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4127"
},
{
"id": "CVE-2011-4131",
"summary": "The NFSv4 implementation in the Linux kernel before 3.2.2 does not properly handle bitmap sizes in GETACL replies, which allows remote NFS servers to cause a denial of service (OOPS) by sending an excessive number of bitmap words.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4131",
"detail": "fixed-version",
"description": "Fixed from version 3.3rc1"
},
{
"id": "CVE-2011-4132",
"summary": "The cleanup_journal_tail function in the Journaling Block Device (JBD) functionality in the Linux kernel 2.6 allows local users to cause a denial of service (assertion error and kernel oops) via an ext3 or ext4 image with an \"invalid log first block value.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4132"
},
{
"id": "CVE-2011-4324",
"summary": "The encode_share_access function in fs/nfs/nfs4xdr.c in the Linux kernel before 2.6.29 allows local users to cause a denial of service (BUG and system crash) by using the mknod system call with a pathname on an NFSv4 filesystem.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4324"
},
{
"id": "CVE-2011-4325",
"summary": "The NFS implementation in Linux kernel before 2.6.31-rc6 calls certain functions without properly initializing certain data, which allows local users to cause a denial of service (NULL pointer dereference and O_DIRECT oops), as demonstrated using diotest4 from LTP.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4325"
},
{
"id": "CVE-2011-4326",
"summary": "The udp6_ufo_fragment function in net/ipv6/udp.c in the Linux kernel before 2.6.39, when a certain UDP Fragmentation Offload (UFO) configuration is enabled, allows remote attackers to cause a denial of service (system crash) by sending fragmented IPv6 UDP packets to a bridge device.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4326"
},
{
"id": "CVE-2011-4330",
"summary": "Stack-based buffer overflow in the hfs_mac2asc function in fs/hfs/trans.c in the Linux kernel 2.6 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via an HFS image with a crafted len field.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4330"
},
{
"id": "CVE-2011-4347",
"summary": "The kvm_vm_ioctl_assign_device function in virt/kvm/assigned-dev.c in the KVM subsystem in the Linux kernel before 3.1.10 does not verify permission to access PCI configuration space and BAR resources, which allows host OS users to assign PCI devices and cause a denial of service (host OS crash) via a KVM_ASSIGN_PCI_DEVICE operation.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4347"
},
{
"id": "CVE-2011-4348",
"summary": "Race condition in the sctp_rcv function in net/sctp/input.c in the Linux kernel before 2.6.29 allows remote attackers to cause a denial of service (system hang) via SCTP packets. NOTE: in some environments, this issue exists because of an incomplete fix for CVE-2011-2482.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4348"
},
{
"id": "CVE-2011-4594",
"summary": "The __sys_sendmsg function in net/socket.c in the Linux kernel before 3.1 allows local users to cause a denial of service (system crash) via crafted use of the sendmmsg system call, leading to an incorrect pointer dereference.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4594"
},
{
"id": "CVE-2011-4604",
"summary": "The bat_socket_read function in net/batman-adv/icmp_socket.c in the Linux kernel before 3.3 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted batman-adv ICMP packet.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4604"
},
{
"id": "CVE-2011-4611",
"summary": "Integer overflow in the perf_event_interrupt function in arch/powerpc/kernel/perf_event.c in the Linux kernel before 2.6.39 on powerpc platforms allows local users to cause a denial of service (unhandled performance monitor exception) via vectors that trigger certain outcomes of performance events.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4611"
},
{
"id": "CVE-2011-4621",
"summary": "The Linux kernel before 2.6.37 does not properly implement a certain clock-update optimization, which allows local users to cause a denial of service (system hang) via an application that executes code in a loop.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4621"
},
{
"id": "CVE-2011-4913",
"summary": "The rose_parse_ccitt function in net/rose/rose_subr.c in the Linux kernel before 2.6.39 does not validate the FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP fields, which allows remote attackers to (1) cause a denial of service (integer underflow, heap memory corruption, and panic) via a small length value in data sent to a ROSE socket, or (2) conduct stack-based buffer overflow attacks via a large length value in data sent to a ROSE socket.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4913"
},
{
"id": "CVE-2011-4914",
"summary": "The ROSE protocol implementation in the Linux kernel before 2.6.39 does not verify that certain data-length values are consistent with the amount of data sent, which might allow remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) via crafted data to a ROSE socket.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4914"
},
{
"id": "CVE-2011-4915",
"summary": "fs/proc/base.c in the Linux kernel through 3.1 allows local users to obtain sensitive keystroke information via access to /proc/interrupts.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4915",
"detail": "fixed-version",
"description": "Fixed from version 3.2rc1"
},
{
"id": "CVE-2011-4916",
"summary": "Linux kernel through 3.1 allows local users to obtain sensitive keystroke information via access to /dev/pts/ and /dev/tty*.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4916"
},
{
"id": "CVE-2011-4917",
"summary": "In the Linux kernel through 3.1 there is an information disclosure issue via /proc/stat.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4917"
},
{
"id": "CVE-2011-5321",
"summary": "The tty_open function in drivers/tty/tty_io.c in the Linux kernel before 3.1.1 mishandles a driver-lookup failure, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted access to a device file under the /dev/pts directory.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-5321",
"detail": "fixed-version",
"description": "Fixed from version 3.2rc1"
},
{
"id": "CVE-2011-5327",
"summary": "In the Linux kernel before 3.1, an off by one in the drivers/target/loopback/tcm_loop.c tcm_loop_make_naa_tpg() function could result in at least memory corruption.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-5327",
"detail": "fixed-version",
"description": "Fixed from version 3.1rc1"
},
{
"id": "CVE-2012-0028",
"summary": "The robust futex implementation in the Linux kernel before 2.6.28 does not properly handle processes that make exec system calls, which allows local users to cause a denial of service or possibly gain privileges by writing to a memory location in a child process.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0028"
},
{
"id": "CVE-2012-0038",
"summary": "Integer overflow in the xfs_acl_from_disk function in fs/xfs/xfs_acl.c in the Linux kernel before 3.1.9 allows local users to cause a denial of service (panic) via a filesystem with a malformed ACL, leading to a heap-based buffer overflow.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0038"
},
{
"id": "CVE-2012-0044",
"summary": "Integer overflow in the drm_mode_dirtyfb_ioctl function in drivers/gpu/drm/drm_crtc.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 3.1.5 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted ioctl call.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0044"
},
{
"id": "CVE-2012-0045",
"summary": "The em_syscall function in arch/x86/kvm/emulate.c in the KVM implementation in the Linux kernel before 3.2.14 does not properly handle the 0f05 (aka syscall) opcode, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application, as demonstrated by an NASM file.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0045"
},
{
"id": "CVE-2012-0055",
"summary": "OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10.0.4 LTS and 11.10, is missing inode security checks which could allow attackers to bypass security restrictions and perform unauthorized actions.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0055"
},
{
"id": "CVE-2012-0056",
"summary": "The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when writing to /proc//mem, which allows local users to gain privileges by modifying process memory, as demonstrated by Mempodipper.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0056"
},
{
"id": "CVE-2012-0058",
"summary": "The kiocb_batch_free function in fs/aio.c in the Linux kernel before 3.2.2 allows local users to cause a denial of service (OOPS) via vectors that trigger incorrect iocb management.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0058"
},
{
"id": "CVE-2012-0207",
"summary": "The igmp_heard_query function in net/ipv4/igmp.c in the Linux kernel before 3.2.1 allows remote attackers to cause a denial of service (divide-by-zero error and panic) via IGMP packets.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0207"
},
{
"id": "CVE-2012-0810",
"summary": "The int3 handler in the Linux kernel before 3.3 relies on a per-CPU debug stack, which allows local users to cause a denial of service (stack corruption and panic) via a crafted application that triggers certain lock contention.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0810"
},
{
"id": "CVE-2012-0879",
"summary": "The I/O implementation for block devices in the Linux kernel before 2.6.33 does not properly handle the CLONE_IO feature, which allows local users to cause a denial of service (I/O instability) by starting multiple processes that share an I/O context.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0879"
},
{
"id": "CVE-2012-0957",
"summary": "The override_release function in kernel/sys.c in the Linux kernel before 3.4.16 allows local users to obtain sensitive information from kernel stack memory via a uname system call in conjunction with a UNAME26 personality.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0957",
"detail": "fixed-version",
"description": "Fixed from version 3.7rc2"
},
{
"id": "CVE-2012-1090",
"summary": "The cifs_lookup function in fs/cifs/dir.c in the Linux kernel before 3.2.10 allows local users to cause a denial of service (OOPS) via attempted access to a special file, as demonstrated by a FIFO.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1090"
},
{
"id": "CVE-2012-1097",
"summary": "The regset (aka register set) feature in the Linux kernel before 3.2.10 does not properly handle the absence of .get and .set methods, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a (1) PTRACE_GETREGSET or (2) PTRACE_SETREGSET ptrace call.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1097"
},
{
"id": "CVE-2012-1146",
"summary": "The mem_cgroup_usage_unregister_event function in mm/memcontrol.c in the Linux kernel before 3.2.10 does not properly handle multiple events that are attached to the same eventfd, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by registering memory threshold events.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1146"
},
{
"id": "CVE-2012-1179",
"summary": "The Linux kernel before 3.3.1, when KVM is used, allows guest OS users to cause a denial of service (host OS crash) by leveraging administrative access to the guest OS, related to the pmd_none_or_clear_bad function and page faults for huge pages.",
"scorev2": "5.2",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1179"
},
{
"id": "CVE-2012-1583",
"summary": "Double free vulnerability in the xfrm6_tunnel_rcv function in net/ipv6/xfrm6_tunnel.c in the Linux kernel before 2.6.22, when the xfrm6_tunnel module is enabled, allows remote attackers to cause a denial of service (panic) via crafted IPv6 packets.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1583"
},
{
"id": "CVE-2012-1601",
"summary": "The KVM implementation in the Linux kernel before 3.3.6 allows host OS users to cause a denial of service (NULL pointer dereference and host OS crash) by making a KVM_CREATE_IRQCHIP ioctl call after a virtual CPU already exists.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1601"
},
{
"id": "CVE-2012-2100",
"summary": "The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel before 3.2.2, on the x86 platform and unspecified other platforms, allows user-assisted remote attackers to trigger inconsistent filesystem-groups data and possibly cause a denial of service via a malformed ext4 filesystem containing a super block with a large FLEX_BG group size (aka s_log_groups_per_flex value). NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-4307.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2100"
},
{
"id": "CVE-2012-2119",
"summary": "Buffer overflow in the macvtap device driver in the Linux kernel before 3.4.5, when running in certain configurations, allows privileged KVM guest users to cause a denial of service (crash) via a long descriptor with a long vector length.",
"scorev2": "5.2",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2119",
"detail": "fixed-version",
"description": "Fixed from version 3.5rc1"
},
{
"id": "CVE-2012-2121",
"summary": "The KVM implementation in the Linux kernel before 3.3.4 does not properly manage the relationships between memory slots and the iommu, which allows guest OS users to cause a denial of service (memory leak and host OS crash) by leveraging administrative access to the guest OS to conduct hotunplug and hotplug operations on devices.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2121"
},
{
"id": "CVE-2012-2123",
"summary": "The cap_bprm_set_creds function in security/commoncap.c in the Linux kernel before 3.3.3 does not properly handle the use of file system capabilities (aka fcaps) for implementing a privileged executable file, which allows local users to bypass intended personality restrictions via a crafted application, as demonstrated by an attack that uses a parent process to disable ASLR.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2123"
},
{
"id": "CVE-2012-2127",
"summary": "fs/proc/root.c in the procfs implementation in the Linux kernel before 3.2 does not properly interact with CLONE_NEWPID clone system calls, which allows remote attackers to cause a denial of service (reference leak and memory consumption) by making many connections to a daemon that uses PID namespaces to isolate clients, as demonstrated by vsftpd.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2127"
},
{
"id": "CVE-2012-2133",
"summary": "Use-after-free vulnerability in the Linux kernel before 3.3.6, when huge pages are enabled, allows local users to cause a denial of service (system crash) or possibly gain privileges by interacting with a hugetlbfs filesystem, as demonstrated by a umount operation that triggers improper handling of quota data.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2133"
},
{
"id": "CVE-2012-2136",
"summary": "The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel before 3.4.5 does not properly validate a certain length value, which allows local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2136",
"detail": "fixed-version",
"description": "Fixed from version 3.5rc1"
},
{
"id": "CVE-2012-2137",
"summary": "Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem in the Linux kernel before 3.2.24 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to Message Signaled Interrupts (MSI), irq routing entries, and an incorrect check by the setup_routing_entry function before invoking the kvm_set_irq function.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2137",
"detail": "fixed-version",
"description": "Fixed from version 3.5rc2"
},
{
"id": "CVE-2012-2313",
"summary": "The rio_ioctl function in drivers/net/ethernet/dlink/dl2k.c in the Linux kernel before 3.3.7 does not restrict access to the SIOCSMIIREG command, which allows local users to write data to an Ethernet adapter via an ioctl call.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2313",
"detail": "fixed-version",
"description": "Fixed from version 3.4rc6"
},
{
"id": "CVE-2012-2319",
"summary": "Multiple buffer overflows in the hfsplus filesystem implementation in the Linux kernel before 3.3.5 allow local users to gain privileges via a crafted HFS plus filesystem, a related issue to CVE-2009-4020.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2319",
"detail": "fixed-version",
"description": "Fixed from version 3.4rc6"
},
{
"id": "CVE-2012-2372",
"summary": "The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel 3.7.4 and earlier allows local users to cause a denial of service (BUG_ON and kernel panic) by establishing an RDS connection with the source IP address equal to the IPoIB interface's own IP address, as demonstrated by rds-ping.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2372",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc4"
},
{
"id": "CVE-2012-2373",
"summary": "The Linux kernel before 3.4.5 on the x86 platform, when Physical Address Extension (PAE) is enabled, does not properly use the Page Middle Directory (PMD), which allows local users to cause a denial of service (panic) via a crafted application that triggers a race condition.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2373"
},
{
"id": "CVE-2012-2375",
"summary": "The __nfs4_get_acl_uncached function in fs/nfs/nfs4proc.c in the NFSv4 implementation in the Linux kernel before 3.3.2 uses an incorrect length variable during a copy operation, which allows remote NFS servers to cause a denial of service (OOPS) by sending an excessive number of bitmap words in an FATTR4_ACL reply. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-4131.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2375",
"detail": "fixed-version",
"description": "Fixed from version 3.4rc1"
},
{
"id": "CVE-2012-2383",
"summary": "Integer overflow in the i915_gem_execbuffer2 function in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 3.3.5 on 32-bit platforms allows local users to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted ioctl call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2383"
},
{
"id": "CVE-2012-2384",
"summary": "Integer overflow in the i915_gem_do_execbuffer function in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 3.3.5 on 32-bit platforms allows local users to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted ioctl call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2384"
},
{
"id": "CVE-2012-2390",
"summary": "Memory leak in mm/hugetlb.c in the Linux kernel before 3.4.2 allows local users to cause a denial of service (memory consumption or system crash) via invalid MAP_HUGETLB mmap operations.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2390",
"detail": "fixed-version",
"description": "Fixed from version 3.5rc1"
},
{
"id": "CVE-2012-2669",
"summary": "The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.4.5, does not validate the origin of Netlink messages, which allows local users to spoof Netlink communication via a crafted connector message.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2669",
"detail": "fixed-version",
"description": "Fixed from version 3.5rc4"
},
{
"id": "CVE-2012-2744",
"summary": "net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel before 2.6.34, when the nf_conntrack_ipv6 module is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2744",
"detail": "fixed-version",
"description": "Fixed from version 2.6.34rc1"
},
{
"id": "CVE-2012-2745",
"summary": "The copy_creds function in kernel/cred.c in the Linux kernel before 3.3.2 provides an invalid replacement session keyring to a child process, which allows local users to cause a denial of service (panic) via a crafted application that uses the fork system call.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2745",
"detail": "fixed-version",
"description": "Fixed from version 3.4rc3"
},
{
"id": "CVE-2012-3364",
"summary": "Multiple stack-based buffer overflows in the Near Field Communication Controller Interface (NCI) in the Linux kernel before 3.4.5 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via incoming frames with crafted length fields.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3364",
"detail": "fixed-version",
"description": "Fixed from version 3.5rc6"
},
{
"id": "CVE-2012-3375",
"summary": "The epoll_ctl system call in fs/eventpoll.c in the Linux kernel before 3.2.24 does not properly handle ELOOP errors in EPOLL_CTL_ADD operations, which allows local users to cause a denial of service (file-descriptor consumption and system crash) via a crafted application that attempts to create a circular epoll dependency. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1083.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3375",
"detail": "fixed-version",
"description": "Fixed from version 3.4rc5"
},
{
"id": "CVE-2012-3400",
"summary": "Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel before 3.4.5 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3400",
"detail": "fixed-version",
"description": "Fixed from version 3.5rc5"
},
{
"id": "CVE-2012-3412",
"summary": "The sfc (aka Solarflare Solarstorm) driver in the Linux kernel before 3.2.30 allows remote attackers to cause a denial of service (DMA descriptor consumption and network-controller outage) via crafted TCP packets that trigger a small MSS value.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3412",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc2"
},
{
"id": "CVE-2012-3430",
"summary": "The rds_recvmsg function in net/rds/recv.c in the Linux kernel before 3.0.44 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) recvfrom or (2) recvmsg system call on an RDS socket.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3430",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc1"
},
{
"id": "CVE-2012-3510",
"summary": "Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel before 2.6.19 allows local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command.",
"scorev2": "5.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3510",
"detail": "fixed-version",
"description": "Fixed from version 2.6.19rc4"
},
{
"id": "CVE-2012-3511",
"summary": "Multiple race conditions in the madvise_remove function in mm/madvise.c in the Linux kernel before 3.4.5 allow local users to cause a denial of service (use-after-free and system crash) via vectors involving a (1) munmap or (2) close system call.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3511",
"detail": "fixed-version",
"description": "Fixed from version 3.5rc6"
},
{
"id": "CVE-2012-3520",
"summary": "The Netlink implementation in the Linux kernel before 3.2.30 does not properly handle messages that lack SCM_CREDENTIALS data, which might allow local users to spoof Netlink communication via a crafted message, as demonstrated by a message to (1) Avahi or (2) NetworkManager.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3520",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc3"
},
{
"id": "CVE-2012-3552",
"summary": "Race condition in the IP implementation in the Linux kernel before 3.0 might allow remote attackers to cause a denial of service (slab corruption and system crash) by sending packets to an application that sets socket options during the handling of network traffic.",
"scorev2": "7.1",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3552",
"detail": "fixed-version",
"description": "Fixed from version 3.0rc1"
},
{
"id": "CVE-2012-4398",
"summary": "The __request_module function in kernel/kmod.c in the Linux kernel before 3.4 does not set a certain killable attribute, which allows local users to cause a denial of service (memory consumption) via a crafted application.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4398",
"detail": "fixed-version",
"description": "Fixed from version 3.4rc1"
},
{
"id": "CVE-2012-4444",
"summary": "The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel before 2.6.36 allows remote attackers to bypass intended network restrictions via overlapping IPv6 fragments.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4444",
"detail": "fixed-version",
"description": "Fixed from version 2.6.36rc4"
},
{
"id": "CVE-2012-4461",
"summary": "The KVM subsystem in the Linux kernel before 3.6.9, when running on hosts that use qemu userspace without XSAVE, allows local users to cause a denial of service (kernel OOPS) by using the KVM_SET_SREGS ioctl to set the X86_CR4_OSXSAVE bit in the guest cr4 register, then calling the KVM_RUN ioctl.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4461",
"detail": "fixed-version",
"description": "Fixed from version 3.7rc6"
},
{
"id": "CVE-2012-4467",
"summary": "The (1) do_siocgstamp and (2) do_siocgstampns functions in net/socket.c in the Linux kernel before 3.5.4 use an incorrect argument order, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (system crash) via a crafted ioctl call.",
"scorev2": "6.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4467",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc5"
},
{
"id": "CVE-2012-4508",
"summary": "Race condition in fs/ext4/extents.c in the Linux kernel before 3.4.16 allows local users to obtain sensitive information from a deleted file by reading an extent that was not properly marked as uninitialized.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4508",
"detail": "fixed-version",
"description": "Fixed from version 3.7rc3"
},
{
"id": "CVE-2012-4530",
"summary": "The load_script function in fs/binfmt_script.c in the Linux kernel before 3.7.2 does not properly handle recursion, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4530",
"detail": "fixed-version",
"description": "Fixed from version 3.8rc1"
},
{
"id": "CVE-2012-4542",
"summary": "block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly consider the SCSI device class during authorization of SCSI commands, which allows local users to bypass intended access restrictions via an SG_IO ioctl call that leverages overlapping opcodes.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4542"
},
{
"id": "CVE-2012-4565",
"summary": "The tcp_illinois_info function in net/ipv4/tcp_illinois.c in the Linux kernel before 3.4.19, when the net.ipv4.tcp_congestion_control illinois setting is enabled, allows local users to cause a denial of service (divide-by-zero error and OOPS) by reading TCP stats.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4565",
"detail": "fixed-version",
"description": "Fixed from version 3.7rc4"
},
{
"id": "CVE-2012-5374",
"summary": "The CRC32C feature in the Btrfs implementation in the Linux kernel before 3.8-rc1 allows local users to cause a denial of service (extended runtime of kernel code) by creating many different files whose names are associated with the same CRC32C hash value.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5374",
"detail": "fixed-version",
"description": "Fixed from version 3.8rc1"
},
{
"id": "CVE-2012-5375",
"summary": "The CRC32C feature in the Btrfs implementation in the Linux kernel before 3.8-rc1 allows local users to cause a denial of service (prevention of file creation) by leveraging the ability to write to a directory important to the victim, and creating a file with a crafted name that is associated with a specific CRC32C hash value.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5375",
"detail": "fixed-version",
"description": "Fixed from version 3.8rc1"
},
{
"id": "CVE-2012-5517",
"summary": "The online_pages function in mm/memory_hotplug.c in the Linux kernel before 3.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact in opportunistic circumstances by using memory that was hot-added by an administrator.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5517",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc1"
},
{
"id": "CVE-2012-5532",
"summary": "The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.8-rc1, allows local users to cause a denial of service (daemon exit) via a crafted application that sends a Netlink message. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-2669.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5532"
},
{
"id": "CVE-2012-6536",
"summary": "net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not verify that the actual Netlink message length is consistent with a certain header field, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability and providing a (1) new or (2) updated state.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6536",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc7"
},
{
"id": "CVE-2012-6537",
"summary": "net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6537",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc7"
},
{
"id": "CVE-2012-6538",
"summary": "The copy_to_user_auth function in net/xfrm/xfrm_user.c in the Linux kernel before 3.6 uses an incorrect C library function for copying a string, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6538",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc7"
},
{
"id": "CVE-2012-6539",
"summary": "The dev_ifconf function in net/socket.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6539",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc3"
},
{
"id": "CVE-2012-6540",
"summary": "The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 3.6 does not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6540",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc3"
},
{
"id": "CVE-2012-6541",
"summary": "The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6541",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc3"
},
{
"id": "CVE-2012-6542",
"summary": "The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return value in certain circumstances, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6542",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc3"
},
{
"id": "CVE-2012-6543",
"summary": "The l2tp_ip6_getname function in net/l2tp/l2tp_ip6.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6543",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc3"
},
{
"id": "CVE-2012-6544",
"summary": "The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6544",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc3"
},
{
"id": "CVE-2012-6545",
"summary": "The Bluetooth RFCOMM implementation in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6545",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc3"
},
{
"id": "CVE-2012-6546",
"summary": "The ATM implementation in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6546",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc3"
},
{
"id": "CVE-2012-6547",
"summary": "The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6547",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc1"
},
{
"id": "CVE-2012-6548",
"summary": "The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6548",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc1"
},
{
"id": "CVE-2012-6549",
"summary": "The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6549",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc1"
},
{
"id": "CVE-2012-6638",
"summary": "The tcp_rcv_state_process function in net/ipv4/tcp_input.c in the Linux kernel before 3.2.24 allows remote attackers to cause a denial of service (kernel resource consumption) via a flood of SYN+FIN TCP packets, a different vulnerability than CVE-2012-2663.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6638",
"detail": "fixed-version",
"description": "Fixed from version 3.3rc1"
},
{
"id": "CVE-2012-6647",
"summary": "The futex_wait_requeue_pi function in kernel/futex.c in the Linux kernel before 3.5.1 does not ensure that calls have two different futex addresses, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted FUTEX_WAIT_REQUEUE_PI command.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6647",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc2"
},
{
"id": "CVE-2012-6657",
"summary": "The sock_setsockopt function in net/core/sock.c in the Linux kernel before 3.5.7 does not ensure that a keepalive action is associated with a stream socket, which allows local users to cause a denial of service (system crash) by leveraging the ability to create a raw socket.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6657",
"detail": "fixed-version",
"description": "Fixed from version 3.6"
},
{
"id": "CVE-2012-6689",
"summary": "The netlink_sendmsg function in net/netlink/af_netlink.c in the Linux kernel before 3.5.5 does not validate the dst_pid field, which allows local users to have an unspecified impact by spoofing Netlink messages.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6689",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc5"
},
{
"id": "CVE-2012-6701",
"summary": "Integer overflow in fs/aio.c in the Linux kernel before 3.4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6701",
"detail": "fixed-version",
"description": "Fixed from version 3.5rc1"
},
{
"id": "CVE-2012-6703",
"summary": "Integer overflow in the snd_compr_allocate_buffer function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel before 3.6-rc6-next-20120917 allows local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6703",
"detail": "fixed-version",
"description": "Fixed from version 3.7rc1"
},
{
"id": "CVE-2012-6704",
"summary": "The sock_setsockopt function in net/core/sock.c in the Linux kernel before 3.5 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUF or (2) SO_RCVBUF option.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6704",
"detail": "fixed-version",
"description": "Fixed from version 3.5rc1"
},
{
"id": "CVE-2012-6712",
"summary": "In the Linux kernel before 3.4, a buffer overflow occurs in drivers/net/wireless/iwlwifi/iwl-agn-sta.c, which will cause at least memory corruption.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6712",
"detail": "fixed-version",
"description": "Fixed from version 3.4rc1"
},
{
"id": "CVE-2013-0160",
"summary": "The Linux kernel through 3.7.9 allows local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0160",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc1"
},
{
"id": "CVE-2013-0190",
"summary": "The xen_failsafe_callback function in Xen for the Linux kernel 2.6.23 and other versions, when running a 32-bit PVOPS guest, allows local users to cause a denial of service (guest crash) by triggering an iret fault, leading to use of an incorrect stack pointer and stack corruption.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0190",
"detail": "fixed-version",
"description": "Fixed from version 3.8rc5"
},
{
"id": "CVE-2013-0216",
"summary": "The Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (loop) by triggering ring pointer corruption.",
"scorev2": "5.2",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0216",
"detail": "fixed-version",
"description": "Fixed from version 3.8rc7"
},
{
"id": "CVE-2013-0217",
"summary": "Memory leak in drivers/net/xen-netback/netback.c in the Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (memory consumption) by triggering certain error conditions.",
"scorev2": "5.2",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0217",
"detail": "fixed-version",
"description": "Fixed from version 3.8rc7"
},
{
"id": "CVE-2013-0228",
"summary": "The xen_iret function in arch/x86/xen/xen-asm_32.S in the Linux kernel before 3.7.9 on 32-bit Xen paravirt_ops platforms does not properly handle an invalid value in the DS segment register, which allows guest OS users to gain guest OS privileges via a crafted application.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0228",
"detail": "fixed-version",
"description": "Fixed from version 3.8"
},
{
"id": "CVE-2013-0231",
"summary": "The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages. NOTE: some of these details are obtained from third party information.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0231",
"detail": "fixed-version",
"description": "Fixed from version 3.8rc7"
},
{
"id": "CVE-2013-0268",
"summary": "The msr_open function in arch/x86/kernel/msr.c in the Linux kernel before 3.7.6 allows local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0268",
"detail": "fixed-version",
"description": "Fixed from version 3.8rc6"
},
{
"id": "CVE-2013-0290",
"summary": "The __skb_recv_datagram function in net/core/datagram.c in the Linux kernel before 3.8 does not properly handle the MSG_PEEK flag with zero-length data, which allows local users to cause a denial of service (infinite loop and system hang) via a crafted application.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0290",
"detail": "fixed-version",
"description": "Fixed from version 3.8"
},
{
"id": "CVE-2013-0309",
"summary": "arch/x86/include/asm/pgtable.h in the Linux kernel before 3.6.2, when transparent huge pages are used, does not properly support PROT_NONE memory regions, which allows local users to cause a denial of service (system crash) via a crafted application.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0309",
"detail": "fixed-version",
"description": "Fixed from version 3.7rc1"
},
{
"id": "CVE-2013-0310",
"summary": "The cipso_v4_validate function in net/ipv4/cipso_ipv4.c in the Linux kernel before 3.4.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an IPOPT_CIPSO IP_OPTIONS setsockopt system call.",
"scorev2": "6.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0310",
"detail": "fixed-version",
"description": "Fixed from version 3.5"
},
{
"id": "CVE-2013-0311",
"summary": "The translate_desc function in drivers/vhost/vhost.c in the Linux kernel before 3.7 does not properly handle cross-region descriptors, which allows guest OS users to obtain host OS privileges by leveraging KVM guest OS privileges.",
"scorev2": "6.5",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0311",
"detail": "fixed-version",
"description": "Fixed from version 3.7rc8"
},
{
"id": "CVE-2013-0313",
"summary": "The evm_update_evmxattr function in security/integrity/evm/evm_crypto.c in the Linux kernel before 3.7.5, when the Extended Verification Module (EVM) is enabled, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an attempted removexattr operation on an inode of a sockfs filesystem.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0313",
"detail": "fixed-version",
"description": "Fixed from version 3.8rc5"
},
{
"id": "CVE-2013-0343",
"summary": "The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages.",
"scorev2": "3.2",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0343",
"detail": "fixed-version",
"description": "Fixed from version 3.11rc7"
},
{
"id": "CVE-2013-0349",
"summary": "The hidp_setup_hid function in net/bluetooth/hidp/core.c in the Linux kernel before 3.7.6 does not properly copy a certain name field, which allows local users to obtain sensitive information from kernel memory by setting a long name and making an HIDPCONNADD ioctl call.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0349",
"detail": "fixed-version",
"description": "Fixed from version 3.8rc6"
},
{
"id": "CVE-2013-0871",
"summary": "Race condition in the ptrace functionality in the Linux kernel before 3.7.5 allows local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0871",
"detail": "fixed-version",
"description": "Fixed from version 3.8rc5"
},
{
"id": "CVE-2013-0913",
"summary": "Integer overflow in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the i915 driver in the Direct Rendering Manager (DRM) subsystem in the Linux kernel through 3.8.3, as used in Google Chrome OS before 25.0.1364.173 and other products, allows local users to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted application that triggers many relocation copies, and potentially leads to a race condition.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0913",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc4"
},
{
"id": "CVE-2013-0914",
"summary": "The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0914",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc3"
},
{
"id": "CVE-2013-1059",
"summary": "net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an auth_reply message that triggers an attempted build_request operation.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1059",
"detail": "fixed-version",
"description": "Fixed from version 3.11rc1"
},
{
"id": "CVE-2013-1763",
"summary": "Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1763",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc1"
},
{
"id": "CVE-2013-1767",
"summary": "Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1767",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc1"
},
{
"id": "CVE-2013-1772",
"summary": "The log_prefix function in kernel/printk.c in the Linux kernel 3.x before 3.4.33 does not properly remove a prefix string from a syslog header, which allows local users to cause a denial of service (buffer overflow and system crash) by leveraging /dev/kmsg write access and triggering a call_console_drivers function call.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1772",
"detail": "fixed-version",
"description": "Fixed from version 3.5rc1"
},
{
"id": "CVE-2013-1773",
"summary": "Buffer overflow in the VFAT filesystem implementation in the Linux kernel before 3.3 allows local users to gain privileges or cause a denial of service (system crash) via a VFAT write operation on a filesystem with the utf8 mount option, which is not properly handled during UTF-8 to UTF-16 conversion.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1773",
"detail": "fixed-version",
"description": "Fixed from version 3.3rc1"
},
{
"id": "CVE-2013-1774",
"summary": "The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel before 3.7.4 allows local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1774",
"detail": "fixed-version",
"description": "Fixed from version 3.8rc5"
},
{
"id": "CVE-2013-1792",
"summary": "Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel before 3.8.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) via crafted keyctl system calls that trigger keyring operations in simultaneous threads.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1792",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc3"
},
{
"id": "CVE-2013-1796",
"summary": "The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 does not ensure a required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users to cause a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other impact via a crafted application.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1796",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc4"
},
{
"id": "CVE-2013-1797",
"summary": "Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 allows guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1797",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc4"
},
{
"id": "CVE-2013-1798",
"summary": "The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel through 3.8.4 does not properly handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS OOPS) via a crafted application.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:N/C:C/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1798",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc4"
},
{
"id": "CVE-2013-1819",
"summary": "The _xfs_buf_find function in fs/xfs/xfs_buf.c in the Linux kernel before 3.7.6 does not validate block numbers, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the ability to mount an XFS filesystem containing a metadata inode with an invalid extent map.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1819",
"detail": "fixed-version",
"description": "Fixed from version 3.8rc6"
},
{
"id": "CVE-2013-1826",
"summary": "The xfrm_state_netlink function in net/xfrm/xfrm_user.c in the Linux kernel before 3.5.7 does not properly handle error conditions in dump_one_state function calls, which allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1826",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc7"
},
{
"id": "CVE-2013-1827",
"summary": "net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1827",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc3"
},
{
"id": "CVE-2013-1828",
"summary": "The sctp_getsockopt_assoc_stats function in net/sctp/socket.c in the Linux kernel before 3.8.4 does not validate a size value before proceeding to a copy_from_user operation, which allows local users to gain privileges via a crafted application that contains an SCTP_GET_ASSOC_STATS getsockopt system call.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1828",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc2"
},
{
"id": "CVE-2013-1848",
"summary": "fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect arguments to functions in certain circumstances related to printk input, which allows local users to conduct format-string attacks and possibly gain privileges via a crafted application.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1848",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc3"
},
{
"id": "CVE-2013-1858",
"summary": "The clone system-call implementation in the Linux kernel before 3.8.3 does not properly handle a combination of the CLONE_NEWUSER and CLONE_FS flags, which allows local users to gain privileges by calling chroot and leveraging the sharing of the / directory between a parent process and a child process.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1858",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc3"
},
{
"id": "CVE-2013-1860",
"summary": "Heap-based buffer overflow in the wdm_in_callback function in drivers/usb/class/cdc-wdm.c in the Linux kernel before 3.8.4 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted cdc-wdm USB device.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1860",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc3"
},
{
"id": "CVE-2013-1928",
"summary": "The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel before 3.6.5 on unspecified architectures lacks a certain error check, which might allow local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1928",
"detail": "fixed-version",
"description": "Fixed from version 3.7rc3"
},
{
"id": "CVE-2013-1929",
"summary": "Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the Linux kernel before 3.8.6 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital Product Data (VPD) data structure.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1929",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc6"
},
{
"id": "CVE-2013-1943",
"summary": "The KVM subsystem in the Linux kernel before 3.0 does not check whether kernel addresses are specified during allocation of memory slots for use in a guest's physical address space, which allows local users to gain privileges or obtain sensitive information from kernel memory via a crafted application, related to arch/x86/kvm/paging_tmpl.h and virt/kvm/kvm_main.c.",
"scorev2": "4.4",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1943",
"detail": "fixed-version",
"description": "Fixed from version 3.0rc1"
},
{
"id": "CVE-2013-1956",
"summary": "The create_user_ns function in kernel/user_namespace.c in the Linux kernel before 3.8.6 does not check whether a chroot directory exists that differs from the namespace root directory, which allows local users to bypass intended filesystem restrictions via a crafted clone system call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1956",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc5"
},
{
"id": "CVE-2013-1957",
"summary": "The clone_mnt function in fs/namespace.c in the Linux kernel before 3.8.6 does not properly restrict changes to the MNT_READONLY flag, which allows local users to bypass an intended read-only property of a filesystem by leveraging a separate mount namespace.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1957",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc5"
},
{
"id": "CVE-2013-1958",
"summary": "The scm_check_creds function in net/core/scm.c in the Linux kernel before 3.8.6 does not properly enforce capability requirements for controlling the PID value associated with a UNIX domain socket, which allows local users to bypass intended access restrictions by leveraging the time interval during which a user namespace has been created but a PID namespace has not been created.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1958",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc5"
},
{
"id": "CVE-2013-1959",
"summary": "kernel/user_namespace.c in the Linux kernel before 3.8.9 does not have appropriate capability requirements for the uid_map and gid_map files, which allows local users to gain privileges by opening a file within an unprivileged process and then modifying the file within a privileged process.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1959",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc7"
},
{
"id": "CVE-2013-1979",
"summary": "The scm_set_cred function in include/net/scm.h in the Linux kernel before 3.8.11 uses incorrect uid and gid values during credentials passing, which allows local users to gain privileges via a crafted application.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1979",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc8"
},
{
"id": "CVE-2013-2015",
"summary": "The ext4_orphan_del function in fs/ext4/namei.c in the Linux kernel before 3.7.3 does not properly handle orphan-list entries for non-journal filesystems, which allows physically proximate attackers to cause a denial of service (system hang) via a crafted filesystem on removable media, as demonstrated by the e2fsprogs tests/f_orphan_extents_inode/image.gz test.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2015",
"detail": "fixed-version",
"description": "Fixed from version 3.8rc2"
},
{
"id": "CVE-2013-2017",
"summary": "The veth (aka virtual Ethernet) driver in the Linux kernel before 2.6.34 does not properly manage skbs during congestion, which allows remote attackers to cause a denial of service (system crash) by leveraging lack of skb consumption in conjunction with a double-free error.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2017",
"detail": "fixed-version",
"description": "Fixed from version 2.6.34"
},
{
"id": "CVE-2013-2058",
"summary": "The host_start function in drivers/usb/chipidea/host.c in the Linux kernel before 3.7.4 does not properly support a certain non-streaming option, which allows local users to cause a denial of service (system crash) by sending a large amount of network traffic through a USB/Ethernet adapter.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2058",
"detail": "fixed-version",
"description": "Fixed from version 3.8rc4"
},
{
"id": "CVE-2013-2094",
"summary": "The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2094",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc8"
},
{
"id": "CVE-2013-2128",
"summary": "The tcp_read_sock function in net/ipv4/tcp.c in the Linux kernel before 2.6.34 does not properly manage skb consumption, which allows local users to cause a denial of service (system crash) via a crafted splice system call for a TCP socket.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2128",
"detail": "fixed-version",
"description": "Fixed from version 2.6.34rc4"
},
{
"id": "CVE-2013-2140",
"summary": "The dispatch_discard_io function in drivers/block/xen-blkback/blkback.c in the Xen blkback implementation in the Linux kernel before 3.10.5 allows guest OS users to cause a denial of service (data loss) via filesystem write operations on a read-only disk that supports the (1) BLKIF_OP_DISCARD (aka discard or TRIM) or (2) SCSI UNMAP feature.",
"scorev2": "3.8",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2140",
"detail": "fixed-version",
"description": "Fixed from version 3.11rc3"
},
{
"id": "CVE-2013-2141",
"summary": "The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2141",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc8"
},
{
"id": "CVE-2013-2146",
"summary": "arch/x86/kernel/cpu/perf_event_intel.c in the Linux kernel before 3.8.9, when the Performance Events Subsystem is enabled, specifies an incorrect bitmask, which allows local users to cause a denial of service (general protection fault and system crash) by attempting to set a reserved bit.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2146",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc8"
},
{
"id": "CVE-2013-2147",
"summary": "The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel through 3.9.4 do not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2147",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc3"
},
{
"id": "CVE-2013-2148",
"summary": "The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c in the Linux kernel through 3.9.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a read operation on the fanotify descriptor.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2148",
"detail": "fixed-version",
"description": "Fixed from version 3.11rc1"
},
{
"id": "CVE-2013-2164",
"summary": "The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2164",
"detail": "fixed-version",
"description": "Fixed from version 3.11rc1"
},
{
"id": "CVE-2013-2206",
"summary": "The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic.",
"scorev2": "5.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2206",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc4"
},
{
"id": "CVE-2013-2232",
"summary": "The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2232",
"detail": "fixed-version",
"description": "Fixed from version 3.10"
},
{
"id": "CVE-2013-2234",
"summary": "The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2234",
"detail": "fixed-version",
"description": "Fixed from version 3.10"
},
{
"id": "CVE-2013-2237",
"summary": "The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2237",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc6"
},
{
"id": "CVE-2013-2546",
"summary": "The report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect C library function for copying strings, which allows local users to obtain sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2546",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc1"
},
{
"id": "CVE-2013-2547",
"summary": "The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 does not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2547",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc1"
},
{
"id": "CVE-2013-2548",
"summary": "The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect length value during a copy operation, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2548",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc1"
},
{
"id": "CVE-2013-2596",
"summary": "Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2596",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc8"
},
{
"id": "CVE-2013-2634",
"summary": "net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2634",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc3"
},
{
"id": "CVE-2013-2635",
"summary": "The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2635",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc3"
},
{
"id": "CVE-2013-2636",
"summary": "net/bridge/br_mdb.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2636",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc3"
},
{
"id": "CVE-2013-2850",
"summary": "Heap-based buffer overflow in the iscsi_add_notunderstood_response function in drivers/target/iscsi/iscsi_target_parameters.c in the iSCSI target subsystem in the Linux kernel through 3.9.4 allows remote attackers to cause a denial of service (memory corruption and OOPS) or possibly execute arbitrary code via a long key that is not properly handled during construction of an error-response packet.",
"scorev2": "7.9",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2850",
"detail": "fixed-version",
"description": "Fixed from version 3.10rc4"
},
{
"id": "CVE-2013-2851",
"summary": "Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name.",
"scorev2": "6.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2851",
"detail": "fixed-version",
"description": "Fixed from version 3.11rc1"
},
{
"id": "CVE-2013-2852",
"summary": "Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2852",
"detail": "fixed-version",
"description": "Fixed from version 3.10rc6"
},
{
"id": "CVE-2013-2888",
"summary": "Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2888",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc1"
},
{
"id": "CVE-2013-2889",
"summary": "drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2889",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc2"
},
{
"id": "CVE-2013-2890",
"summary": "drivers/hid/hid-sony.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_SONY is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2890",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc2"
},
{
"id": "CVE-2013-2891",
"summary": "drivers/hid/hid-steelseries.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_STEELSERIES is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2891",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc2"
},
{
"id": "CVE-2013-2892",
"summary": "drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2892",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc1"
},
{
"id": "CVE-2013-2893",
"summary": "The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2893",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc2"
},
{
"id": "CVE-2013-2894",
"summary": "drivers/hid/hid-lenovo-tpkbd.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_LENOVO_TPKBD is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2894",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc2"
},
{
"id": "CVE-2013-2895",
"summary": "drivers/hid/hid-logitech-dj.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_LOGITECH_DJ is enabled, allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) or obtain sensitive information from kernel memory via a crafted device.",
"scorev2": "5.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2895",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc2"
},
{
"id": "CVE-2013-2896",
"summary": "drivers/hid/hid-ntrig.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_NTRIG is enabled, allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted device.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2896",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc1"
},
{
"id": "CVE-2013-2897",
"summary": "Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2897",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc2"
},
{
"id": "CVE-2013-2898",
"summary": "drivers/hid/hid-sensor-hub.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_SENSOR_HUB is enabled, allows physically proximate attackers to obtain sensitive information from kernel memory via a crafted device.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2898",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc1"
},
{
"id": "CVE-2013-2899",
"summary": "drivers/hid/hid-picolcd_core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PICOLCD is enabled, allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted device.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2899",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc1"
},
{
"id": "CVE-2013-2929",
"summary": "The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users to bypass intended ptrace restrictions or obtain sensitive information from IA64 scratch registers via a crafted application, related to kernel/ptrace.c and arch/ia64/include/asm/processor.h.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2929",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-2930",
"summary": "The perf_trace_event_perm function in kernel/trace/trace_event_perf.c in the Linux kernel before 3.12.2 does not properly restrict access to the perf subsystem, which allows local users to enable function tracing via a crafted application.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2930",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-3076",
"summary": "The crypto API in the Linux kernel through 3.9-rc8 does not initialize certain length variables, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call, related to the hash_recvmsg function in crypto/algif_hash.c and the skcipher_recvmsg function in crypto/algif_skcipher.c.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3076",
"detail": "fixed-version",
"description": "Fixed from version 3.9"
},
{
"id": "CVE-2013-3222",
"summary": "The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3222",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc7"
},
{
"id": "CVE-2013-3223",
"summary": "The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3223",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc7"
},
{
"id": "CVE-2013-3224",
"summary": "The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3224",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc7"
},
{
"id": "CVE-2013-3225",
"summary": "The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3225",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc7"
},
{
"id": "CVE-2013-3226",
"summary": "The sco_sock_recvmsg function in net/bluetooth/sco.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3226",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc7"
},
{
"id": "CVE-2013-3227",
"summary": "The caif_seqpkt_recvmsg function in net/caif/caif_socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3227",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc7"
},
{
"id": "CVE-2013-3228",
"summary": "The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3228",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc7"
},
{
"id": "CVE-2013-3229",
"summary": "The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3229",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc7"
},
{
"id": "CVE-2013-3230",
"summary": "The l2tp_ip6_recvmsg function in net/l2tp/l2tp_ip6.c in the Linux kernel before 3.9-rc7 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3230",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc7"
},
{
"id": "CVE-2013-3231",
"summary": "The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3231",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc7"
},
{
"id": "CVE-2013-3232",
"summary": "The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3232",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc7"
},
{
"id": "CVE-2013-3233",
"summary": "The llcp_sock_recvmsg function in net/nfc/llcp/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable and a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3233",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc7"
},
{
"id": "CVE-2013-3234",
"summary": "The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3234",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc7"
},
{
"id": "CVE-2013-3235",
"summary": "net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3235",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc7"
},
{
"id": "CVE-2013-3236",
"summary": "The vmci_transport_dgram_dequeue function in net/vmw_vsock/vmci_transport.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3236",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc7"
},
{
"id": "CVE-2013-3237",
"summary": "The vsock_stream_sendmsg function in net/vmw_vsock/af_vsock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3237",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc7"
},
{
"id": "CVE-2013-3301",
"summary": "The ftrace implementation in the Linux kernel before 3.8.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for write access to the (1) set_ftrace_pid or (2) set_graph_function file, and then making an lseek system call.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3301",
"detail": "fixed-version",
"description": "Fixed from version 3.9rc7"
},
{
"id": "CVE-2013-3302",
"summary": "Race condition in the smb_send_rqst function in fs/cifs/transport.c in the Linux kernel before 3.7.2 allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via vectors involving a reconnection event.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3302",
"detail": "fixed-version",
"description": "Fixed from version 3.8rc3"
},
{
"id": "CVE-2013-4125",
"summary": "The fib6_add_rt2node function in net/ipv6/ip6_fib.c in the IPv6 stack in the Linux kernel through 3.10.1 does not properly handle Router Advertisement (RA) messages in certain circumstances involving three routes that initially qualified for membership in an ECMP route set until a change occurred for one of the first two routes, which allows remote attackers to cause a denial of service (system crash) via a crafted sequence of messages.",
"scorev2": "5.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4125",
"detail": "fixed-version",
"description": "Fixed from version 3.11rc1"
},
{
"id": "CVE-2013-4127",
"summary": "Use-after-free vulnerability in the vhost_net_set_backend function in drivers/vhost/net.c in the Linux kernel through 3.10.3 allows local users to cause a denial of service (OOPS and system crash) via vectors involving powering on a virtual machine.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4127",
"detail": "fixed-version",
"description": "Fixed from version 3.11rc1"
},
{
"id": "CVE-2013-4129",
"summary": "The bridge multicast implementation in the Linux kernel through 3.10.3 does not check whether a certain timer is armed before modifying the timeout value of that timer, which allows local users to cause a denial of service (BUG and system crash) via vectors involving the shutdown of a KVM virtual machine, related to net/bridge/br_mdb.c and net/bridge/br_multicast.c.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4129",
"detail": "fixed-version",
"description": "Fixed from version 3.11rc1"
},
{
"id": "CVE-2013-4162",
"summary": "The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4162",
"detail": "fixed-version",
"description": "Fixed from version 3.11rc1"
},
{
"id": "CVE-2013-4163",
"summary": "The ip6_append_data_mtu function in net/ipv6/ip6_output.c in the IPv6 implementation in the Linux kernel through 3.10.3 does not properly maintain information about whether the IPV6_MTU setsockopt option had been specified, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4163",
"detail": "fixed-version",
"description": "Fixed from version 3.11rc1"
},
{
"id": "CVE-2013-4205",
"summary": "Memory leak in the unshare_userns function in kernel/user_namespace.c in the Linux kernel before 3.10.6 allows local users to cause a denial of service (memory consumption) via an invalid CLONE_NEWUSER unshare call.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4205",
"detail": "fixed-version",
"description": "Fixed from version 3.11rc5"
},
{
"id": "CVE-2013-4220",
"summary": "The bad_mode function in arch/arm64/kernel/traps.c in the Linux kernel before 3.9.5 on the ARM64 platform allows local users to cause a denial of service (system crash) via vectors involving an attempted register access that triggers an unexpected value in the Exception Syndrome Register (ESR).",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4220",
"detail": "fixed-version",
"description": "Fixed from version 3.10rc4"
},
{
"id": "CVE-2013-4247",
"summary": "Off-by-one error in the build_unc_path_to_root function in fs/cifs/connect.c in the Linux kernel before 3.9.6 allows remote attackers to cause a denial of service (memory corruption and system crash) via a DFS share mount operation that triggers use of an unexpected DFS referral name length.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4247",
"detail": "fixed-version",
"description": "Fixed from version 3.10rc5"
},
{
"id": "CVE-2013-4254",
"summary": "The validate_event function in arch/arm/kernel/perf_event.c in the Linux kernel before 3.10.8 on the ARM platform allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by adding a hardware event to an event group led by a software event.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4254",
"detail": "fixed-version",
"description": "Fixed from version 3.11rc6"
},
{
"id": "CVE-2013-4270",
"summary": "The net_ctl_permissions function in net/sysctl_net.c in the Linux kernel before 3.11.5 does not properly determine uid and gid values, which allows local users to bypass intended /proc/sys/net restrictions via a crafted application.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4270",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc4"
},
{
"id": "CVE-2013-4299",
"summary": "Interpretation conflict in drivers/md/dm-snap-persistent.c in the Linux kernel through 3.11.6 allows remote authenticated users to obtain sensitive information or modify data via a crafted mapping to a snapshot block device.",
"scorev2": "6.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4299",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc6"
},
{
"id": "CVE-2013-4300",
"summary": "The scm_check_creds function in net/core/scm.c in the Linux kernel before 3.11 performs a capability check in an incorrect namespace, which allows local users to gain privileges via PID spoofing.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4300",
"detail": "fixed-version",
"description": "Fixed from version 3.11"
},
{
"id": "CVE-2013-4312",
"summary": "The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to net/unix/af_unix.c and net/unix/garbage.c.",
"scorev2": "4.9",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4312",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2013-4343",
"summary": "Use-after-free vulnerability in drivers/net/tun.c in the Linux kernel through 3.11.1 allows local users to gain privileges by leveraging the CAP_NET_ADMIN capability and providing an invalid tuntap interface name in a TUNSETIFF ioctl call.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4343",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc2"
},
{
"id": "CVE-2013-4345",
"summary": "Off-by-one error in the get_prng_bytes function in crypto/ansi_cprng.c in the Linux kernel through 3.11.4 makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via multiple requests for small amounts of data, leading to improper management of the state of the consumed data.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4345",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc2"
},
{
"id": "CVE-2013-4348",
"summary": "The skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel through 3.12 allows remote attackers to cause a denial of service (infinite loop) via a small value in the IHL field of a packet with IPIP encapsulation.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4348",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-4350",
"summary": "The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel through 3.11.1 uses data structures and function calls that do not trigger an intended configuration of IPsec encryption, which allows remote attackers to obtain sensitive information by sniffing the network.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4350",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc2"
},
{
"id": "CVE-2013-4387",
"summary": "net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not properly determine the need for UDP Fragmentation Offload (UFO) processing of small packets after the UFO queueing of a large packet, which allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via network traffic that triggers a large response packet.",
"scorev2": "6.1",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4387",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc4"
},
{
"id": "CVE-2013-4470",
"summary": "The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4470",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc7"
},
{
"id": "CVE-2013-4483",
"summary": "The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4483",
"detail": "fixed-version",
"description": "Fixed from version 3.10rc1"
},
{
"id": "CVE-2013-4511",
"summary": "Multiple integer overflows in Alchemy LCD frame-buffer drivers in the Linux kernel before 3.12 allow local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted mmap operations, related to the (1) au1100fb_fb_mmap function in drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap function in drivers/video/au1200fb.c.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4511",
"detail": "fixed-version",
"description": "Fixed from version 3.12"
},
{
"id": "CVE-2013-4512",
"summary": "Buffer overflow in the exitcode_proc_write function in arch/um/kernel/exitcode.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact by leveraging root privileges for a write operation.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4512",
"detail": "fixed-version",
"description": "Fixed from version 3.12"
},
{
"id": "CVE-2013-4513",
"summary": "Buffer overflow in the oz_cdev_write function in drivers/staging/ozwpan/ozcdev.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact via a crafted write operation.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4513",
"detail": "fixed-version",
"description": "Fixed from version 3.12"
},
{
"id": "CVE-2013-4514",
"summary": "Multiple buffer overflows in drivers/staging/wlags49_h2/wl_priv.c in the Linux kernel before 3.12 allow local users to cause a denial of service or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability and providing a long station-name string, related to the (1) wvlan_uil_put_info and (2) wvlan_set_station_nickname functions.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4514",
"detail": "fixed-version",
"description": "Fixed from version 3.12"
},
{
"id": "CVE-2013-4515",
"summary": "The bcm_char_ioctl function in drivers/staging/bcm/Bcmchar.c in the Linux kernel before 3.12 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an IOCTL_BCM_GET_DEVICE_DRIVER_INFO ioctl call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4515",
"detail": "fixed-version",
"description": "Fixed from version 3.12"
},
{
"id": "CVE-2013-4516",
"summary": "The mp_get_count function in drivers/staging/sb105x/sb_pci_mp.c in the Linux kernel before 3.12 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4516",
"detail": "fixed-version",
"description": "Fixed from version 3.12"
},
{
"id": "CVE-2013-4563",
"summary": "The udp6_ufo_fragment function in net/ipv6/udp_offload.c in the Linux kernel through 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly perform a certain size comparison before inserting a fragment header, which allows remote attackers to cause a denial of service (panic) via a large IPv6 UDP packet, as demonstrated by use of the Token Bucket Filter (TBF) queueing discipline.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4563",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-4579",
"summary": "The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4579",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc7"
},
{
"id": "CVE-2013-4587",
"summary": "Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4587",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc4"
},
{
"id": "CVE-2013-4588",
"summary": "Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when CONFIG_IP_VS is used, allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to the do_ip_vs_set_ctl function.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4588",
"detail": "fixed-version",
"description": "Fixed from version 2.6.33rc4"
},
{
"id": "CVE-2013-4591",
"summary": "Buffer overflow in the __nfs4_get_acl_uncached function in fs/nfs/nfs4proc.c in the Linux kernel before 3.7.2 allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via a getxattr system call for the system.nfs4_acl extended attribute of a pathname on an NFSv4 filesystem.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4591",
"detail": "fixed-version",
"description": "Fixed from version 3.8rc1"
},
{
"id": "CVE-2013-4592",
"summary": "Memory leak in the __kvm_set_memory_region function in virt/kvm/kvm_main.c in the Linux kernel before 3.9 allows local users to cause a denial of service (memory consumption) by leveraging certain device access to trigger movement of memory slots.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4592",
"detail": "fixed-version",
"description": "Fixed from version 3.7rc1"
},
{
"id": "CVE-2013-5634",
"summary": "arch/arm/kvm/arm.c in the Linux kernel before 3.10 on the ARM platform, when KVM is used, allows host OS users to cause a denial of service (NULL pointer dereference, OOPS, and host OS crash) or possibly have unspecified other impact by omitting vCPU initialization before a KVM_GET_REG_LIST ioctl call.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-5634",
"detail": "fixed-version",
"description": "Fixed from version 3.10rc5"
},
{
"id": "CVE-2013-6282",
"summary": "The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6282",
"detail": "fixed-version",
"description": "Fixed from version 3.6rc6"
},
{
"id": "CVE-2013-6367",
"summary": "The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via crafted modifications of the TMICT value.",
"scorev2": "5.7",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6367",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc4"
},
{
"id": "CVE-2013-6368",
"summary": "The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6368",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc4"
},
{
"id": "CVE-2013-6376",
"summary": "The recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (host OS crash) via a crafted ICR write operation in x2apic mode.",
"scorev2": "5.2",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6376",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc4"
},
{
"id": "CVE-2013-6378",
"summary": "The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service (OOPS) by leveraging root privileges for a zero-length write operation.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6378",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-6380",
"summary": "The aac_send_raw_srb function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 3.12.1 does not properly validate a certain size value, which allows local users to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via an FSACTL_SEND_RAW_SRB ioctl call that triggers a crafted SRB command.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6380",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-6381",
"summary": "Buffer overflow in the qeth_snmp_command function in drivers/s390/net/qeth_core_main.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service or possibly have unspecified other impact via an SNMP ioctl call with a length value that is incompatible with the command-buffer size.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6381",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-6382",
"summary": "Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6382",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc4"
},
{
"id": "CVE-2013-6383",
"summary": "The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6383",
"detail": "fixed-version",
"description": "Fixed from version 3.12"
},
{
"id": "CVE-2013-6431",
"summary": "The fib6_add function in net/ipv6/ip6_fib.c in the Linux kernel before 3.11.5 does not properly implement error-code encoding, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for an IPv6 SIOCADDRT ioctl call.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6431",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc1"
},
{
"id": "CVE-2013-6432",
"summary": "The ping_recvmsg function in net/ipv4/ping.c in the Linux kernel before 3.12.4 does not properly interact with read system calls on ping sockets, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging unspecified privileges to execute a crafted application.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6432",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-6763",
"summary": "The uio_mmap_physical function in drivers/uio/uio.c in the Linux kernel before 3.12 does not validate the size of a memory block, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via crafted mmap operations, a different vulnerability than CVE-2013-4511.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6763"
},
{
"id": "CVE-2013-6885",
"summary": "The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6885",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc1"
},
{
"id": "CVE-2013-7026",
"summary": "Multiple race conditions in ipc/shm.c in the Linux kernel before 3.12.2 allow local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted application that uses shmctl IPC_RMID operations in conjunction with other shm system calls.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7026",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-7027",
"summary": "The ieee80211_radiotap_iterator_init function in net/wireless/radiotap.c in the Linux kernel before 3.11.7 does not check whether a frame contains any data outside of the header, which might allow attackers to cause a denial of service (buffer over-read) via a crafted header.",
"scorev2": "6.1",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7027",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc7"
},
{
"id": "CVE-2013-7263",
"summary": "The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7263",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-7264",
"summary": "The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7264",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-7265",
"summary": "The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7265",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-7266",
"summary": "The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the Linux kernel before 3.12.4 does not ensure that a certain length value is consistent with the size of an associated data structure, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7266",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-7267",
"summary": "The atalk_recvmsg function in net/appletalk/ddp.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7267",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-7268",
"summary": "The ipx_recvmsg function in net/ipx/af_ipx.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7268",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-7269",
"summary": "The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7269",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-7270",
"summary": "The packet_recvmsg function in net/packet/af_packet.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7270",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-7271",
"summary": "The x25_recvmsg function in net/x25/af_x25.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7271",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-7281",
"summary": "The dgram_recvmsg function in net/ieee802154/dgram.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7281",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-7339",
"summary": "The rds_ib_laddr_check function in net/rds/ib.c in the Linux kernel before 3.12.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7339",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc7"
},
{
"id": "CVE-2013-7348",
"summary": "Double free vulnerability in the ioctx_alloc function in fs/aio.c in the Linux kernel before 3.12.4 allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via vectors involving an error condition in the aio_setup_ring function.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7348",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2013-7421",
"summary": "The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability than CVE-2014-9644.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7421",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc1"
},
{
"id": "CVE-2013-7445",
"summary": "The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated by JavaScript code that creates many CANVAS elements for rendering by Chrome or Firefox.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7445"
},
{
"id": "CVE-2013-7446",
"summary": "Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel before 4.3.3 allows local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls.",
"scorev2": "5.4",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7446",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc4"
},
{
"id": "CVE-2013-7470",
"summary": "cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel before 3.11.7, when CONFIG_NETLABEL is disabled, allows attackers to cause a denial of service (infinite loop and crash), as demonstrated by icmpsic, a different vulnerability than CVE-2013-0310.",
"scorev2": "7.1",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7470",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc7"
},
{
"id": "CVE-2014-0038",
"summary": "The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0038",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc1"
},
{
"id": "CVE-2014-0049",
"summary": "Buffer overflow in the complete_emulated_mmio function in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6 allows guest OS users to execute arbitrary code on the host OS by leveraging a loop that triggers an invalid memory copy affecting certain cancel_work_item data.",
"scorev2": "7.4",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0049",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc5"
},
{
"id": "CVE-2014-0055",
"summary": "The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors.",
"scorev2": "5.5",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0055",
"detail": "fixed-version",
"description": "Fixed from version 3.14"
},
{
"id": "CVE-2014-0069",
"summary": "The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0069",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc4"
},
{
"id": "CVE-2014-0077",
"summary": "drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions.",
"scorev2": "5.5",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:S/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0077",
"detail": "fixed-version",
"description": "Fixed from version 3.14"
},
{
"id": "CVE-2014-0100",
"summary": "Race condition in the inet_frag_intern function in net/ipv4/inet_fragment.c in the Linux kernel through 3.13.6 allows remote attackers to cause a denial of service (use-after-free error) or possibly have unspecified other impact via a large series of fragmented ICMP Echo Request packets to a system with a heavy CPU load.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0100",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc7"
},
{
"id": "CVE-2014-0101",
"summary": "The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not validate certain auth_enable and auth_capable fields before making an sctp_sf_authenticate call, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an SCTP handshake with a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO chunk.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0101",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc6"
},
{
"id": "CVE-2014-0102",
"summary": "The keyring_detect_cycle_iterator function in security/keys/keyring.c in the Linux kernel through 3.13.6 does not properly determine whether keyrings are identical, which allows local users to cause a denial of service (OOPS) via crafted keyctl commands.",
"scorev2": "5.2",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0102",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc6"
},
{
"id": "CVE-2014-0131",
"summary": "Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.",
"scorev2": "2.9",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0131",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc7"
},
{
"id": "CVE-2014-0155",
"summary": "The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC. NOTE: the affected code was moved to the ioapic_service function before the vulnerability was announced.",
"scorev2": "5.5",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0155",
"detail": "fixed-version",
"description": "Fixed from version 3.15rc2"
},
{
"id": "CVE-2014-0181",
"summary": "The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing socket operations based on the opener of a socket, which allows local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0181",
"detail": "fixed-version",
"description": "Fixed from version 3.15rc5"
},
{
"id": "CVE-2014-0196",
"summary": "The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the \"LECHO & !OPOST\" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0196",
"detail": "fixed-version",
"description": "Fixed from version 3.15rc5"
},
{
"id": "CVE-2014-0203",
"summary": "The __do_follow_link function in fs/namei.c in the Linux kernel before 2.6.33 does not properly handle the last pathname component during use of certain filesystems, which allows local users to cause a denial of service (incorrect free operations and system crash) via an open system call.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0203",
"detail": "fixed-version",
"description": "Fixed from version 2.6.33rc5"
},
{
"id": "CVE-2014-0205",
"summary": "The futex_wait function in kernel/futex.c in the Linux kernel before 2.6.37 does not properly maintain a certain reference count during requeue operations, which allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that triggers a zero count.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0205",
"detail": "fixed-version",
"description": "Fixed from version 2.6.37rc1"
},
{
"id": "CVE-2014-0206",
"summary": "Array index error in the aio_read_events_ring function in fs/aio.c in the Linux kernel through 3.15.1 allows local users to obtain sensitive information from kernel memory via a large head value.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0206",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc3"
},
{
"id": "CVE-2014-1438",
"summary": "The restore_fpu_checking function in arch/x86/include/asm/fpu-internal.h in the Linux kernel before 3.12.8 on the AMD K7 and K8 platforms does not clear pending exceptions before proceeding to an EMMS instruction, which allows local users to cause a denial of service (task kill) or possibly gain privileges via a crafted application.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1438",
"detail": "fixed-version",
"description": "Fixed from version 3.13"
},
{
"id": "CVE-2014-1444",
"summary": "The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call.",
"scorev2": "1.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1444",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc7"
},
{
"id": "CVE-2014-1445",
"summary": "The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1445",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc7"
},
{
"id": "CVE-2014-1446",
"summary": "The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1446",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc7"
},
{
"id": "CVE-2014-1690",
"summary": "The help function in net/netfilter/nf_nat_irc.c in the Linux kernel before 3.12.8 allows remote attackers to obtain sensitive information from kernel memory by establishing an IRC DCC session in which incorrect packet data is transmitted during use of the NAT mangle feature.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1690",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc8"
},
{
"id": "CVE-2014-1737",
"summary": "The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1737",
"detail": "fixed-version",
"description": "Fixed from version 3.15rc5"
},
{
"id": "CVE-2014-1738",
"summary": "The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allows local users to obtain sensitive information from kernel heap memory by leveraging write access to a /dev/fd device.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1738",
"detail": "fixed-version",
"description": "Fixed from version 3.15rc5"
},
{
"id": "CVE-2014-1739",
"summary": "The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1739",
"detail": "fixed-version",
"description": "Fixed from version 3.15rc6"
},
{
"id": "CVE-2014-1874",
"summary": "The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1874",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc2"
},
{
"id": "CVE-2014-2038",
"summary": "The nfs_can_extend_write function in fs/nfs/write.c in the Linux kernel before 3.13.3 relies on a write delegation to extend a write operation without a certain up-to-date verification, which allows local users to obtain sensitive information from kernel memory in opportunistic circumstances by writing to a file in an NFS filesystem and then reading the same file.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2038",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc1"
},
{
"id": "CVE-2014-2039",
"summary": "arch/s390/kernel/head64.S in the Linux kernel before 3.13.5 on the s390 platform does not properly handle attempted use of the linkage stack, which allows local users to cause a denial of service (system crash) by executing a crafted instruction.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2039",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc3"
},
{
"id": "CVE-2014-2309",
"summary": "The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets.",
"scorev2": "6.1",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2309",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc7"
},
{
"id": "CVE-2014-2523",
"summary": "net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2523",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc1"
},
{
"id": "CVE-2014-2568",
"summary": "Use-after-free vulnerability in the nfqnl_zcopy function in net/netfilter/nfnetlink_queue_core.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. NOTE: the affected code was moved to the skb_zerocopy function in net/core/skbuff.c before the vulnerability was announced.",
"scorev2": "2.9",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2568",
"detail": "fixed-version",
"description": "Fixed from version 3.14"
},
{
"id": "CVE-2014-2580",
"summary": "The netback driver in Xen, when using certain Linux versions that do not allow sleeping in softirq context, allows local guest administrators to cause a denial of service (\"scheduling while atomic\" error and host crash) via a malformed packet, which causes a mutex to be taken when trying to disable the interface.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2580",
"detail": "fixed-version",
"description": "Fixed from version 3.15rc1"
},
{
"id": "CVE-2014-2672",
"summary": "Race condition in the ath_tx_aggr_sleep function in drivers/net/wireless/ath/ath9k/xmit.c in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via a large amount of network traffic that triggers certain list deletions.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2672",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc6"
},
{
"id": "CVE-2014-2673",
"summary": "The arch_dup_task_struct function in the Transactional Memory (TM) implementation in arch/powerpc/kernel/process.c in the Linux kernel before 3.13.7 on the powerpc platform does not properly interact with the clone and fork system calls, which allows local users to cause a denial of service (Program Check and system crash) via certain instructions that are executed with the processor in the Transactional state.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2673",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc6"
},
{
"id": "CVE-2014-2678",
"summary": "The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel through 3.14 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2678",
"detail": "fixed-version",
"description": "Fixed from version 3.15rc1"
},
{
"id": "CVE-2014-2706",
"summary": "Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2706",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc6"
},
{
"id": "CVE-2014-2739",
"summary": "The cma_req_handler function in drivers/infiniband/core/cma.c in the Linux kernel 3.14.x through 3.14.1 attempts to resolve an RDMA over Converged Ethernet (aka RoCE) address that is properly resolved within a different module, which allows remote attackers to cause a denial of service (incorrect pointer dereference and system crash) via crafted network traffic.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2739",
"detail": "fixed-version",
"description": "Fixed from version 3.15rc1"
},
{
"id": "CVE-2014-2851",
"summary": "Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2851",
"detail": "fixed-version",
"description": "Fixed from version 3.15rc2"
},
{
"id": "CVE-2014-2889",
"summary": "Off-by-one error in the bpf_jit_compile function in arch/x86/net/bpf_jit_comp.c in the Linux kernel before 3.1.8, when BPF JIT is enabled, allows local users to cause a denial of service (system crash) or possibly gain privileges via a long jump after a conditional jump.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2889",
"detail": "fixed-version",
"description": "Fixed from version 3.2rc7"
},
{
"id": "CVE-2014-3122",
"summary": "The try_to_unmap_cluster function in mm/rmap.c in the Linux kernel before 3.14.3 does not properly consider which pages must be locked, which allows local users to cause a denial of service (system crash) by triggering a memory-usage pattern that requires removal of page-table mappings.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3122",
"detail": "fixed-version",
"description": "Fixed from version 3.15rc1"
},
{
"id": "CVE-2014-3144",
"summary": "The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 do not check whether a certain length value is sufficiently large, which allows local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr and __skb_get_nlattr_nest functions before the vulnerability was announced.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3144",
"detail": "fixed-version",
"description": "Fixed from version 3.15rc2"
},
{
"id": "CVE-2014-3145",
"summary": "The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 uses the reverse order in a certain subtraction, which allows local users to cause a denial of service (over-read and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr_nest function before the vulnerability was announced.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3145",
"detail": "fixed-version",
"description": "Fixed from version 3.15rc2"
},
{
"id": "CVE-2014-3153",
"summary": "The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3153",
"detail": "fixed-version",
"description": "Fixed from version 3.15"
},
{
"id": "CVE-2014-3180",
"summary": "In kernel/compat.c in the Linux kernel before 3.17, as used in Google Chrome OS and other products, there is a possible out-of-bounds read. restart_syscall uses uninitialized data when restarting compat_sys_nanosleep. NOTE: this is disputed because the code path is unreachable",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3180",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc4"
},
{
"id": "CVE-2014-3181",
"summary": "Multiple stack-based buffer overflows in the magicmouse_raw_event function in drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver in the Linux kernel through 3.16.3 allow physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with an event.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3181",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc3"
},
{
"id": "CVE-2014-3182",
"summary": "Array index error in the logi_dj_raw_event function in drivers/hid/hid-logitech-dj.c in the Linux kernel before 3.16.2 allows physically proximate attackers to execute arbitrary code or cause a denial of service (invalid kfree) via a crafted device that provides a malformed REPORT_TYPE_NOTIF_DEVICE_UNPAIRED value.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3182",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc2"
},
{
"id": "CVE-2014-3183",
"summary": "Heap-based buffer overflow in the logi_dj_ll_raw_request function in drivers/hid/hid-logitech-dj.c in the Linux kernel before 3.16.2 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that specifies a large report size for an LED report.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3183",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc2"
},
{
"id": "CVE-2014-3184",
"summary": "The report_fixup functions in the HID subsystem in the Linux kernel before 3.16.2 might allow physically proximate attackers to cause a denial of service (out-of-bounds write) via a crafted device that provides a small report descriptor, related to (1) drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3) drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5) drivers/hid/hid-petalynx.c, and (6) drivers/hid/hid-sunplus.c.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3184",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc2"
},
{
"id": "CVE-2014-3185",
"summary": "Multiple buffer overflows in the command_port_read_callback function in drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the Linux kernel before 3.16.2 allow physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption and system crash) via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with a bulk response.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3185",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc3"
},
{
"id": "CVE-2014-3186",
"summary": "Buffer overflow in the picolcd_raw_event function in devices/hid/hid-picolcd_core.c in the PicoLCD HID device driver in the Linux kernel through 3.16.3, as used in Android on Nexus 7 devices, allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that sends a large report.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3186",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc3"
},
{
"id": "CVE-2014-3534",
"summary": "arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a crafted application that makes a ptrace system call.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3534",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc7"
},
{
"id": "CVE-2014-3535",
"summary": "include/linux/netdevice.h in the Linux kernel before 2.6.36 incorrectly uses macros for netdev_printk and its related logging implementation, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) by sending invalid packets to a VxLAN interface.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3535",
"detail": "fixed-version",
"description": "Fixed from version 2.6.36rc1"
},
{
"id": "CVE-2014-3601",
"summary": "The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to (1) cause a denial of service (host OS memory corruption) or possibly have unspecified other impact by triggering a large gfn value or (2) cause a denial of service (host OS memory consumption) by triggering a small gfn value that leads to permanently pinned pages.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3601",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc2"
},
{
"id": "CVE-2014-3610",
"summary": "The WRMSR processing functionality in the KVM subsystem in the Linux kernel through 3.17.2 does not properly handle the writing of a non-canonical address to a model-specific register, which allows guest OS users to cause a denial of service (host OS crash) by leveraging guest OS privileges, related to the wrmsr_interception function in arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3610",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc2"
},
{
"id": "CVE-2014-3611",
"summary": "Race condition in the __kvm_migrate_pit_timer function in arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through 3.17.2 allows guest OS users to cause a denial of service (host OS crash) by leveraging incorrect PIT emulation.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3611",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc2"
},
{
"id": "CVE-2014-3631",
"summary": "The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3 does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via multiple \"keyctl newring\" operations followed by a \"keyctl timeout\" operation.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3631",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc5"
},
{
"id": "CVE-2014-3645",
"summary": "arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.12 does not have an exit handler for the INVEPT instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3645",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc1"
},
{
"id": "CVE-2014-3646",
"summary": "arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3.17.2 does not have an exit handler for the INVVPID instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.",
"scorev2": "4.7",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3646",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc2"
},
{
"id": "CVE-2014-3647",
"summary": "arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 does not properly perform RIP changes, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3647",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc2"
},
{
"id": "CVE-2014-3673",
"summary": "The SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3673",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc1"
},
{
"id": "CVE-2014-3687",
"summary": "The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c in the SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (panic) via duplicate ASCONF chunks that trigger an incorrect uncork within the side-effect interpreter.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3687",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc1"
},
{
"id": "CVE-2014-3688",
"summary": "The SCTP implementation in the Linux kernel before 3.17.4 allows remote attackers to cause a denial of service (memory consumption) by triggering a large number of chunks in an association's output queue, as demonstrated by ASCONF probes, related to net/sctp/inqueue.c and net/sctp/sm_statefuns.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3688",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc1"
},
{
"id": "CVE-2014-3690",
"summary": "arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.17.2 on Intel processors does not ensure that the value in the CR4 control register remains the same after a VM entry, which allows host OS users to kill arbitrary processes or cause a denial of service (system disruption) by leveraging /dev/kvm access, as demonstrated by PR_SET_TSC prctl calls within a modified copy of QEMU.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3690",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc1"
},
{
"id": "CVE-2014-3917",
"summary": "kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3917",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc1"
},
{
"id": "CVE-2014-3940",
"summary": "The Linux kernel through 3.14.5 does not properly consider the presence of hugetlb entries, which allows local users to cause a denial of service (memory corruption or system crash) by accessing certain memory locations, as demonstrated by triggering a race condition via numa_maps read operations during hugepage migration, related to fs/proc/task_mmu.c and mm/mempolicy.c.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3940",
"detail": "fixed-version",
"description": "Fixed from version 3.15"
},
{
"id": "CVE-2014-4014",
"summary": "The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4014",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc1"
},
{
"id": "CVE-2014-4027",
"summary": "The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from ramdisk_mcp memory by leveraging access to a SCSI initiator.",
"scorev2": "2.3",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4027",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc1"
},
{
"id": "CVE-2014-4157",
"summary": "arch/mips/include/asm/thread_info.h in the Linux kernel before 3.14.8 on the MIPS platform does not configure _TIF_SECCOMP checks on the fast system-call path, which allows local users to bypass intended PR_SET_SECCOMP restrictions by executing a crafted application without invoking a trace or audit subsystem.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4157",
"detail": "fixed-version",
"description": "Fixed from version 3.15rc1"
},
{
"id": "CVE-2014-4171",
"summary": "mm/shmem.c in the Linux kernel through 3.15.1 does not properly implement the interaction between range notification and hole punching, which allows local users to cause a denial of service (i_mutex hold) by using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4171",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc3"
},
{
"id": "CVE-2014-4322",
"summary": "drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or cause a denial of service (memory corruption) via a crafted application.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4322"
},
{
"id": "CVE-2014-4323",
"summary": "The mdp_lut_hw_update function in drivers/video/msm/mdp.c in the MDP display driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain start and length values within an ioctl call, which allows attackers to gain privileges via a crafted application.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4323"
},
{
"id": "CVE-2014-4508",
"summary": "arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4508",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc3"
},
{
"id": "CVE-2014-4608",
"summary": "Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says \"the Linux kernel is *not* affected; media hype.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4608",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc1"
},
{
"id": "CVE-2014-4611",
"summary": "Integer overflow in the LZ4 algorithm implementation, as used in Yann Collet LZ4 before r118 and in the lz4_uncompress function in lib/lz4/lz4_decompress.c in the Linux kernel before 3.15.2, on 32-bit platforms might allow context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted Literal Run that would be improperly handled by programs not complying with an API limitation, a different vulnerability than CVE-2014-4715.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4611",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc3"
},
{
"id": "CVE-2014-4652",
"summary": "Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4652",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc2"
},
{
"id": "CVE-2014-4653",
"summary": "sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4653",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc2"
},
{
"id": "CVE-2014-4654",
"summary": "The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4654",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc2"
},
{
"id": "CVE-2014-4655",
"summary": "The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4655",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc2"
},
{
"id": "CVE-2014-4656",
"summary": "Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allow local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4656",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc2"
},
{
"id": "CVE-2014-4667",
"summary": "The sctp_association_free function in net/sctp/associola.c in the Linux kernel before 3.15.2 does not properly manage a certain backlog value, which allows remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4667",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc1"
},
{
"id": "CVE-2014-4699",
"summary": "The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4699",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc4"
},
{
"id": "CVE-2014-4943",
"summary": "The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4943",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc6"
},
{
"id": "CVE-2014-5045",
"summary": "The mountpoint_last function in fs/namei.c in the Linux kernel before 3.15.8 does not properly maintain a certain reference count during attempts to use the umount system call in conjunction with a symlink, which allows local users to cause a denial of service (memory consumption or use-after-free) or possibly have unspecified other impact via the umount program.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5045",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc7"
},
{
"id": "CVE-2014-5077",
"summary": "The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel through 3.15.8, when SCTP authentication is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5077",
"detail": "fixed-version",
"description": "Fixed from version 3.16"
},
{
"id": "CVE-2014-5206",
"summary": "The do_remount function in fs/namespace.c in the Linux kernel through 3.16.1 does not maintain the MNT_LOCK_READONLY bit across a remount of a bind mount, which allows local users to bypass an intended read-only restriction and defeat certain sandbox protection mechanisms via a \"mount -o remount\" command within a user namespace.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5206",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc1"
},
{
"id": "CVE-2014-5207",
"summary": "fs/namespace.c in the Linux kernel through 3.16.1 does not properly restrict clearing MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and changing MNT_ATIME_MASK during a remount of a bind mount, which allows local users to gain privileges, interfere with backups and auditing on systems that had atime enabled, or cause a denial of service (excessive filesystem updating) on systems that had atime disabled via a \"mount -o remount\" command within a user namespace.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5207",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc1"
},
{
"id": "CVE-2014-5332",
"summary": "Race condition in NVMap in NVIDIA Tegra Linux Kernel 3.10 allows local users to gain privileges via a crafted NVMAP_IOC_CREATE IOCTL call, which triggers a use-after-free error, as demonstrated by using a race condition to escape the Chrome sandbox.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5332"
},
{
"id": "CVE-2014-5471",
"summary": "Stack consumption vulnerability in the parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (uncontrolled recursion, and system crash or reboot) via a crafted iso9660 image with a CL entry referring to a directory entry that has a CL entry.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5471",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc2"
},
{
"id": "CVE-2014-5472",
"summary": "The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (unkillable mount process) via a crafted iso9660 image with a self-referential CL entry.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5472",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc2"
},
{
"id": "CVE-2014-6410",
"summary": "The __udf_read_inode function in fs/udf/inode.c in the Linux kernel through 3.16.3 does not restrict the amount of ICB indirection, which allows physically proximate attackers to cause a denial of service (infinite loop or stack consumption) via a UDF filesystem with a crafted inode.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-6410",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc5"
},
{
"id": "CVE-2014-6416",
"summary": "Buffer overflow in net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, allows remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a long unencrypted auth ticket.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-6416",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc5"
},
{
"id": "CVE-2014-6417",
"summary": "net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, does not properly consider the possibility of kmalloc failure, which allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a long unencrypted auth ticket.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-6417",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc5"
},
{
"id": "CVE-2014-6418",
"summary": "net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, does not properly validate auth replies, which allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via crafted data from the IP address of a Ceph Monitor.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-6418",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc5"
},
{
"id": "CVE-2014-7145",
"summary": "The SMB2_tcon function in fs/cifs/smb2pdu.c in the Linux kernel before 3.16.3 allows remote CIFS servers to cause a denial of service (NULL pointer dereference and client system crash) or possibly have unspecified other impact by deleting the IPC$ share during resolution of DFS referrals.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7145",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc2"
},
{
"id": "CVE-2014-7207",
"summary": "A certain Debian patch to the IPv6 implementation in the Linux kernel 3.2.x through 3.2.63 does not properly validate arguments in ipv6_select_ident function calls, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging (1) tun or (2) macvtap device access.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7207"
},
{
"id": "CVE-2014-7283",
"summary": "The xfs_da3_fixhashpath function in fs/xfs/xfs_da_btree.c in the xfs implementation in the Linux kernel before 3.14.2 does not properly compare btree hash values, which allows local users to cause a denial of service (filesystem corruption, and OOPS or panic) via operations on directories that have hash collisions, as demonstrated by rmdir operations.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7283",
"detail": "fixed-version",
"description": "Fixed from version 3.15rc1"
},
{
"id": "CVE-2014-7284",
"summary": "The net_get_random_once implementation in net/core/utils.c in the Linux kernel 3.13.x and 3.14.x before 3.14.5 on certain Intel processors does not perform the intended slow-path operation to initialize random seeds, which makes it easier for remote attackers to spoof or disrupt IP communication by leveraging the predictability of TCP sequence numbers, TCP and UDP port numbers, and IP ID values.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7284",
"detail": "fixed-version",
"description": "Fixed from version 3.15rc7"
},
{
"id": "CVE-2014-7822",
"summary": "The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call, as demonstrated by use of a file descriptor associated with an ext4 filesystem.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7822",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc1"
},
{
"id": "CVE-2014-7825",
"summary": "kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the perf subsystem, which allows local users to cause a denial of service (out-of-bounds read and OOPS) or bypass the ASLR protection mechanism via a crafted application.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7825",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc3"
},
{
"id": "CVE-2014-7826",
"summary": "kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7826",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc3"
},
{
"id": "CVE-2014-7841",
"summary": "The sctp_process_param function in net/sctp/sm_make_chunk.c in the SCTP implementation in the Linux kernel before 3.17.4, when ASCONF is used, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via a malformed INIT chunk.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7841",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc5"
},
{
"id": "CVE-2014-7842",
"summary": "Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 allows guest OS users to cause a denial of service (guest OS crash) via a crafted application that performs an MMIO transaction or a PIO transaction to trigger a guest userspace emulation error report, a similar issue to CVE-2010-5313.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7842",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc1"
},
{
"id": "CVE-2014-7843",
"summary": "The __clear_user function in arch/arm64/lib/clear_user.S in the Linux kernel before 3.17.4 on the ARM64 platform allows local users to cause a denial of service (system crash) by reading one byte beyond a /dev/zero page boundary.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7843",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc5"
},
{
"id": "CVE-2014-7970",
"summary": "The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows local users to cause a denial of service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7970",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc1"
},
{
"id": "CVE-2014-7975",
"summary": "The do_umount function in fs/namespace.c in the Linux kernel through 3.17 does not require the CAP_SYS_ADMIN capability for do_remount_sb calls that change the root filesystem to read-only, which allows local users to cause a denial of service (loss of writability) by making certain unshare system calls, clearing the / MNT_LOCKED flag, and making an MNT_FORCE umount system call.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7975",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc1"
},
{
"id": "CVE-2014-8086",
"summary": "Race condition in the ext4_file_write_iter function in fs/ext4/file.c in the Linux kernel through 3.17 allows local users to cause a denial of service (file unavailability) via a combination of a write action and an F_SETFL fcntl operation for the O_DIRECT flag.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8086",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc3"
},
{
"id": "CVE-2014-8133",
"summary": "arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set_thread_area system call and later reads a 16-bit value.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8133",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc1"
},
{
"id": "CVE-2014-8134",
"summary": "The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value.",
"scorev2": "1.9",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8134",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc1"
},
{
"id": "CVE-2014-8159",
"summary": "The InfiniBand (IB) implementation in the Linux kernel package before 2.6.32-504.12.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly restrict use of User Verbs for registration of memory regions, which allows local users to access arbitrary physical memory locations, and consequently cause a denial of service (system crash) or gain privileges, by leveraging permissions on a uverbs device under /dev/infiniband/.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8159",
"detail": "fixed-version",
"description": "Fixed from version 4.0rc7"
},
{
"id": "CVE-2014-8160",
"summary": "net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disallowed port numbers.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8160",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc1"
},
{
"id": "CVE-2014-8171",
"summary": "The memory resource controller (aka memcg) in the Linux kernel allows local users to cause a denial of service (deadlock) by spawning new processes within a memory-constrained cgroup.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8171",
"detail": "fixed-version",
"description": "Fixed from version 3.12rc1"
},
{
"id": "CVE-2014-8172",
"summary": "The filesystem implementation in the Linux kernel before 3.13 performs certain operations on lists of files with an inappropriate locking approach, which allows local users to cause a denial of service (soft lockup or system crash) via unspecified use of Asynchronous I/O (AIO) operations.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8172",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2014-8173",
"summary": "The pmd_none_or_trans_huge_or_clear_bad function in include/asm-generic/pgtable.h in the Linux kernel before 3.13 on NUMA systems does not properly determine whether a Page Middle Directory (PMD) entry is a transparent huge-table entry, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted MADV_WILLNEED madvise system call that leverages the absence of a page-table lock.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8173",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc5"
},
{
"id": "CVE-2014-8369",
"summary": "The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.17.2 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to cause a denial of service (host OS page unpinning) or possibly have unspecified other impact by leveraging guest OS privileges. NOTE: this vulnerability exists because of an incorrect fix for CVE-2014-3601.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8369",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc2"
},
{
"id": "CVE-2014-8480",
"summary": "The instruction decoder in arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel before 3.18-rc2 lacks intended decoder-table flags for certain RIP-relative instructions, which allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a crafted application.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8480",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc2"
},
{
"id": "CVE-2014-8481",
"summary": "The instruction decoder in arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel before 3.18-rc2 does not properly handle invalid instructions, which allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a crafted application that triggers (1) an improperly fetched instruction or (2) an instruction that occupies too many bytes. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8480.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8481",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc2"
},
{
"id": "CVE-2014-8559",
"summary": "The d_walk function in fs/dcache.c in the Linux kernel through 3.17.2 does not properly maintain the semantics of rename_lock, which allows local users to cause a denial of service (deadlock and system hang) via a crafted application.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8559",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc1"
},
{
"id": "CVE-2014-8709",
"summary": "The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel before 3.13.5 does not properly maintain a certain tail pointer, which allows remote attackers to obtain sensitive cleartext information by reading packets.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8709",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc3"
},
{
"id": "CVE-2014-8884",
"summary": "Stack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_cmd function in drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel before 3.17.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via a large message length in an ioctl call.",
"scorev2": "6.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8884",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc1"
},
{
"id": "CVE-2014-8989",
"summary": "The Linux kernel through 3.17.4 does not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allows local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a \"negative groups\" issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8989",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc1"
},
{
"id": "CVE-2014-9090",
"summary": "The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel through 3.17.4 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the linux-clock-tests test suite.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9090",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc6"
},
{
"id": "CVE-2014-9322",
"summary": "arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9322",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc6"
},
{
"id": "CVE-2014-9410",
"summary": "The vfe31_proc_general function in drivers/media/video/msm/vfe/msm_vfe31.c in the MSM-VFE31 driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate a certain id value, which allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that makes a crafted ioctl call.",
"scorev2": "7.2",
"scorev3": "9.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9410"
},
{
"id": "CVE-2014-9419",
"summary": "The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9419",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc1"
},
{
"id": "CVE-2014-9420",
"summary": "The rock_continue function in fs/isofs/rock.c in the Linux kernel through 3.18.1 does not restrict the number of Rock Ridge continuation entries, which allows local users to cause a denial of service (infinite loop, and system crash or hang) via a crafted iso9660 image.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9420",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc1"
},
{
"id": "CVE-2014-9428",
"summary": "The batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N. implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash) via fragmented packets.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9428",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc3"
},
{
"id": "CVE-2014-9529",
"summary": "Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9529",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc4"
},
{
"id": "CVE-2014-9584",
"summary": "The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9584",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc3"
},
{
"id": "CVE-2014-9585",
"summary": "The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 does not properly choose memory locations for the vDSO area, which makes it easier for local users to bypass the ASLR protection mechanism by guessing a location at the end of a PMD.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9585",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc4"
},
{
"id": "CVE-2014-9644",
"summary": "The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-2013-7421.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9644",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc1"
},
{
"id": "CVE-2014-9683",
"summary": "Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9683",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc1"
},
{
"id": "CVE-2014-9710",
"summary": "The Btrfs implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time window, related to a race condition, or (2) after an xattr-replacement attempt that fails because the data does not fit.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9710",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc1"
},
{
"id": "CVE-2014-9715",
"summary": "include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5 uses an insufficiently large data type for certain extension data, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via outbound network traffic that triggers extension loading, as demonstrated by configuring a PPTP tunnel in a NAT environment.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9715",
"detail": "fixed-version",
"description": "Fixed from version 3.15rc1"
},
{
"id": "CVE-2014-9717",
"summary": "fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH umount2 system calls without verifying that the MNT_LOCKED flag is unset, which allows local users to bypass intended access restrictions and navigate to filesystem locations beneath a mount by calling umount2 within a user namespace.",
"scorev2": "3.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9717",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc1"
},
{
"id": "CVE-2014-9728",
"summary": "The UDF filesystem implementation in the Linux kernel before 3.18.2 does not validate certain lengths, which allows local users to cause a denial of service (buffer over-read and system crash) via a crafted filesystem image, related to fs/udf/inode.c and fs/udf/symlink.c.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9728",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc3"
},
{
"id": "CVE-2014-9729",
"summary": "The udf_read_inode function in fs/udf/inode.c in the Linux kernel before 3.18.2 does not ensure a certain data-structure size consistency, which allows local users to cause a denial of service (system crash) via a crafted UDF filesystem image.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9729",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc3"
},
{
"id": "CVE-2014-9730",
"summary": "The udf_pc_to_char function in fs/udf/symlink.c in the Linux kernel before 3.18.2 relies on component lengths that are unused, which allows local users to cause a denial of service (system crash) via a crafted UDF filesystem image.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9730",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc3"
},
{
"id": "CVE-2014-9731",
"summary": "The UDF filesystem implementation in the Linux kernel before 3.18.2 does not ensure that space is available for storing a symlink target's name along with a trailing \\0 character, which allows local users to obtain sensitive information via a crafted filesystem image, related to fs/udf/symlink.c and fs/udf/unicode.c.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9731",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc3"
},
{
"id": "CVE-2014-9803",
"summary": "arch/arm64/include/asm/pgtable.h in the Linux kernel before 3.15-rc5-next-20140519, as used in Android before 2016-07-05 on Nexus 5X and 6P devices, mishandles execute-only pages, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28557020.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9803",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc1"
},
{
"id": "CVE-2014-9870",
"summary": "The Linux kernel before 3.11 on ARM platforms, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly consider user-space access to the TPIDRURW register, which allows local users to gain privileges via a crafted application, aka Android internal bug 28749743 and Qualcomm internal bug CR561044.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9870",
"detail": "fixed-version",
"description": "Fixed from version 3.11rc1"
},
{
"id": "CVE-2014-9888",
"summary": "arch/arm/mm/dma-mapping.c in the Linux kernel before 3.13 on ARM platforms, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not prevent executable DMA mappings, which might allow local users to gain privileges via a crafted application, aka Android internal bug 28803642 and Qualcomm internal bug CR642735.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9888",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc1"
},
{
"id": "CVE-2014-9892",
"summary": "The snd_compr_tstamp function in sound/core/compress_offload.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly initialize a timestamp data structure, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28770164 and Qualcomm internal bug CR568717.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9892"
},
{
"id": "CVE-2014-9895",
"summary": "drivers/media/media-device.c in the Linux kernel before 3.11, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly initialize certain data structures, which allows local users to obtain sensitive information via a crafted application, aka Android internal bug 28750150 and Qualcomm internal bug CR570757, a different vulnerability than CVE-2014-1739.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9895",
"detail": "fixed-version",
"description": "Fixed from version 3.11rc1"
},
{
"id": "CVE-2014-9900",
"summary": "The ethtool_get_wol function in net/core/ethtool.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not initialize a certain data structure, which allows local users to obtain sensitive information via a crafted application, aka Android internal bug 28803952 and Qualcomm internal bug CR570754.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9900"
},
{
"id": "CVE-2014-9903",
"summary": "The sched_read_attr function in kernel/sched/core.c in the Linux kernel 3.14-rc before 3.14-rc4 uses an incorrect size, which allows local users to obtain sensitive information from kernel stack memory via a crafted sched_getattr system call.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9903",
"detail": "fixed-version",
"description": "Fixed from version 3.14rc4"
},
{
"id": "CVE-2014-9904",
"summary": "The snd_compress_check_input function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel before 3.17 does not properly check for an integer overflow, which allows local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9904",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc1"
},
{
"id": "CVE-2014-9914",
"summary": "Race condition in the ip4_datagram_release_cb function in net/ipv4/datagram.c in the Linux kernel before 3.15.2 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect expectations about locking during multithreaded access to internal data structures for IPv4 UDP sockets.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9914",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc1"
},
{
"id": "CVE-2014-9922",
"summary": "The eCryptfs subsystem in the Linux kernel before 3.18 allows local users to gain privileges via a large filesystem stack that includes an overlayfs layer, related to fs/ecryptfs/main.c and fs/overlayfs/super.c.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9922",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc2"
},
{
"id": "CVE-2014-9940",
"summary": "The regulator_ena_gpio_free function in drivers/regulator/core.c in the Linux kernel before 3.19 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted application.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9940",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc1"
},
{
"id": "CVE-2015-0239",
"summary": "The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYSENTER instruction.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0239",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc6"
},
{
"id": "CVE-2015-0274",
"summary": "The XFS implementation in the Linux kernel before 3.15 improperly uses an old size value during remote attribute replacement, which allows local users to cause a denial of service (transaction overrun and data corruption) or possibly gain privileges by leveraging XFS filesystem access.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0274",
"detail": "fixed-version",
"description": "Fixed from version 3.15rc5"
},
{
"id": "CVE-2015-0275",
"summary": "The ext4_zero_range function in fs/ext4/extents.c in the Linux kernel before 4.1 allows local users to cause a denial of service (BUG) via a crafted fallocate zero-range request.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0275",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc1"
},
{
"id": "CVE-2015-0568",
"summary": "Use-after-free vulnerability in the msm_set_crop function in drivers/media/video/msm/msm_camera.c in the MSM-Camera driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that makes a crafted ioctl call.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0568"
},
{
"id": "CVE-2015-0569",
"summary": "Heap-based buffer overflow in the private wireless extensions IOCTL implementation in wlan_hdd_wext.c in the WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via a crafted application that establishes a packet filter.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0569"
},
{
"id": "CVE-2015-0570",
"summary": "Stack-based buffer overflow in the SET_WPS_IE IOCTL implementation in wlan_hdd_hostapd.c in the WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via a crafted application that uses a long WPS IE element.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0570"
},
{
"id": "CVE-2015-0571",
"summary": "The WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not verify authorization for private SET IOCTL calls, which allows attackers to gain privileges via a crafted application, related to wlan_hdd_hostapd.c and wlan_hdd_wext.c.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0571"
},
{
"id": "CVE-2015-0572",
"summary": "Multiple race conditions in drivers/char/adsprpc.c and drivers/char/adsprpc_compat.c in the ADSPRPC driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow attackers to cause a denial of service (zero-value write) or possibly have unspecified other impact via a COMPAT_FASTRPC_IOCTL_INVOKE_FD ioctl call.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0572"
},
{
"id": "CVE-2015-0573",
"summary": "drivers/media/platform/msm/broadcast/tsc.c in the TSC driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via a crafted application that makes a TSC_GET_CARD_STATUS ioctl call.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0573"
},
{
"id": "CVE-2015-1328",
"summary": "The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1328"
},
{
"id": "CVE-2015-1333",
"summary": "Memory leak in the __key_link_end function in security/keys/keyring.c in the Linux kernel before 4.1.4 allows local users to cause a denial of service (memory consumption) via many add_key system calls that refer to existing keys.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1333",
"detail": "fixed-version",
"description": "Fixed from version 4.2rc5"
},
{
"id": "CVE-2015-1339",
"summary": "Memory leak in the cuse_channel_release function in fs/fuse/cuse.c in the Linux kernel before 4.4 allows local users to cause a denial of service (memory consumption) or possibly have unspecified other impact by opening /dev/cuse many times.",
"scorev2": "4.9",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1339",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc5"
},
{
"id": "CVE-2015-1350",
"summary": "The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allows local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1350",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc1"
},
{
"id": "CVE-2015-1420",
"summary": "Race condition in the handle_to_path function in fs/fhandle.c in the Linux kernel through 3.19.1 allows local users to bypass intended size restrictions and trigger read operations on additional memory locations by changing the handle_bytes value of a file handle during the execution of this function.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1420",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc7"
},
{
"id": "CVE-2015-1421",
"summary": "Use-after-free vulnerability in the sctp_assoc_update function in net/sctp/associola.c in the Linux kernel before 3.18.8 allows remote attackers to cause a denial of service (slab corruption and panic) or possibly have unspecified other impact by triggering an INIT collision that leads to improper handling of shared-key data.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1421",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc7"
},
{
"id": "CVE-2015-1465",
"summary": "The IPv4 implementation in the Linux kernel before 3.18.8 does not properly consider the length of the Read-Copy Update (RCU) grace period for redirecting lookups in the absence of caching, which allows remote attackers to cause a denial of service (memory consumption or system crash) via a flood of packets.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1465",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc7"
},
{
"id": "CVE-2015-1573",
"summary": "The nft_flush_table function in net/netfilter/nf_tables_api.c in the Linux kernel before 3.18.5 mishandles the interaction between cross-chain jumps and ruleset flushes, which allows local users to cause a denial of service (panic) by leveraging the CAP_NET_ADMIN capability.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1573",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc5"
},
{
"id": "CVE-2015-1593",
"summary": "The stack randomization feature in the Linux kernel before 3.19.1 on 64-bit platforms uses incorrect data types for the results of bitwise left-shift operations, which makes it easier for attackers to bypass the ASLR protection mechanism by predicting the address of the top of the stack, related to the randomize_stack_top function in fs/binfmt_elf.c and the stack_maxrandom_size function in arch/x86/mm/mmap.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1593",
"detail": "fixed-version",
"description": "Fixed from version 4.0rc1"
},
{
"id": "CVE-2015-1805",
"summary": "The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in the Linux kernel before 3.16 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an \"I/O vector array overrun.\"",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1805",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc1"
},
{
"id": "CVE-2015-2041",
"summary": "net/llc/sysctl_net_llc.c in the Linux kernel before 3.19 uses an incorrect data type in a sysctl table, which allows local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2041",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc7"
},
{
"id": "CVE-2015-2042",
"summary": "net/rds/sysctl.c in the Linux kernel before 3.19 uses an incorrect data type in a sysctl table, which allows local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2042",
"detail": "fixed-version",
"description": "Fixed from version 3.19"
},
{
"id": "CVE-2015-2150",
"summary": "Xen 3.3.x through 4.5.x and the Linux kernel through 3.19.1 do not properly restrict access to PCI command registers, which might allow local guest OS users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2150",
"detail": "fixed-version",
"description": "Fixed from version 4.0rc4"
},
{
"id": "CVE-2015-2666",
"summary": "Stack-based buffer overflow in the get_matching_model_microcode function in arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for write access to the initrd.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2666",
"detail": "fixed-version",
"description": "Fixed from version 4.0rc1"
},
{
"id": "CVE-2015-2672",
"summary": "The xsave/xrstor implementation in arch/x86/include/asm/xsave.h in the Linux kernel before 3.19.2 creates certain .altinstr_replacement pointers and consequently does not provide any protection against instruction faulting, which allows local users to cause a denial of service (panic) by triggering a fault, as demonstrated by an unaligned memory operand or a non-canonical address memory operand.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2672",
"detail": "fixed-version",
"description": "Fixed from version 4.0rc3"
},
{
"id": "CVE-2015-2686",
"summary": "net/socket.c in the Linux kernel 3.19 before 3.19.3 does not validate certain range data for (1) sendto and (2) recvfrom system calls, which allows local users to gain privileges by leveraging a subsystem that uses the copy_from_iter function in the iov_iter interface, as demonstrated by the Bluetooth subsystem.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2686",
"detail": "fixed-version",
"description": "Fixed from version 4.0rc6"
},
{
"id": "CVE-2015-2830",
"summary": "arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrated by an attack against seccomp before 3.16.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2830",
"detail": "fixed-version",
"description": "Fixed from version 4.0rc3"
},
{
"id": "CVE-2015-2877",
"summary": "Kernel Samepage Merging (KSM) in the Linux kernel 2.6.32 through 4.x does not prevent use of a write-timing side channel, which allows guest OS users to defeat the ASLR protection mechanism on other guest OS instances via a Cross-VM ASL INtrospection (CAIN) attack. NOTE: the vendor states \"Basically if you care about this attack vector, disable deduplication.\" Share-until-written approaches for memory conservation among mutually untrusting tenants are inherently detectable for information disclosure, and can be classified as potentially misunderstood behaviors rather than vulnerabilities",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2877"
},
{
"id": "CVE-2015-2922",
"summary": "The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2922",
"detail": "fixed-version",
"description": "Fixed from version 4.0rc7"
},
{
"id": "CVE-2015-2925",
"summary": "The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a \"double-chroot attack.\"",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2925",
"detail": "fixed-version",
"description": "Fixed from version 4.3rc1"
},
{
"id": "CVE-2015-3212",
"summary": "Race condition in net/sctp/socket.c in the Linux kernel before 4.1.2 allows local users to cause a denial of service (list corruption and panic) via a rapid series of system calls related to sockets, as demonstrated by setsockopt calls.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3212",
"detail": "fixed-version",
"description": "Fixed from version 4.2rc1"
},
{
"id": "CVE-2015-3214",
"summary": "The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3214",
"detail": "fixed-version",
"description": "Fixed from version 2.6.33rc8"
},
{
"id": "CVE-2015-3288",
"summary": "mm/memory.c in the Linux kernel before 4.1.4 mishandles anonymous pages, which allows local users to gain privileges or cause a denial of service (page tainting) via a crafted application that triggers writing to page zero.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3288",
"detail": "fixed-version",
"description": "Fixed from version 4.2rc2"
},
{
"id": "CVE-2015-3290",
"summary": "arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform improperly relies on espfix64 during nested NMI processing, which allows local users to gain privileges by triggering an NMI within a certain instruction window.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3290",
"detail": "fixed-version",
"description": "Fixed from version 4.2rc3"
},
{
"id": "CVE-2015-3291",
"summary": "arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform does not properly determine when nested NMI processing is occurring, which allows local users to cause a denial of service (skipped NMI) by modifying the rsp register, issuing a syscall instruction, and triggering an NMI.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3291",
"detail": "fixed-version",
"description": "Fixed from version 4.2rc3"
},
{
"id": "CVE-2015-3331",
"summary": "The __driver_rfc4106_decrypt function in arch/x86/crypto/aesni-intel_glue.c in the Linux kernel before 3.19.3 does not properly determine the memory locations used for encrypted data, which allows context-dependent attackers to cause a denial of service (buffer overflow and system crash) or possibly execute arbitrary code by triggering a crypto API call, as demonstrated by use of a libkcapi test program with an AF_ALG(aead) socket.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3331",
"detail": "fixed-version",
"description": "Fixed from version 4.0rc5"
},
{
"id": "CVE-2015-3332",
"summary": "A certain backport in the TCP Fast Open implementation for the Linux kernel before 3.18 does not properly maintain a count value, which allow local users to cause a denial of service (system crash) via the Fast Open feature, as demonstrated by visiting the chrome://flags/#enable-tcp-fast-open URL when using certain 3.10.x through 3.16.x kernel builds, including longterm-maintenance releases and ckt (aka Canonical Kernel Team) builds.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3332"
},
{
"id": "CVE-2015-3339",
"summary": "Race condition in the prepare_binprm function in fs/exec.c in the Linux kernel before 3.19.6 allows local users to gain privileges by executing a setuid program at a time instant when a chown to root is in progress, and the ownership is changed but the setuid bit is not yet stripped.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3339",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc1"
},
{
"id": "CVE-2015-3636",
"summary": "The ping_unhash function in net/ipv4/ping.c in the Linux kernel before 4.0.3 does not initialize a certain list data structure during an unhash operation, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) by leveraging the ability to make a SOCK_DGRAM socket system call for the IPPROTO_ICMP or IPPROTO_ICMPV6 protocol, and then making a connect system call after a disconnect.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3636",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc2"
},
{
"id": "CVE-2015-4001",
"summary": "Integer signedness error in the oz_hcd_get_desc_cnf function in drivers/staging/ozwpan/ozhcd.c in the OZWPAN driver in the Linux kernel through 4.0.5 allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted packet.",
"scorev2": "9.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4001",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc7"
},
{
"id": "CVE-2015-4002",
"summary": "drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux kernel through 4.0.5 does not ensure that certain length values are sufficiently large, which allows remote attackers to cause a denial of service (system crash or large loop) or possibly execute arbitrary code via a crafted packet, related to the (1) oz_usb_rx and (2) oz_usb_handle_ep_data functions.",
"scorev2": "9.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4002",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc7"
},
{
"id": "CVE-2015-4003",
"summary": "The oz_usb_handle_ep_data function in drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux kernel through 4.0.5 allows remote attackers to cause a denial of service (divide-by-zero error and system crash) via a crafted packet.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4003",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc7"
},
{
"id": "CVE-2015-4004",
"summary": "The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untrusted length field during packet parsing, which allows remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via a crafted packet.",
"scorev2": "8.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4004",
"detail": "fixed-version",
"description": "Fixed from version 4.3rc1"
},
{
"id": "CVE-2015-4036",
"summary": "Array index error in the tcm_vhost_make_tpg function in drivers/vhost/scsi.c in the Linux kernel before 4.0 might allow guest OS users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted VHOST_SCSI_SET_ENDPOINT ioctl call. NOTE: the affected function was renamed to vhost_scsi_make_tpg before the vulnerability was announced.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4036",
"detail": "fixed-version",
"description": "Fixed from version 4.0rc1"
},
{
"id": "CVE-2015-4167",
"summary": "The udf_read_inode function in fs/udf/inode.c in the Linux kernel before 3.19.1 does not validate certain length values, which allows local users to cause a denial of service (incorrect data representation or integer overflow, and OOPS) via a crafted UDF filesystem.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4167",
"detail": "fixed-version",
"description": "Fixed from version 4.0rc1"
},
{
"id": "CVE-2015-4170",
"summary": "Race condition in the ldsem_cmpxchg function in drivers/tty/tty_ldsem.c in the Linux kernel before 3.13-rc4-next-20131218 allows local users to cause a denial of service (ldsem_down_read and ldsem_down_write deadlock) by establishing a new tty thread during shutdown of a previous tty thread.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4170",
"detail": "fixed-version",
"description": "Fixed from version 3.13rc5"
},
{
"id": "CVE-2015-4176",
"summary": "fs/namespace.c in the Linux kernel before 4.0.2 does not properly support mount connectivity, which allows local users to read arbitrary files by leveraging user-namespace root access for deletion of a file or directory.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4176",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc1"
},
{
"id": "CVE-2015-4177",
"summary": "The collect_mounts function in fs/namespace.c in the Linux kernel before 4.0.5 does not properly consider that it may execute after a path has been unmounted, which allows local users to cause a denial of service (system crash) by leveraging user-namespace root access for an MNT_DETACH umount2 system call.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4177",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc1"
},
{
"id": "CVE-2015-4178",
"summary": "The fs_pin implementation in the Linux kernel before 4.0.5 does not ensure the internal consistency of a certain list data structure, which allows local users to cause a denial of service (system crash) by leveraging user-namespace root access for an MNT_DETACH umount2 system call, related to fs/fs_pin.c and include/linux/fs_pin.h.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4178",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc1"
},
{
"id": "CVE-2015-4692",
"summary": "The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4692",
"detail": "fixed-version",
"description": "Fixed from version 4.2rc1"
},
{
"id": "CVE-2015-4700",
"summary": "The bpf_int_jit_compile function in arch/x86/net/bpf_jit_comp.c in the Linux kernel before 4.0.6 allows local users to cause a denial of service (system crash) by creating a packet filter and then loading crafted BPF instructions that trigger late convergence by the JIT compiler.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4700",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc6"
},
{
"id": "CVE-2015-5156",
"summary": "The virtnet_probe function in drivers/net/virtio_net.c in the Linux kernel before 4.2 attempts to support a FRAGLIST feature without proper memory allocation, which allows guest OS users to cause a denial of service (buffer overflow and memory corruption) via a crafted sequence of fragmented packets.",
"scorev2": "6.1",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5156",
"detail": "fixed-version",
"description": "Fixed from version 4.2rc7"
},
{
"id": "CVE-2015-5157",
"summary": "arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform mishandles IRET faults in processing NMIs that occurred during userspace execution, which might allow local users to gain privileges by triggering an NMI.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5157",
"detail": "fixed-version",
"description": "Fixed from version 4.2rc3"
},
{
"id": "CVE-2015-5257",
"summary": "drivers/usb/serial/whiteheat.c in the Linux kernel before 4.2.4 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted USB device. NOTE: this ID was incorrectly used for an Apache Cordova issue that has the correct ID of CVE-2015-8320.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5257",
"detail": "fixed-version",
"description": "Fixed from version 4.3rc3"
},
{
"id": "CVE-2015-5283",
"summary": "The sctp_init function in net/sctp/protocol.c in the Linux kernel before 4.2.3 has an incorrect sequence of protocol-initialization steps, which allows local users to cause a denial of service (panic or memory corruption) by creating SCTP sockets before all of the steps have finished.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5283",
"detail": "fixed-version",
"description": "Fixed from version 4.3rc3"
},
{
"id": "CVE-2015-5307",
"summary": "The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5307",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc1"
},
{
"id": "CVE-2015-5327",
"summary": "Out-of-bounds memory read in the x509_decode_time function in x509_cert_parser.c in Linux kernels 4.3-rc1 and after.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5327",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc1"
},
{
"id": "CVE-2015-5364",
"summary": "The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel before 4.0.6 do not properly consider yielding a processor, which allows remote attackers to cause a denial of service (system hang) via incorrect checksums within a UDP packet flood.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5364",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc7"
},
{
"id": "CVE-2015-5366",
"summary": "The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel before 4.0.6 provide inappropriate -EAGAIN return values, which allows remote attackers to cause a denial of service (EPOLLET epoll application read outage) via an incorrect checksum in a UDP packet, a different vulnerability than CVE-2015-5364.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5366",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc7"
},
{
"id": "CVE-2015-5697",
"summary": "The get_bitmap_file function in drivers/md/md.c in the Linux kernel before 4.1.6 does not initialize a certain bitmap data structure, which allows local users to obtain sensitive information from kernel memory via a GET_BITMAP_FILE ioctl call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5697",
"detail": "fixed-version",
"description": "Fixed from version 4.2rc6"
},
{
"id": "CVE-2015-5706",
"summary": "Use-after-free vulnerability in the path_openat function in fs/namei.c in the Linux kernel 3.x and 4.x before 4.0.4 allows local users to cause a denial of service or possibly have unspecified other impact via O_TMPFILE filesystem operations that leverage a duplicate cleanup operation.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5706",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc3"
},
{
"id": "CVE-2015-5707",
"summary": "Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel 2.6.x through 4.x before 4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5707",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc1"
},
{
"id": "CVE-2015-6252",
"summary": "The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux kernel before 4.1.5 allows local users to cause a denial of service (memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers permanent file-descriptor allocation.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6252",
"detail": "fixed-version",
"description": "Fixed from version 4.2rc5"
},
{
"id": "CVE-2015-6526",
"summary": "The perf_callchain_user_64 function in arch/powerpc/perf/callchain.c in the Linux kernel before 4.0.2 on ppc64 platforms allows local users to cause a denial of service (infinite loop) via a deep 64-bit userspace backtrace.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6526",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc1"
},
{
"id": "CVE-2015-6937",
"summary": "The __rds_conn_create function in net/rds/connection.c in the Linux kernel through 4.2.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6937",
"detail": "fixed-version",
"description": "Fixed from version 4.3rc1"
},
{
"id": "CVE-2015-7312",
"summary": "Multiple race conditions in the Advanced Union Filesystem (aufs) aufs3-mmap.patch and aufs4-mmap.patch patches for the Linux kernel 3.x and 4.x allow local users to cause a denial of service (use-after-free and BUG) or possibly gain privileges via a (1) madvise or (2) msync system call, related to mm/madvise.c and mm/msync.c.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7312"
},
{
"id": "CVE-2015-7509",
"summary": "fs/ext4/namei.c in the Linux kernel before 3.7 allows physically proximate attackers to cause a denial of service (system crash) via a crafted no-journal filesystem, a related issue to CVE-2013-2015.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7509",
"detail": "fixed-version",
"description": "Fixed from version 3.7rc1"
},
{
"id": "CVE-2015-7513",
"summary": "arch/x86/kvm/x86.c in the Linux kernel before 4.4 does not reset the PIT counter values during state restoration, which allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via a zero value, related to the kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7513",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc7"
},
{
"id": "CVE-2015-7515",
"summary": "The aiptek_probe function in drivers/input/tablet/aiptek.c in the Linux kernel before 4.4 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device that lacks endpoints.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7515",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc6"
},
{
"id": "CVE-2015-7550",
"summary": "The keyctl_read_key function in security/keys/keyctl.c in the Linux kernel before 4.3.4 does not properly use a semaphore, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted application that leverages a race condition between keyctl_revoke and keyctl_read calls.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7550",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc8"
},
{
"id": "CVE-2015-7566",
"summary": "The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel through 4.4.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7566",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc2"
},
{
"id": "CVE-2015-7613",
"summary": "Race condition in the IPC object implementation in the Linux kernel through 4.2.3 allows local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7613",
"detail": "fixed-version",
"description": "Fixed from version 4.3rc4"
},
{
"id": "CVE-2015-7799",
"summary": "The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel through 4.2.3 does not ensure that certain slot numbers are valid, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7799",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc1"
},
{
"id": "CVE-2015-7833",
"summary": "The usbvision driver in the Linux kernel package 3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red Hat Enterprise Linux (RHEL) 7.1 allows physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7833",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc6"
},
{
"id": "CVE-2015-7872",
"summary": "The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 4.2.6 allows local users to cause a denial of service (OOPS) via crafted keyctl commands.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7872",
"detail": "fixed-version",
"description": "Fixed from version 4.3rc7"
},
{
"id": "CVE-2015-7884",
"summary": "The vivid_fb_ioctl function in drivers/media/platform/vivid/vivid-osd.c in the Linux kernel through 4.3.3 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a crafted application.",
"scorev2": "1.9",
"scorev3": "2.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7884",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc1"
},
{
"id": "CVE-2015-7885",
"summary": "The dgnc_mgmt_ioctl function in drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel through 4.3.3 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a crafted application.",
"scorev2": "2.1",
"scorev3": "2.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7885",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc1"
},
{
"id": "CVE-2015-7990",
"summary": "Race condition in the rds_sendmsg function in net/rds/sendmsg.c in the Linux kernel before 4.3.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6937.",
"scorev2": "5.9",
"scorev3": "5.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7990",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc4"
},
{
"id": "CVE-2015-8019",
"summary": "The skb_copy_and_csum_datagram_iovec function in net/core/datagram.c in the Linux kernel 3.14.54 and 3.18.22 does not accept a length argument, which allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a write system call followed by a recvmsg system call.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8019"
},
{
"id": "CVE-2015-8104",
"summary": "The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8104",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc1"
},
{
"id": "CVE-2015-8215",
"summary": "net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel before 4.0 does not validate attempted changes to the MTU value, which allows context-dependent attackers to cause a denial of service (packet loss) via a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface, as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different vulnerability than CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is limited to the NetworkManager product.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8215",
"detail": "fixed-version",
"description": "Fixed from version 4.0rc3"
},
{
"id": "CVE-2015-8324",
"summary": "The ext4 implementation in the Linux kernel before 2.6.34 does not properly track the initialization of certain data structures, which allows physically proximate attackers to cause a denial of service (NULL pointer dereference and panic) via a crafted USB device, related to the ext4_fill_super function.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8324",
"detail": "fixed-version",
"description": "Fixed from version 2.6.34rc1"
},
{
"id": "CVE-2015-8374",
"summary": "fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles compressed inline extents, which allows local users to obtain sensitive pre-truncation information from a file via a clone action.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8374",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc1"
},
{
"id": "CVE-2015-8539",
"summary": "The KEYS subsystem in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (BUG) via crafted keyctl commands that negatively instantiate a key, related to security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and security/keys/user_defined.c.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8539",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc3"
},
{
"id": "CVE-2015-8543",
"summary": "The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products, does not validate protocol identifiers for certain protocol families, which allows local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8543",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc6"
},
{
"id": "CVE-2015-8550",
"summary": "Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability.",
"scorev2": "5.7",
"scorev3": "8.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8550",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc6"
},
{
"id": "CVE-2015-8551",
"summary": "The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to hit BUG conditions and cause a denial of service (NULL pointer dereference and host OS crash) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and a crafted sequence of XEN_PCI_OP_* operations, aka \"Linux pciback missing sanity checks.\"",
"scorev2": "4.7",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8551",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc6"
},
{
"id": "CVE-2015-8552",
"summary": "The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka \"Linux pciback missing sanity checks.\"",
"scorev2": "1.7",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8552",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc6"
},
{
"id": "CVE-2015-8553",
"summary": "Xen allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory by not enabling memory and I/O decoding control bits. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0777.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8553",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc6"
},
{
"id": "CVE-2015-8569",
"summary": "The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel through 4.3.3 do not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application.",
"scorev2": "1.9",
"scorev3": "2.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8569",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc6"
},
{
"id": "CVE-2015-8575",
"summary": "The sco_sock_bind function in net/bluetooth/sco.c in the Linux kernel before 4.3.4 does not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8575",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc6"
},
{
"id": "CVE-2015-8660",
"summary": "The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8660",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc4"
},
{
"id": "CVE-2015-8709",
"summary": "kernel/ptrace.c in the Linux kernel through 4.4.1 mishandles uid and gid mappings, which allows local users to gain privileges by establishing a user namespace, waiting for a root process to enter that namespace with an unsafe uid or gid, and then using the ptrace system call. NOTE: the vendor states \"there is no kernel bug here.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8709",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc1"
},
{
"id": "CVE-2015-8746",
"summary": "fs/nfs/nfs4proc.c in the NFS client in the Linux kernel before 4.2.2 does not properly initialize memory for migration recovery operations, which allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) via crafted network traffic.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8746",
"detail": "fixed-version",
"description": "Fixed from version 4.3rc1"
},
{
"id": "CVE-2015-8767",
"summary": "net/sctp/sm_sideeffect.c in the Linux kernel before 4.3 does not properly manage the relationship between a lock and a socket, which allows local users to cause a denial of service (deadlock) via a crafted sctp_accept call.",
"scorev2": "4.9",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8767",
"detail": "fixed-version",
"description": "Fixed from version 4.3rc4"
},
{
"id": "CVE-2015-8785",
"summary": "The fuse_fill_write_pages function in fs/fuse/file.c in the Linux kernel before 4.4 allows local users to cause a denial of service (infinite loop) via a writev system call that triggers a zero length for the first segment of an iov.",
"scorev2": "4.9",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8785",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc5"
},
{
"id": "CVE-2015-8787",
"summary": "The nf_nat_redirect_ipv4 function in net/netfilter/nf_nat_redirect.c in the Linux kernel before 4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by sending certain IPv4 packets to an incompletely configured interface, a related issue to CVE-2003-1604.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8787",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc1"
},
{
"id": "CVE-2015-8812",
"summary": "drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 does not properly identify error conditions, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted packets.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8812",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2015-8816",
"summary": "The hub_activate function in drivers/usb/core/hub.c in the Linux kernel before 4.3.5 does not properly maintain a hub-interface data structure, which allows physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device.",
"scorev2": "7.2",
"scorev3": "6.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8816",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc6"
},
{
"id": "CVE-2015-8830",
"summary": "Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8830",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc1"
},
{
"id": "CVE-2015-8839",
"summary": "Multiple race conditions in the ext4 filesystem implementation in the Linux kernel before 4.5 allow local users to cause a denial of service (disk corruption) by writing to a page that is associated with a different user's file after unsynchronized hole punching and page-fault handling.",
"scorev2": "1.9",
"scorev3": "5.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8839",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2015-8844",
"summary": "The signal implementation in the Linux kernel before 4.3.5 on powerpc platforms does not check for an MSR with both the S and T bits set, which allows local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application.",
"scorev2": "4.7",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8844",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc3"
},
{
"id": "CVE-2015-8845",
"summary": "The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the Linux kernel before 4.4.1 on powerpc platforms does not ensure that TM suspend mode exists before proceeding with a tm_reclaim call, which allows local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8845",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc3"
},
{
"id": "CVE-2015-8944",
"summary": "The ioresources_init function in kernel/resource.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 6 and 7 (2013) devices, uses weak permissions for /proc/iomem, which allows local users to obtain sensitive information by reading this file, aka Android internal bug 28814213 and Qualcomm internal bug CR786116. NOTE: the permissions may be intentional in most non-Android contexts.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8944"
},
{
"id": "CVE-2015-8950",
"summary": "arch/arm64/mm/dma-mapping.c in the Linux kernel before 4.0.3, as used in the ION subsystem in Android and other products, does not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory by triggering a dma_mmap call.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8950",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc2"
},
{
"id": "CVE-2015-8952",
"summary": "The mbcache feature in the ext2 and ext4 filesystem implementations in the Linux kernel before 4.6 mishandles xattr block caching, which allows local users to cause a denial of service (soft lockup) via filesystem operations in environments that use many attributes, as demonstrated by Ceph and Samba.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8952",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2015-8953",
"summary": "fs/overlayfs/copy_up.c in the Linux kernel before 4.2.6 uses an incorrect cleanup code path, which allows local users to cause a denial of service (dentry reference leak) via filesystem operations on a large file in a lower overlayfs layer.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8953",
"detail": "fixed-version",
"description": "Fixed from version 4.3"
},
{
"id": "CVE-2015-8955",
"summary": "arch/arm64/kernel/perf_event.c in the Linux kernel before 4.1 on arm64 platforms allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via vectors involving events that are mishandled during a span of multiple HW PMUs.",
"scorev2": "6.9",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8955",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc1"
},
{
"id": "CVE-2015-8956",
"summary": "The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket.",
"scorev2": "3.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8956",
"detail": "fixed-version",
"description": "Fixed from version 4.2rc1"
},
{
"id": "CVE-2015-8961",
"summary": "The __ext4_journal_stop function in fs/ext4/ext4_jbd2.c in the Linux kernel before 4.3.3 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging improper access to a certain error field.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8961",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc1"
},
{
"id": "CVE-2015-8962",
"summary": "Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call.",
"scorev2": "9.3",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8962",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc1"
},
{
"id": "CVE-2015-8963",
"summary": "Race condition in kernel/events/core.c in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect handling of an swevent data structure during a CPU unplug operation.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8963",
"detail": "fixed-version",
"description": "Fixed from version 4.4"
},
{
"id": "CVE-2015-8964",
"summary": "The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel before 4.5 allows local users to obtain sensitive information from kernel memory by reading a tty data structure.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8964",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2015-8966",
"summary": "arch/arm/kernel/sys_oabi-compat.c in the Linux kernel before 4.4 allows local users to gain privileges via a crafted (1) F_OFD_GETLK, (2) F_OFD_SETLK, or (3) F_OFD_SETLKW command in an fcntl64 system call.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8966",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc8"
},
{
"id": "CVE-2015-8967",
"summary": "arch/arm64/kernel/sys.c in the Linux kernel before 4.0 allows local users to bypass the \"strict page permissions\" protection mechanism and modify the system-call table, and consequently gain privileges, by leveraging write access.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8967",
"detail": "fixed-version",
"description": "Fixed from version 4.0rc1"
},
{
"id": "CVE-2015-8970",
"summary": "crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not verify that a setkey operation has been performed on an AF_ALG socket before an accept system call is processed, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted application that does not supply a key, related to the lrw_crypt function in crypto/lrw.c.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8970",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2015-9004",
"summary": "kernel/events/core.c in the Linux kernel before 3.19 mishandles counter grouping, which allows local users to gain privileges via a crafted application, related to the perf_pmu_register and perf_event_open functions.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9004",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc7"
},
{
"id": "CVE-2015-9016",
"summary": "In blk_mq_tag_to_rq in blk-mq.c in the upstream kernel, there is a possible use after free due to a race condition when a request has been previously freed by blk_mq_complete_request. This could lead to local escalation of privilege. Product: Android. Versions: Android kernel. Android ID: A-63083046.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9016",
"detail": "fixed-version",
"description": "Fixed from version 4.3rc1"
},
{
"id": "CVE-2015-9289",
"summary": "In the Linux kernel before 4.1.4, a buffer overflow occurs when checking userspace params in drivers/media/dvb-frontends/cx24116.c. The maximum size for a DiSEqC command is 6, according to the userspace API. However, the code allows larger values such as 23.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9289",
"detail": "fixed-version",
"description": "Fixed from version 4.2rc1"
},
{
"id": "CVE-2016-0617",
"summary": "Unspecified vulnerability in the kernel-uek component in Oracle Linux 6 allows local users to affect availability via unknown vectors.",
"scorev2": "4.6",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0617",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2016-0723",
"summary": "Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel through 4.4.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call.",
"scorev2": "5.6",
"scorev3": "6.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0723",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc2"
},
{
"id": "CVE-2016-0728",
"summary": "The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0728",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2016-0758",
"summary": "Integer overflow in lib/asn1_decoder.c in the Linux kernel before 4.6 allows local users to gain privileges via crafted ASN.1 data.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0758",
"detail": "fixed-version",
"description": "Fixed from version 4.6"
},
{
"id": "CVE-2016-0774",
"summary": "The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in a certain Linux kernel backport in the linux package before 3.2.73-2+deb7u3 on Debian wheezy and the kernel package before 3.10.0-229.26.2 on Red Hat Enterprise Linux (RHEL) 7.1 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an \"I/O vector array overrun.\" NOTE: this vulnerability exists because of an incorrect fix for CVE-2015-1805.",
"scorev2": "5.6",
"scorev3": "6.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0774",
"detail": "ignored",
"description": "result of incomplete backport"
},
{
"id": "CVE-2016-0821",
"summary": "The LIST_POISON feature in include/linux/poison.h in the Linux kernel before 4.3, as used in Android 6.0.1 before 2016-03-01, does not properly consider the relationship to the mmap_min_addr value, which makes it easier for attackers to bypass a poison-pointer protection mechanism by triggering the use of an uninitialized list entry, aka Android internal bug 26186802, a different vulnerability than CVE-2015-3636.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0821",
"detail": "fixed-version",
"description": "Fixed from version 4.3rc1"
},
{
"id": "CVE-2016-0823",
"summary": "The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel before 3.19.3, as used in Android 6.0.1 before 2016-03-01, allows local users to obtain sensitive physical-address information by reading a pagemap file, aka Android internal bug 25739721.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0823",
"detail": "fixed-version",
"description": "Fixed from version 4.0rc5"
},
{
"id": "CVE-2016-10044",
"summary": "The aio_mount function in fs/aio.c in the Linux kernel before 4.7.7 does not properly restrict execute access, which makes it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10044",
"detail": "fixed-version",
"description": "Fixed from version 4.8rc7"
},
{
"id": "CVE-2016-10088",
"summary": "The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10088",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc1"
},
{
"id": "CVE-2016-10147",
"summary": "crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as demonstrated by mcryptd(md5).",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10147",
"detail": "fixed-version",
"description": "Fixed from version 4.9"
},
{
"id": "CVE-2016-10150",
"summary": "Use-after-free vulnerability in the kvm_ioctl_create_device function in virt/kvm/kvm_main.c in the Linux kernel before 4.8.13 allows host OS users to cause a denial of service (host OS crash) or possibly gain privileges via crafted ioctl calls on the /dev/kvm device.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10150",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc8"
},
{
"id": "CVE-2016-10153",
"summary": "The crypto scatterlist API in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging reliance on earlier net/ceph/crypto.c code.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10153",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc1"
},
{
"id": "CVE-2016-10154",
"summary": "The smbhash function in fs/cifs/smbencrypt.c in the Linux kernel 4.9.x before 4.9.1 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a scatterlist.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10154",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc1"
},
{
"id": "CVE-2016-10200",
"summary": "Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10200",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc7"
},
{
"id": "CVE-2016-10208",
"summary": "The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly validate meta block groups, which allows physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image.",
"scorev2": "4.9",
"scorev3": "4.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10208",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc1"
},
{
"id": "CVE-2016-10229",
"summary": "udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10229",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2016-10277",
"summary": "An elevation of privilege vulnerability in the Motorola bootloader could enable a local malicious application to execute arbitrary code within the context of the bootloader. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33840490.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10277"
},
{
"id": "CVE-2016-10283",
"summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32094986. References: QC-CR#2002052.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10283"
},
{
"id": "CVE-2016-10284",
"summary": "An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32402303. References: QC-CR#2000664.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10284"
},
{
"id": "CVE-2016-10285",
"summary": "An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33752702. References: QC-CR#1104899.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10285"
},
{
"id": "CVE-2016-10286",
"summary": "An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-35400904. References: QC-CR#1090237.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10286"
},
{
"id": "CVE-2016-10287",
"summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33784446. References: QC-CR#1112751.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10287"
},
{
"id": "CVE-2016-10288",
"summary": "An elevation of privilege vulnerability in the Qualcomm LED driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33863909. References: QC-CR#1109763.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10288"
},
{
"id": "CVE-2016-10289",
"summary": "An elevation of privilege vulnerability in the Qualcomm crypto driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33899710. References: QC-CR#1116295.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10289"
},
{
"id": "CVE-2016-10290",
"summary": "An elevation of privilege vulnerability in the Qualcomm shared memory driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33898330. References: QC-CR#1109782.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10290"
},
{
"id": "CVE-2016-10291",
"summary": "An elevation of privilege vulnerability in the Qualcomm Slimbus driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-34030871. References: QC-CR#986837.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10291"
},
{
"id": "CVE-2016-10292",
"summary": "A denial of service vulnerability in the Qualcomm Wi-Fi driver could enable a proximate attacker to cause a denial of service in the Wi-Fi subsystem. This issue is rated as High due to the possibility of remote denial of service. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34514463. References: QC-CR#1065466.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10292"
},
{
"id": "CVE-2016-10293",
"summary": "An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-33352393. References: QC-CR#1101943.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10293"
},
{
"id": "CVE-2016-10294",
"summary": "An information disclosure vulnerability in the Qualcomm power driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33621829. References: QC-CR#1105481.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10294"
},
{
"id": "CVE-2016-10295",
"summary": "An information disclosure vulnerability in the Qualcomm LED driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33781694. References: QC-CR#1109326.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10295"
},
{
"id": "CVE-2016-10296",
"summary": "An information disclosure vulnerability in the Qualcomm shared memory driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33845464. References: QC-CR#1109782.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10296"
},
{
"id": "CVE-2016-10318",
"summary": "A missing authorization check in the fscrypt_process_policy function in fs/crypto/policy.c in the ext4 and f2fs filesystem encryption support in the Linux kernel before 4.7.4 allows a user to assign an encryption policy to a directory owned by a different user, potentially creating a denial of service.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10318",
"detail": "fixed-version",
"description": "Fixed from version 4.8rc6"
},
{
"id": "CVE-2016-10723",
"summary": "An issue was discovered in the Linux kernel through 4.17.2. Since the page allocator does not yield CPU resources to the owner of the oom_lock mutex, a local unprivileged user can trivially lock up the system forever by wasting CPU resources from the page allocator (e.g., via concurrent page fault events) when the global OOM killer is invoked. NOTE: the software maintainer has not accepted certain proposed patches, in part because of a viewpoint that \"the underlying problem is non-trivial to handle.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10723",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2016-10741",
"summary": "In the Linux kernel before 4.9.3, fs/xfs/xfs_aops.c allows local users to cause a denial of service (system crash) because there is a race condition between direct and memory-mapped I/O (associated with a hole) that is handled with BUG_ON instead of an I/O failure.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10741",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc1"
},
{
"id": "CVE-2016-10764",
"summary": "In the Linux kernel before 4.9.6, there is an off by one in the drivers/mtd/spi-nor/cadence-quadspi.c cqspi_setup_flash() function. There are CQSPI_MAX_CHIPSELECT elements in the ->f_pdata array so the \">\" should be \">=\" instead.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10764",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc1"
},
{
"id": "CVE-2016-10905",
"summary": "An issue was discovered in fs/gfs2/rgrp.c in the Linux kernel before 4.8. A use-after-free is caused by the functions gfs2_clear_rgrpd and read_rindex_entry.",
"scorev2": "6.1",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10905",
"detail": "fixed-version",
"description": "Fixed from version 4.8rc1"
},
{
"id": "CVE-2016-10906",
"summary": "An issue was discovered in drivers/net/ethernet/arc/emac_main.c in the Linux kernel before 4.5. A use-after-free is caused by a race condition between the functions arc_emac_tx and arc_emac_tx_clean.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10906",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc6"
},
{
"id": "CVE-2016-10907",
"summary": "An issue was discovered in drivers/iio/dac/ad5755.c in the Linux kernel before 4.8.6. There is an out of bounds write in the function ad5755_parse_dt.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10907",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc1"
},
{
"id": "CVE-2016-1237",
"summary": "nfsd in the Linux kernel through 4.6.3 allows local users to bypass intended file-permission restrictions by setting a POSIX ACL, related to nfs2acl.c, nfs3acl.c, and nfs4acl.c.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1237",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc5"
},
{
"id": "CVE-2016-1575",
"summary": "The overlayfs implementation in the Linux kernel through 4.5.2 does not properly maintain POSIX ACL xattr data, which allows local users to gain privileges by leveraging a group-writable setgid directory.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1575",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2016-1576",
"summary": "The overlayfs implementation in the Linux kernel through 4.5.2 does not properly restrict the mount namespace, which allows local users to gain privileges by mounting an overlayfs filesystem on top of a FUSE filesystem, and then executing a crafted setuid program.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1576",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2016-1583",
"summary": "The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1583",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc3"
},
{
"id": "CVE-2016-2053",
"summary": "The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel before 4.3 allows attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2053",
"detail": "fixed-version",
"description": "Fixed from version 4.3rc1"
},
{
"id": "CVE-2016-2059",
"summary": "The msm_ipc_router_bind_control_port function in net/ipc_router/ipc_router_core.c in the IPC router kernel module for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not verify that a port is a client port, which allows attackers to gain privileges or cause a denial of service (race condition and list corruption) by making many BIND_CONTROL_PORT ioctl calls.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2059"
},
{
"id": "CVE-2016-2061",
"summary": "Integer signedness error in the MSM V4L2 video driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges or cause a denial of service (array overflow and memory corruption) via a crafted application that triggers an msm_isp_axi_create_stream call.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2061"
},
{
"id": "CVE-2016-2062",
"summary": "The adreno_perfcounter_query_group function in drivers/gpu/msm/adreno_perfcounter.c in the Adreno GPU driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, uses an incorrect integer data type, which allows attackers to cause a denial of service (integer overflow, heap-based buffer overflow, and incorrect memory allocation) or possibly have unspecified other impact via a crafted IOCTL_KGSL_PERFCOUNTER_QUERY ioctl call.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2062"
},
{
"id": "CVE-2016-2063",
"summary": "Stack-based buffer overflow in the supply_lm_input_write function in drivers/thermal/supply_lm_core.c in the MSM Thermal driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted application that sends a large amount of data through the debugfs interface.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2063"
},
{
"id": "CVE-2016-2064",
"summary": "sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c in the MSM QDSP6 audio driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted application that makes an ioctl call specifying many commands.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2064"
},
{
"id": "CVE-2016-2065",
"summary": "sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c in the MSM QDSP6 audio driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (out-of-bounds write and memory corruption) or possibly have unspecified other impact via a crafted application that makes an ioctl call triggering incorrect use of a parameters pointer.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2065"
},
{
"id": "CVE-2016-2066",
"summary": "Integer signedness error in the MSM QDSP6 audio driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges or cause a denial of service (memory corruption) via a crafted application that makes an ioctl call.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2066"
},
{
"id": "CVE-2016-2067",
"summary": "drivers/gpu/msm/kgsl.c in the MSM graphics driver (aka GPU driver) for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, mishandles the KGSL_MEMFLAGS_GPUREADONLY flag, which allows attackers to gain privileges by leveraging accidental read-write mappings, aka Qualcomm internal bug CR988993.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2067"
},
{
"id": "CVE-2016-2068",
"summary": "The MSM QDSP6 audio driver (aka sound driver) for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges or cause a denial of service (integer overflow, and buffer overflow or buffer over-read) via a crafted application that performs a (1) AUDIO_EFFECTS_WRITE or (2) AUDIO_EFFECTS_READ operation, aka Qualcomm internal bug CR1006609.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2068"
},
{
"id": "CVE-2016-2069",
"summary": "Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 allows local users to gain privileges by triggering access to a paging structure by a different CPU.",
"scorev2": "4.4",
"scorev3": "7.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2069",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2016-2070",
"summary": "The tcp_cwnd_reduction function in net/ipv4/tcp_input.c in the Linux kernel before 4.3.5 allows remote attackers to cause a denial of service (divide-by-zero error and system crash) via crafted TCP traffic.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2070",
"detail": "fixed-version",
"description": "Fixed from version 4.4"
},
{
"id": "CVE-2016-2085",
"summary": "The evm_verify_hmac function in security/integrity/evm/evm_main.c in the Linux kernel before 4.5 does not properly copy data, which makes it easier for local users to forge MAC values via a timing side-channel attack.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2085",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc4"
},
{
"id": "CVE-2016-2117",
"summary": "The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel through 4.5.2 incorrectly enables scatter/gather I/O, which allows remote attackers to obtain sensitive information from kernel memory by reading packet data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2117",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc5"
},
{
"id": "CVE-2016-2143",
"summary": "The fork implementation in the Linux kernel before 4.5 on s390 platforms mishandles the case of four page-table levels, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2143",
"detail": "fixed-version",
"description": "Fixed from version 4.5"
},
{
"id": "CVE-2016-2184",
"summary": "The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2184",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2016-2185",
"summary": "The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2185",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2016-2186",
"summary": "The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2186",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2016-2187",
"summary": "The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel through 4.5.2 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2187",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc5"
},
{
"id": "CVE-2016-2188",
"summary": "The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2188",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc2"
},
{
"id": "CVE-2016-2383",
"summary": "The adjust_branches function in kernel/bpf/verifier.c in the Linux kernel before 4.5 does not consider the delta in the backward-jump case, which allows local users to obtain sensitive information from kernel memory by creating a packet filter and then loading crafted BPF instructions.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2383",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc4"
},
{
"id": "CVE-2016-2384",
"summary": "Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2384",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc4"
},
{
"id": "CVE-2016-2543",
"summary": "The snd_seq_ioctl_remove_events function in sound/core/seq/seq_clientmgr.c in the Linux kernel before 4.4.1 does not verify FIFO assignment before proceeding with FIFO clearing, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted ioctl call.",
"scorev2": "4.9",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2543",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2016-2544",
"summary": "Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel before 4.4.1 allows local users to cause a denial of service (use-after-free and system crash) by making an ioctl call at a certain time.",
"scorev2": "4.7",
"scorev3": "5.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2544",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2016-2545",
"summary": "The snd_timer_interrupt function in sound/core/timer.c in the Linux kernel before 4.4.1 does not properly maintain a certain linked list, which allows local users to cause a denial of service (race condition and system crash) via a crafted ioctl call.",
"scorev2": "4.7",
"scorev3": "5.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2545",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2016-2546",
"summary": "sound/core/timer.c in the Linux kernel before 4.4.1 uses an incorrect type of mutex, which allows local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call.",
"scorev2": "4.7",
"scorev3": "5.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2546",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2016-2547",
"summary": "sound/core/timer.c in the Linux kernel before 4.4.1 employs a locking approach that does not consider slave timer instances, which allows local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call.",
"scorev2": "4.7",
"scorev3": "5.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2547",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2016-2548",
"summary": "sound/core/timer.c in the Linux kernel before 4.4.1 retains certain linked lists after a close or stop action, which allows local users to cause a denial of service (system crash) via a crafted ioctl call, related to the (1) snd_timer_close and (2) _snd_timer_stop functions.",
"scorev2": "4.9",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2548",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2016-2549",
"summary": "sound/core/hrtimer.c in the Linux kernel before 4.4.1 does not prevent recursive callback access, which allows local users to cause a denial of service (deadlock) via a crafted ioctl call.",
"scorev2": "2.1",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2549",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2016-2550",
"summary": "The Linux kernel before 4.5 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by leveraging incorrect tracking of descriptor ownership and sending each descriptor over a UNIX socket before closing it. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-4312.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2550",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc4"
},
{
"id": "CVE-2016-2782",
"summary": "The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2782",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc2"
},
{
"id": "CVE-2016-2847",
"summary": "fs/pipe.c in the Linux kernel before 4.5 does not limit the amount of unread data in pipes, which allows local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes.",
"scorev2": "4.9",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2847",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2016-2853",
"summary": "The aufs module for the Linux kernel 3.x and 4.x does not properly restrict the mount namespace, which allows local users to gain privileges by mounting an aufs filesystem on top of a FUSE filesystem, and then executing a crafted setuid program.",
"scorev2": "4.4",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2853"
},
{
"id": "CVE-2016-2854",
"summary": "The aufs module for the Linux kernel 3.x and 4.x does not properly maintain POSIX ACL xattr data, which allows local users to gain privileges by leveraging a group-writable setgid directory.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2854"
},
{
"id": "CVE-2016-3044",
"summary": "The Linux kernel component in IBM PowerKVM 2.1 before 2.1.1.3-65.10 and 3.1 before 3.1.0.2 allows guest OS users to cause a denial of service (host OS infinite loop and hang) via unspecified vectors.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3044",
"detail": "fixed-version",
"description": "Fixed from version 4.5"
},
{
"id": "CVE-2016-3070",
"summary": "The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel before 4.4 improperly interacts with mm/migrate.c, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a certain page move.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3070",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc1"
},
{
"id": "CVE-2016-3134",
"summary": "The netfilter subsystem in the Linux kernel through 4.5.2 does not validate certain offset fields, which allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call.",
"scorev2": "7.2",
"scorev3": "8.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3134",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc2"
},
{
"id": "CVE-2016-3135",
"summary": "Integer overflow in the xt_alloc_table_info function in net/netfilter/x_tables.c in the Linux kernel through 4.5.2 on 32-bit platforms allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3135",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2016-3136",
"summary": "The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3136",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc3"
},
{
"id": "CVE-2016-3137",
"summary": "drivers/usb/serial/cypress_m8.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3137",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc3"
},
{
"id": "CVE-2016-3138",
"summary": "The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3138",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2016-3139",
"summary": "The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel before 3.17 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3139",
"detail": "fixed-version",
"description": "Fixed from version 3.17rc1"
},
{
"id": "CVE-2016-3140",
"summary": "The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3140",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc3"
},
{
"id": "CVE-2016-3156",
"summary": "The IPv4 implementation in the Linux kernel before 4.5.2 mishandles destruction of device objects, which allows guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3156",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2016-3157",
"summary": "The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel does not properly context-switch IOPL on 64-bit PV Xen guests, which allows local guest OS users to gain privileges, cause a denial of service (guest OS crash), or obtain sensitive information by leveraging I/O port access.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3157",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2016-3672",
"summary": "The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not properly randomize the legacy base address, which makes it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3672",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2016-3689",
"summary": "The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3689",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2016-3695",
"summary": "The einj_error_inject function in drivers/acpi/apei/einj.c in the Linux kernel allows local users to simulate hardware errors and consequently cause a denial of service by leveraging failure to disable APEI error injection through EINJ when securelevel is set.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3695",
"detail": "not-applicable-platform",
"description": "specific to RHEL with securelevel patches"
},
{
"id": "CVE-2016-3699",
"summary": "The Linux kernel, as used in Red Hat Enterprise Linux 7.2 and Red Hat Enterprise MRG 2 and when booted with UEFI Secure Boot enabled, allows local users to bypass intended Secure Boot restrictions and execute untrusted code by appending ACPI tables to the initrd.",
"scorev2": "6.9",
"scorev3": "7.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3699",
"detail": "not-applicable-platform",
"description": "specific to RHEL with securelevel patches"
},
{
"id": "CVE-2016-3713",
"summary": "The msr_mtrr_valid function in arch/x86/kvm/mtrr.c in the Linux kernel before 4.6.1 supports MSR 0x2f8, which allows guest OS users to read or write to the kvm_arch_vcpu data structure, and consequently obtain sensitive information or cause a denial of service (system crash), via a crafted ioctl call.",
"scorev2": "5.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3713",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc1"
},
{
"id": "CVE-2016-3841",
"summary": "The IPv6 stack in the Linux kernel before 4.3.3 mishandles options data, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call.",
"scorev2": "7.2",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3841",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc4"
},
{
"id": "CVE-2016-3857",
"summary": "The kernel in Android before 2016-08-05 on Nexus 7 (2013) devices allows attackers to gain privileges via a crafted application, aka internal bug 28522518.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3857",
"detail": "fixed-version",
"description": "Fixed from version 4.8rc2"
},
{
"id": "CVE-2016-3951",
"summary": "Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3951",
"detail": "fixed-version",
"description": "Fixed from version 4.5"
},
{
"id": "CVE-2016-3955",
"summary": "The usbip_recv_xbuff function in drivers/usb/usbip/usbip_common.c in the Linux kernel before 4.5.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted length value in a USB/IP packet.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3955",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc3"
},
{
"id": "CVE-2016-3961",
"summary": "Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs support in x86 PV guests, which allows local PV guest OS users to cause a denial of service (guest OS crash) by attempting to access a hugetlbfs mapped area.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3961",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc5"
},
{
"id": "CVE-2016-4440",
"summary": "arch/x86/kvm/vmx.c in the Linux kernel through 4.6.3 mishandles the APICv on/off state, which allows guest OS users to obtain direct APIC MSR access on the host OS, and consequently cause a denial of service (host OS crash) or possibly execute arbitrary code on the host OS, via x2APIC mode.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4440",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc1"
},
{
"id": "CVE-2016-4470",
"summary": "The key_reject_and_link function in security/keys/key.c in the Linux kernel through 4.6.3 does not ensure that a certain data structure is initialized, which allows local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4470",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc4"
},
{
"id": "CVE-2016-4482",
"summary": "The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call.",
"scorev2": "2.1",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4482",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc1"
},
{
"id": "CVE-2016-4485",
"summary": "The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory by reading a message.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4485",
"detail": "fixed-version",
"description": "Fixed from version 4.6"
},
{
"id": "CVE-2016-4486",
"summary": "The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4486",
"detail": "fixed-version",
"description": "Fixed from version 4.6"
},
{
"id": "CVE-2016-4557",
"summary": "The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4557",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc6"
},
{
"id": "CVE-2016-4558",
"summary": "The BPF subsystem in the Linux kernel before 4.5.5 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted application on (1) a system with more than 32 Gb of memory, related to the program reference count or (2) a 1 Tb system, related to the map reference count.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4558",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc7"
},
{
"id": "CVE-2016-4565",
"summary": "The InfiniBand (aka IB) stack in the Linux kernel before 4.5.3 incorrectly relies on the write system call, which allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4565",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc6"
},
{
"id": "CVE-2016-4568",
"summary": "drivers/media/v4l2-core/videobuf2-v4l2.c in the Linux kernel before 4.5.3 allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a crafted number of planes in a VIDIOC_DQBUF ioctl call.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4568",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc6"
},
{
"id": "CVE-2016-4569",
"summary": "The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4569",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc1"
},
{
"id": "CVE-2016-4578",
"summary": "sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4578",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc1"
},
{
"id": "CVE-2016-4580",
"summary": "The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4580",
"detail": "fixed-version",
"description": "Fixed from version 4.6"
},
{
"id": "CVE-2016-4581",
"summary": "fs/pnode.c in the Linux kernel before 4.5.4 does not properly traverse a mount propagation tree in a certain case involving a slave mount, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted series of mount system calls.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4581",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc7"
},
{
"id": "CVE-2016-4794",
"summary": "Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4794",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc4"
},
{
"id": "CVE-2016-4805",
"summary": "Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel before 4.5.2 allows local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4805",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2016-4913",
"summary": "The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel before 4.5.5 mishandles NM (aka alternate name) entries containing \\0 characters, which allows local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4913",
"detail": "fixed-version",
"description": "Fixed from version 4.6"
},
{
"id": "CVE-2016-4951",
"summary": "The tipc_nl_publ_dump function in net/tipc/socket.c in the Linux kernel through 4.6 does not verify socket existence, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a dumpit operation.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4951",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc1"
},
{
"id": "CVE-2016-4997",
"summary": "The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4997",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc1"
},
{
"id": "CVE-2016-4998",
"summary": "The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary.",
"scorev2": "5.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4998",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc1"
},
{
"id": "CVE-2016-5195",
"summary": "Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka \"Dirty COW.\"",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5195",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc2"
},
{
"id": "CVE-2016-5243",
"summary": "The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel through 4.6.3 does not properly copy a certain string, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5243",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc3"
},
{
"id": "CVE-2016-5244",
"summary": "The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel through 4.6.3 does not initialize a certain structure member, which allows remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5244",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc3"
},
{
"id": "CVE-2016-5340",
"summary": "The is_ashmem_file function in drivers/staging/android/ashmem.c in a certain Qualcomm Innovation Center (QuIC) Android patch for the Linux kernel 3.x mishandles pointer validation within the KGSL Linux Graphics Module, which allows attackers to bypass intended access restrictions by using the /ashmem string as the dentry name.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5340"
},
{
"id": "CVE-2016-5342",
"summary": "Heap-based buffer overflow in the wcnss_wlan_write function in drivers/net/wireless/wcnss/wcnss_wlan.c in the wcnss_wlan device driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service or possibly have unspecified other impact by writing to /dev/wcnss_wlan with an unexpected amount of data.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5342"
},
{
"id": "CVE-2016-5343",
"summary": "drivers/soc/qcom/qdsp6v2/voice_svc.c in the QDSP6v2 Voice Service driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a write request, as demonstrated by a voice_svc_send_req buffer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5343"
},
{
"id": "CVE-2016-5344",
"summary": "Multiple integer overflows in the MDSS driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow attackers to cause a denial of service or possibly have unspecified other impact via a large size value, related to mdss_compat_utils.c, mdss_fb.c, and mdss_rotator.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5344"
},
{
"id": "CVE-2016-5400",
"summary": "Memory leak in the airspy_probe function in drivers/media/usb/airspy/airspy.c in the airspy USB driver in the Linux kernel before 4.7 allows local users to cause a denial of service (memory consumption) via a crafted USB device that emulates many VFL_TYPE_SDR or VFL_TYPE_SUBDEV devices and performs many connect and disconnect operations.",
"scorev2": "4.9",
"scorev3": "4.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5400",
"detail": "fixed-version",
"description": "Fixed from version 4.7"
},
{
"id": "CVE-2016-5412",
"summary": "arch/powerpc/kvm/book3s_hv_rmhandlers.S in the Linux kernel through 4.7 on PowerPC platforms, when CONFIG_KVM_BOOK3S_64_HV is enabled, allows guest OS users to cause a denial of service (host OS infinite loop) by making a H_CEDE hypercall during the existence of a suspended transaction.",
"scorev2": "4.6",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5412",
"detail": "fixed-version",
"description": "Fixed from version 4.8rc1"
},
{
"id": "CVE-2016-5696",
"summary": "net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack.",
"scorev2": "5.8",
"scorev3": "4.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5696",
"detail": "fixed-version",
"description": "Fixed from version 4.7"
},
{
"id": "CVE-2016-5728",
"summary": "Race condition in the vop_ioctl function in drivers/misc/mic/vop/vop_vringh.c in the MIC VOP driver in the Linux kernel before 4.6.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (memory corruption and system crash) by changing a certain header, aka a \"double fetch\" vulnerability.",
"scorev2": "5.4",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5728",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc1"
},
{
"id": "CVE-2016-5828",
"summary": "The start_thread function in arch/powerpc/kernel/process.c in the Linux kernel through 4.6.3 on powerpc platforms mishandles transactional state, which allows local users to cause a denial of service (invalid process state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by starting and suspending a transaction before an exec system call.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5828",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc6"
},
{
"id": "CVE-2016-5829",
"summary": "Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5829",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc5"
},
{
"id": "CVE-2016-5856",
"summary": "Drivers/soc/qcom/spcom.c in the Qualcomm SPCom driver in the Android kernel 2017-03-05 allows local users to gain privileges, a different vulnerability than CVE-2016-5857.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5856"
},
{
"id": "CVE-2016-5870",
"summary": "The msm_ipc_router_close function in net/ipc_router/ipc_router_socket.c in the ipc_router component for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact by triggering failure of an accept system call for an AF_MSM_IPC socket.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5870"
},
{
"id": "CVE-2016-6130",
"summary": "Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/char/sclp_ctl.c in the Linux kernel before 4.6 allows local users to obtain sensitive information from kernel memory by changing a certain length value, aka a \"double fetch\" vulnerability.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6130",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc6"
},
{
"id": "CVE-2016-6136",
"summary": "Race condition in the audit_log_single_execve_arg function in kernel/auditsc.c in the Linux kernel through 4.7 allows local users to bypass intended character-set restrictions or disrupt system-call auditing by changing a certain string, aka a \"double fetch\" vulnerability.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6136",
"detail": "fixed-version",
"description": "Fixed from version 4.8rc1"
},
{
"id": "CVE-2016-6156",
"summary": "Race condition in the ec_device_ioctl_xcmd function in drivers/platform/chrome/cros_ec_dev.c in the Linux kernel before 4.7 allows local users to cause a denial of service (out-of-bounds array access) by changing a certain size value, aka a \"double fetch\" vulnerability.",
"scorev2": "1.9",
"scorev3": "5.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6156",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc7"
},
{
"id": "CVE-2016-6162",
"summary": "net/core/skbuff.c in the Linux kernel 4.7-rc6 allows local users to cause a denial of service (panic) or possibly have unspecified other impact via certain IPv6 socket operations.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6162",
"detail": "fixed-version",
"description": "Fixed from version 4.7"
},
{
"id": "CVE-2016-6187",
"summary": "The apparmor_setprocattr function in security/apparmor/lsm.c in the Linux kernel before 4.6.5 does not validate the buffer size, which allows local users to gain privileges by triggering an AppArmor setprocattr hook.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6187",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc7"
},
{
"id": "CVE-2016-6197",
"summary": "fs/overlayfs/dir.c in the OverlayFS filesystem implementation in the Linux kernel before 4.6 does not properly verify the upper dentry before proceeding with unlink and rename system-call processing, which allows local users to cause a denial of service (system crash) via a rename system call that specifies a self-hardlink.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6197",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2016-6198",
"summary": "The filesystem layer in the Linux kernel before 4.5.5 proceeds with post-rename operations after an OverlayFS file is renamed to a self-hardlink, which allows local users to cause a denial of service (system crash) via a rename system call, related to fs/namei.c and fs/open.c.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6198",
"detail": "fixed-version",
"description": "Fixed from version 4.6"
},
{
"id": "CVE-2016-6213",
"summary": "fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of mounts.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6213",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc1"
},
{
"id": "CVE-2016-6327",
"summary": "drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel before 4.5.1 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an ABORT_TASK command to abort a device write operation.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6327",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2016-6480",
"summary": "Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a \"double fetch\" vulnerability.",
"scorev2": "4.7",
"scorev3": "5.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6480",
"detail": "fixed-version",
"description": "Fixed from version 4.8rc3"
},
{
"id": "CVE-2016-6516",
"summary": "Race condition in the ioctl_file_dedupe_range function in fs/ioctl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (heap-based buffer overflow) or possibly gain privileges by changing a certain count value, aka a \"double fetch\" vulnerability.",
"scorev2": "4.4",
"scorev3": "7.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6516",
"detail": "fixed-version",
"description": "Fixed from version 4.8rc1"
},
{
"id": "CVE-2016-6755",
"summary": "An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-30740545. References: QC-CR#1065916.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6755"
},
{
"id": "CVE-2016-6756",
"summary": "An information disclosure vulnerability in Qualcomm components including the camera driver and video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-29464815. References: QC-CR#1042068.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6756"
},
{
"id": "CVE-2016-6757",
"summary": "An information disclosure vulnerability in Qualcomm components including the camera driver and video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-30148242. References: QC-CR#1052821.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6757"
},
{
"id": "CVE-2016-6758",
"summary": "An elevation of privilege vulnerability in Qualcomm media codecs could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-30148882. References: QC-CR#1071731.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6758"
},
{
"id": "CVE-2016-6759",
"summary": "An elevation of privilege vulnerability in Qualcomm media codecs could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-29982686. References: QC-CR#1055766.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6759"
},
{
"id": "CVE-2016-6760",
"summary": "An elevation of privilege vulnerability in Qualcomm media codecs could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-29617572. References: QC-CR#1055783.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6760"
},
{
"id": "CVE-2016-6761",
"summary": "An elevation of privilege vulnerability in Qualcomm media codecs could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-29421682. References: QC-CR#1055792.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6761"
},
{
"id": "CVE-2016-6775",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31222873. References: N-CVE-2016-6775.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6775"
},
{
"id": "CVE-2016-6776",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31680980. References: N-CVE-2016-6776.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6776"
},
{
"id": "CVE-2016-6777",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31910462. References: N-CVE-2016-6777.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6777"
},
{
"id": "CVE-2016-6778",
"summary": "An elevation of privilege vulnerability in the HTC sound codec driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31384646.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6778"
},
{
"id": "CVE-2016-6779",
"summary": "An elevation of privilege vulnerability in the HTC sound codec driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31386004.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6779"
},
{
"id": "CVE-2016-6780",
"summary": "An elevation of privilege vulnerability in the HTC sound codec driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31251496.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6780"
},
{
"id": "CVE-2016-6781",
"summary": "An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31095175. References: MT-ALPS02943455.",
"scorev2": "9.3",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6781"
},
{
"id": "CVE-2016-6782",
"summary": "An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31224389. References: MT-ALPS02943506.",
"scorev2": "9.3",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6782"
},
{
"id": "CVE-2016-6785",
"summary": "An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31748056. References: MT-ALPS02961400.",
"scorev2": "9.3",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6785"
},
{
"id": "CVE-2016-6786",
"summary": "kernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 30955111.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6786",
"detail": "fixed-version",
"description": "Fixed from version 4.0rc1"
},
{
"id": "CVE-2016-6787",
"summary": "kernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 31095224.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6787",
"detail": "fixed-version",
"description": "Fixed from version 4.0rc1"
},
{
"id": "CVE-2016-6789",
"summary": "An elevation of privilege vulnerability in the NVIDIA libomx library (libnvomx) could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: Kernel-3.18. Android ID: A-31251973. References: N-CVE-2016-6789.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6789"
},
{
"id": "CVE-2016-6790",
"summary": "An elevation of privilege vulnerability in the NVIDIA libomx library (libnvomx) could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: Kernel-3.18. Android ID: A-31251628. References: N-CVE-2016-6790.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6790"
},
{
"id": "CVE-2016-6791",
"summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31252384. References: QC-CR#1071809.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6791"
},
{
"id": "CVE-2016-6828",
"summary": "The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6828",
"detail": "fixed-version",
"description": "Fixed from version 4.8rc5"
},
{
"id": "CVE-2016-7039",
"summary": "The IP stack in the Linux kernel through 4.8.2 allows remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for large crafted packets, as demonstrated by packets that contain only VLAN headers, a related issue to CVE-2016-8666.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7039",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc4"
},
{
"id": "CVE-2016-7042",
"summary": "The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file.",
"scorev2": "4.9",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7042",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc3"
},
{
"id": "CVE-2016-7097",
"summary": "The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr call, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions.",
"scorev2": "3.6",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7097",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc1"
},
{
"id": "CVE-2016-7117",
"summary": "Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel before 4.5.2 allows remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7117",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2016-7425",
"summary": "The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7425",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc1"
},
{
"id": "CVE-2016-7910",
"summary": "Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel before 4.7.1 allows local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7910",
"detail": "fixed-version",
"description": "Fixed from version 4.8rc1"
},
{
"id": "CVE-2016-7911",
"summary": "Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel before 4.6.6 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7911",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc7"
},
{
"id": "CVE-2016-7912",
"summary": "Use-after-free vulnerability in the ffs_user_copy_worker function in drivers/usb/gadget/function/f_fs.c in the Linux kernel before 4.5.3 allows local users to gain privileges by accessing an I/O data structure after a certain callback call.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7912",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc5"
},
{
"id": "CVE-2016-7913",
"summary": "The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7913",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2016-7914",
"summary": "The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.5.3 does not check whether a slot is a leaf, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and out-of-bounds read) via an application that uses associative-array data structures, as demonstrated by the keyutils test suite.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7914",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc4"
},
{
"id": "CVE-2016-7915",
"summary": "The hid_input_field function in drivers/hid/hid-core.c in the Linux kernel before 4.6 allows physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device, as demonstrated by a Logitech DJ receiver.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7915",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2016-7916",
"summary": "Race condition in the environ_read function in fs/proc/base.c in the Linux kernel before 4.5.4 allows local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is incomplete.",
"scorev2": "4.7",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7916",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc7"
},
{
"id": "CVE-2016-7917",
"summary": "The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux kernel before 4.5 does not check whether a batch message's length field is large enough, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (infinite loop or out-of-bounds read) by leveraging the CAP_NET_ADMIN capability.",
"scorev2": "4.3",
"scorev3": "5.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7917",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc6"
},
{
"id": "CVE-2016-8391",
"summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31253255. References: QC-CR#1072166.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8391"
},
{
"id": "CVE-2016-8392",
"summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31385862. References: QC-CR#1073136.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8392"
},
{
"id": "CVE-2016-8393",
"summary": "An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31911920.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8393"
},
{
"id": "CVE-2016-8394",
"summary": "An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31913197.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8394"
},
{
"id": "CVE-2016-8395",
"summary": "A denial of service vulnerability in the NVIDIA camera driver could enable an attacker to cause a local permanent denial of service, which may require reflashing the operating system to repair the device. This issue is rated as High due to the possibility of local permanent denial of service. Product: Android. Versions: Kernel-3.10. Android ID: A-31403040. References: N-CVE-2016-8395.",
"scorev2": "7.1",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8395"
},
{
"id": "CVE-2016-8397",
"summary": "An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10. Android ID: A-31385953. References: N-CVE-2016-8397.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8397"
},
{
"id": "CVE-2016-8398",
"summary": "Unauthenticated messages processed by the UE. Certain NAS messages are processed when no EPS security context exists in the UE. Product: Android. Versions: Kernel 3.18. Android ID: A-31548486. References: QC-CR#877705.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8398"
},
{
"id": "CVE-2016-8399",
"summary": "An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and current compiler optimizations restrict access to the vulnerable code. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31349935.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8399",
"detail": "fixed-version",
"description": "Fixed from version 4.9"
},
{
"id": "CVE-2016-8400",
"summary": "An information disclosure vulnerability in the NVIDIA librm library (libnvrm) could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it could be used to access sensitive data without permission. Product: Android. Versions: Kernel-3.18. Android ID: A-31251599. References: N-CVE-2016-8400.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8400"
},
{
"id": "CVE-2016-8401",
"summary": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31494725.",
"scorev2": "4.3",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8401"
},
{
"id": "CVE-2016-8402",
"summary": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31495231.",
"scorev2": "4.3",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8402"
},
{
"id": "CVE-2016-8403",
"summary": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31495348.",
"scorev2": "4.3",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8403"
},
{
"id": "CVE-2016-8404",
"summary": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31496950.",
"scorev2": "4.3",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8404"
},
{
"id": "CVE-2016-8405",
"summary": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31651010.",
"scorev2": "4.3",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8405",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc6"
},
{
"id": "CVE-2016-8406",
"summary": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31796940.",
"scorev2": "4.3",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8406"
},
{
"id": "CVE-2016-8407",
"summary": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31802656.",
"scorev2": "4.3",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8407"
},
{
"id": "CVE-2016-8408",
"summary": "An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31496571. References: N-CVE-2016-8408.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8408"
},
{
"id": "CVE-2016-8409",
"summary": "An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31495687. References: N-CVE-2016-8409.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8409"
},
{
"id": "CVE-2016-8410",
"summary": "An information disclosure vulnerability in the Qualcomm sound driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31498403. References: QC-CR#987010.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8410"
},
{
"id": "CVE-2016-8412",
"summary": "An elevation of privilege vulnerability in the Qualcomm camera could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31225246. References: QC-CR#1071891.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8412"
},
{
"id": "CVE-2016-8413",
"summary": "An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32709702. References: QC-CR#518731.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8413"
},
{
"id": "CVE-2016-8414",
"summary": "An information disclosure vulnerability in the Qualcomm Secure Execution Environment Communicator could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31704078. References: QC-CR#1076407.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8414"
},
{
"id": "CVE-2016-8415",
"summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31750554. References: QC-CR#1079596.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8415"
},
{
"id": "CVE-2016-8416",
"summary": "An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32510746. References: QC-CR#1088206.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8416"
},
{
"id": "CVE-2016-8417",
"summary": "An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32342399. References: QC-CR#1088824.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8417"
},
{
"id": "CVE-2016-8419",
"summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32454494. References: QC-CR#1087209.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8419"
},
{
"id": "CVE-2016-8420",
"summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32451171. References: QC-CR#1087807.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8420"
},
{
"id": "CVE-2016-8421",
"summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32451104. References: QC-CR#1087797.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8421"
},
{
"id": "CVE-2016-8424",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31606947. References: N-CVE-2016-8424.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8424"
},
{
"id": "CVE-2016-8425",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31797770. References: N-CVE-2016-8425.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8425"
},
{
"id": "CVE-2016-8426",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31799206. References: N-CVE-2016-8426.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8426"
},
{
"id": "CVE-2016-8427",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31799885. References: N-CVE-2016-8427.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8427"
},
{
"id": "CVE-2016-8428",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31993456. References: N-CVE-2016-8428.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8428"
},
{
"id": "CVE-2016-8429",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32160775. References: N-CVE-2016-8429.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8429"
},
{
"id": "CVE-2016-8430",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32225180. References: N-CVE-2016-8430.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8430"
},
{
"id": "CVE-2016-8431",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-32402179. References: N-CVE-2016-8431.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8431"
},
{
"id": "CVE-2016-8432",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-32447738. References: N-CVE-2016-8432.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8432"
},
{
"id": "CVE-2016-8434",
"summary": "An elevation of privilege vulnerability in the Qualcomm GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32125137. References: QC-CR#1081855.",
"scorev2": "9.3",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8434"
},
{
"id": "CVE-2016-8435",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-32700935. References: N-CVE-2016-8435.",
"scorev2": "9.3",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8435"
},
{
"id": "CVE-2016-8436",
"summary": "An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-32450261. References: QC-CR#1007860.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8436"
},
{
"id": "CVE-2016-8437",
"summary": "Improper input validation in Access Control APIs. Access control API may return memory range checking incorrectly. Product: Android. Versions: Kernel 3.18. Android ID: A-31623057. References: QC-CR#1009695.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8437"
},
{
"id": "CVE-2016-8438",
"summary": "Integer overflow leading to a TOCTOU condition in hypervisor PIL. An integer overflow exposes a race condition that may be used to bypass (Peripheral Image Loader) PIL authentication. Product: Android. Versions: Kernel 3.18. Android ID: A-31624565. References: QC-CR#1023638.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8438"
},
{
"id": "CVE-2016-8439",
"summary": "Possible buffer overflow in trust zone access control API. Buffer overflow may occur due to lack of buffer size checking. Product: Android. Versions: Kernel 3.18. Android ID: A-31625204. References: QC-CR#1027804.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8439"
},
{
"id": "CVE-2016-8440",
"summary": "Possible buffer overflow in SMMU system call. Improper input validation in ADSP SID2CB system call may result in hypervisor memory overwrite. Product: Android. Versions: Kernel 3.18. Android ID: A-31625306. References: QC-CR#1036747.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8440"
},
{
"id": "CVE-2016-8441",
"summary": "Possible buffer overflow in the hypervisor. Inappropriate usage of a static array could lead to a buffer overrun. Product: Android. Versions: Kernel 3.18. Android ID: A-31625904. References: QC-CR#1027769.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8441"
},
{
"id": "CVE-2016-8442",
"summary": "Possible unauthorized memory access in the hypervisor. Lack of input validation could allow hypervisor memory to be accessed by the HLOS. Product: Android. Versions: Kernel 3.18. Android ID: A-31625910. QC-CR#1038173.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8442"
},
{
"id": "CVE-2016-8443",
"summary": "Possible unauthorized memory access in the hypervisor. Incorrect configuration provides access to subsystem page tables. Product: Android. Versions: Kernel 3.18. Android ID: A-32576499. References: QC-CR#964185.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8443"
},
{
"id": "CVE-2016-8444",
"summary": "An elevation of privilege vulnerability in the Qualcomm camera could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31243641. References: QC-CR#1074310.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8444"
},
{
"id": "CVE-2016-8449",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31798848. References: N-CVE-2016-8449.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8449"
},
{
"id": "CVE-2016-8450",
"summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-32450563. References: QC-CR#880388.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8450"
},
{
"id": "CVE-2016-8451",
"summary": "An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.4. Android ID: A-32178033.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8451"
},
{
"id": "CVE-2016-8452",
"summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32506396. References: QC-CR#1050323.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8452"
},
{
"id": "CVE-2016-8453",
"summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-24739315. References: B-RB#73392.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8453"
},
{
"id": "CVE-2016-8454",
"summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32174590. References: B-RB#107142.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8454"
},
{
"id": "CVE-2016-8455",
"summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-32219121. References: B-RB#106311.",
"scorev2": "9.3",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8455"
},
{
"id": "CVE-2016-8456",
"summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32219255. References: B-RB#105580.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8456"
},
{
"id": "CVE-2016-8457",
"summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32219453. References: B-RB#106116.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8457"
},
{
"id": "CVE-2016-8458",
"summary": "An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31968442.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8458"
},
{
"id": "CVE-2016-8459",
"summary": "Possible buffer overflow in storage subsystem. Bad parameters as part of listener responses to RPMB commands could lead to buffer overflow. Product: Android. Versions: Kernel 3.18. Android ID: A-32577972. References: QC-CR#988462.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8459"
},
{
"id": "CVE-2016-8460",
"summary": "An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10. Android ID: A-31668540. References: N-CVE-2016-8460.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8460"
},
{
"id": "CVE-2016-8461",
"summary": "An information disclosure vulnerability in the bootloader could enable a local attacker to access data outside of its permission level. This issue is rated as High because it could be used to access sensitive data. Product: Android. Versions: Kernel-3.18. Android ID: A-32369621.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8461"
},
{
"id": "CVE-2016-8463",
"summary": "A denial of service vulnerability in the Qualcomm FUSE file system could enable a remote attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-30786860. References: QC-CR#586855.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8463"
},
{
"id": "CVE-2016-8464",
"summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-29000183. References: B-RB#106314.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8464"
},
{
"id": "CVE-2016-8465",
"summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32474971. References: B-RB#106053.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8465"
},
{
"id": "CVE-2016-8466",
"summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31822524. References: B-RB#105268.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8466"
},
{
"id": "CVE-2016-8468",
"summary": "An elevation of privilege vulnerability in Binder could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.18. Android ID: A-32394425.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8468"
},
{
"id": "CVE-2016-8469",
"summary": "An information disclosure vulnerability in the camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31351206. References: N-CVE-2016-8469.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8469"
},
{
"id": "CVE-2016-8473",
"summary": "An information disclosure vulnerability in the STMicroelectronics driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31795790.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8473"
},
{
"id": "CVE-2016-8474",
"summary": "An information disclosure vulnerability in the STMicroelectronics driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31799972.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8474"
},
{
"id": "CVE-2016-8475",
"summary": "An information disclosure vulnerability in the HTC input driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32591129.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8475"
},
{
"id": "CVE-2016-8476",
"summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32879283. References: QC-CR#1091940.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8476"
},
{
"id": "CVE-2016-8477",
"summary": "An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32720522. References: QC-CR#1090007.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8477"
},
{
"id": "CVE-2016-8478",
"summary": "An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32511270. References: QC-CR#1088206.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8478"
},
{
"id": "CVE-2016-8479",
"summary": "An elevation of privilege vulnerability in the Qualcomm GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31824853. References: QC-CR#1093687.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8479"
},
{
"id": "CVE-2016-8480",
"summary": "An elevation of privilege vulnerability in the Qualcomm Secure Execution Environment Communicator driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31804432. References: QC-CR#1086186.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8480"
},
{
"id": "CVE-2016-8481",
"summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31906415. References: QC-CR#1078000.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8481"
},
{
"id": "CVE-2016-8483",
"summary": "An information disclosure vulnerability in the Qualcomm power driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10. Android ID: A-33745862. References: QC-CR#1035099.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8483"
},
{
"id": "CVE-2016-8630",
"summary": "The x86_decode_insn function in arch/x86/kvm/emulate.c in the Linux kernel before 4.8.7, when KVM is enabled, allows local users to cause a denial of service (host OS crash) via a certain use of a ModR/M byte in an undefined instruction.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8630",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc4"
},
{
"id": "CVE-2016-8632",
"summary": "The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through 4.8.11 does not validate the relationship between the minimum fragment length and the maximum packet size, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8632",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc8"
},
{
"id": "CVE-2016-8633",
"summary": "drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allows remote attackers to execute arbitrary code via crafted fragmented packets.",
"scorev2": "6.2",
"scorev3": "6.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8633",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc4"
},
{
"id": "CVE-2016-8636",
"summary": "Integer overflow in the mem_check_range function in drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel before 4.9.10 allows local users to cause a denial of service (memory corruption), obtain sensitive information from kernel memory, or possibly have unspecified other impact via a write or read request involving the \"RDMA protocol over infiniband\" (aka Soft RoCE) technology.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8636",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc8"
},
{
"id": "CVE-2016-8645",
"summary": "The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, which allows local users to cause a denial of service (system crash) via a crafted application that makes sendto system calls, related to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8645",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc6"
},
{
"id": "CVE-2016-8646",
"summary": "The hash_accept function in crypto/algif_hash.c in the Linux kernel before 4.3.6 allows local users to cause a denial of service (OOPS) by attempting to trigger use of in-kernel hash algorithms for a socket that has received zero bytes of data.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8646",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc1"
},
{
"id": "CVE-2016-8650",
"summary": "The mpi_powm function in lib/mpi/mpi-pow.c in the Linux kernel through 4.8.11 does not ensure that memory is allocated for limb data, which allows local users to cause a denial of service (stack memory corruption and panic) via an add_key system call for an RSA key with a zero exponent.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8650",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc7"
},
{
"id": "CVE-2016-8655",
"summary": "Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8655",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc8"
},
{
"id": "CVE-2016-8658",
"summary": "Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel before 4.7.5 allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a long SSID Information Element in a command to a Netlink socket.",
"scorev2": "5.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8658",
"detail": "fixed-version",
"description": "Fixed from version 4.8rc7"
},
{
"id": "CVE-2016-8660",
"summary": "The XFS subsystem in the Linux kernel through 4.8.2 allows local users to cause a denial of service (fdatasync failure and system hang) by using the vfs syscall group in the trinity program, related to a \"page lock order bug in the XFS seek hole/data implementation.\"",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8660"
},
{
"id": "CVE-2016-8666",
"summary": "The IP stack in the Linux kernel before 4.6 allows remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for packets with tunnel stacking, as demonstrated by interleaved IPv4 headers and GRE headers, a related issue to CVE-2016-7039.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8666",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2016-9083",
"summary": "drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a \"state machine confusion bug.\"",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9083",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc4"
},
{
"id": "CVE-2016-9084",
"summary": "drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through 4.8.11 misuses the kzalloc function, which allows local users to cause a denial of service (integer overflow) or have unspecified other impact by leveraging access to a vfio PCI device file.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9084",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc4"
},
{
"id": "CVE-2016-9120",
"summary": "Race condition in the ion_ioctl function in drivers/staging/android/ion/ion.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) by calling ION_IOC_FREE on two CPUs at the same time.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9120",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2016-9178",
"summary": "The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel before 4.7.5 does not initialize a certain integer variable, which allows local users to obtain sensitive information from kernel stack memory by triggering failure of a get_user_ex call.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9178",
"detail": "fixed-version",
"description": "Fixed from version 4.8rc7"
},
{
"id": "CVE-2016-9191",
"summary": "The cgroup offline implementation in the Linux kernel through 4.8.11 mishandles certain drain operations, which allows local users to cause a denial of service (system hang) by leveraging access to a container environment for executing a crafted application, as demonstrated by trinity.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9191",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc4"
},
{
"id": "CVE-2016-9313",
"summary": "security/keys/big_key.c in the Linux kernel before 4.8.7 mishandles unsuccessful crypto registration in conjunction with successful key-type registration, which allows local users to cause a denial of service (NULL pointer dereference and panic) or possibly have unspecified other impact via a crafted application that uses the big_key data type.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9313",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc3"
},
{
"id": "CVE-2016-9555",
"summary": "The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9555",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc4"
},
{
"id": "CVE-2016-9576",
"summary": "The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9576",
"detail": "fixed-version",
"description": "Fixed from version 4.9"
},
{
"id": "CVE-2016-9588",
"summary": "arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9588",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc1"
},
{
"id": "CVE-2016-9604",
"summary": "It was discovered in the Linux kernel before 4.11-rc8 that root can gain direct access to an internal keyring, such as '.dns_resolver' in RHEL-7 or '.builtin_trusted_keys' upstream, by joining it as its session keyring. This allows root to bypass module signature verification by adding a new public key of its own devising to the keyring.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9604",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc8"
},
{
"id": "CVE-2016-9644",
"summary": "The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel 4.4.22 through 4.4.28 contains extended asm statements that are incompatible with the exception table, which allows local users to obtain root access on non-SMEP platforms via a crafted application. NOTE: this vulnerability exists because of incorrect backporting of the CVE-2016-9178 patch to older kernels.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9644"
},
{
"id": "CVE-2016-9685",
"summary": "Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel before 4.5.1 allow local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9685",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2016-9754",
"summary": "The ring_buffer_resize function in kernel/trace/ring_buffer.c in the profiling subsystem in the Linux kernel before 4.6.1 mishandles certain integer calculations, which allows local users to gain privileges by writing to the /sys/kernel/debug/tracing/buffer_size_kb file.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9754",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc1"
},
{
"id": "CVE-2016-9755",
"summary": "The netfilter subsystem in the Linux kernel before 4.9 mishandles IPv6 reassembly, which allows local users to cause a denial of service (integer overflow, out-of-bounds write, and GPF) or possibly have unspecified other impact via a crafted application that makes socket, connect, and writev system calls, related to net/ipv6/netfilter/nf_conntrack_reasm.c and net/ipv6/netfilter/nf_defrag_ipv6_hooks.c.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9755",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc8"
},
{
"id": "CVE-2016-9756",
"summary": "arch/x86/kvm/emulate.c in the Linux kernel before 4.8.12 does not properly initialize Code Segment (CS) in certain error cases, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9756",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc7"
},
{
"id": "CVE-2016-9777",
"summary": "KVM in the Linux kernel before 4.8.12, when I/O APIC is enabled, does not properly restrict the VCPU index, which allows guest OS users to gain host OS privileges or cause a denial of service (out-of-bounds array access and host OS crash) via a crafted interrupt request, related to arch/x86/kvm/ioapic.c and arch/x86/kvm/ioapic.h.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9777",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc7"
},
{
"id": "CVE-2016-9793",
"summary": "The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9793",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc8"
},
{
"id": "CVE-2016-9794",
"summary": "Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9794",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc1"
},
{
"id": "CVE-2016-9806",
"summary": "Race condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel before 4.6.3 allows local users to cause a denial of service (double free) or possibly have unspecified other impact via a crafted application that makes sendmsg system calls, leading to a free operation associated with a new dump that started earlier than anticipated.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9806",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc1"
},
{
"id": "CVE-2016-9919",
"summary": "The icmp6_send function in net/ipv6/icmp.c in the Linux kernel through 4.8.12 omits a certain check of the dst data structure, which allows remote attackers to cause a denial of service (panic) via a fragmented IPv6 packet.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9919",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc8"
},
{
"id": "CVE-2017-0306",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-34132950. References: N-CVE-2017-0306.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0306"
},
{
"id": "CVE-2017-0307",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33177895. References: N-CVE-2017-0307.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0307"
},
{
"id": "CVE-2017-0325",
"summary": "An elevation of privilege vulnerability in the NVIDIA I2C HID driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.10 and Kernel 3.18. Android ID: A-33040280. References: N-CVE-2017-0325.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0325"
},
{
"id": "CVE-2017-0327",
"summary": "An elevation of privilege vulnerability in the NVIDIA crypto driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.10. Android ID: A-33893669. References: N-CVE-2017-0327.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0327"
},
{
"id": "CVE-2017-0328",
"summary": "An information disclosure vulnerability in the NVIDIA crypto driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.10. Android ID: A-33898322. References: N-CVE-2017-0328.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0328"
},
{
"id": "CVE-2017-0329",
"summary": "An elevation of privilege vulnerability in the NVIDIA boot and power management processor driver could enable a local malicious application to execute arbitrary code within the context of the boot and power management processor. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.18. Android ID:A-34115304. References: N-CVE-2017-0329.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0329"
},
{
"id": "CVE-2017-0330",
"summary": "An information disclosure vulnerability in the NVIDIA crypto driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.10. Android ID: A-33899858. References: N-CVE-2017-0330.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0330"
},
{
"id": "CVE-2017-0331",
"summary": "An elevation of privilege vulnerability in the NVIDIA video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel 3.10. Android ID: A-34113000. References: N-CVE-2017-0331.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0331"
},
{
"id": "CVE-2017-0332",
"summary": "An elevation of privilege vulnerability in the NVIDIA crypto driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.10. Android ID: A-33812508. References: N-CVE-2017-0332.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0332"
},
{
"id": "CVE-2017-0333",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33899363. References: N-CVE-2017-0333.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0333"
},
{
"id": "CVE-2017-0334",
"summary": "An information disclosure vulnerability in the NVIDIA GPU driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.18. Android ID: A-33245849. References: N-CVE-2017-0334.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0334"
},
{
"id": "CVE-2017-0335",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33043375. References: N-CVE-2017-0335.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0335"
},
{
"id": "CVE-2017-0336",
"summary": "An information disclosure vulnerability in the NVIDIA GPU driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.18. Android ID: A-33042679. References: N-CVE-2017-0336.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0336"
},
{
"id": "CVE-2017-0337",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-31992762. References: N-CVE-2017-0337.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0337"
},
{
"id": "CVE-2017-0338",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33057977. References: N-CVE-2017-0338.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0338"
},
{
"id": "CVE-2017-0339",
"summary": "An elevation of privilege vulnerability in the NVIDIA crypto driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.10. Android ID: A-27930566. References: N-CVE-2017-0339.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0339"
},
{
"id": "CVE-2017-0403",
"summary": "An elevation of privilege vulnerability in the kernel performance subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32402548.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0403"
},
{
"id": "CVE-2017-0404",
"summary": "An elevation of privilege vulnerability in the kernel sound subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32510733.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0404"
},
{
"id": "CVE-2017-0427",
"summary": "An elevation of privilege vulnerability in the kernel file system could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31495866.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0427"
},
{
"id": "CVE-2017-0428",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32401526. References: N-CVE-2017-0428.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0428"
},
{
"id": "CVE-2017-0429",
"summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32636619. References: N-CVE-2017-0429.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0429"
},
{
"id": "CVE-2017-0430",
"summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32838767. References: B-RB#107459.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0430"
},
{
"id": "CVE-2017-0432",
"summary": "An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-28332719.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0432"
},
{
"id": "CVE-2017-0433",
"summary": "An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the touchscreen chipset. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31913571.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0433"
},
{
"id": "CVE-2017-0434",
"summary": "An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the touchscreen chipset. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33001936.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0434"
},
{
"id": "CVE-2017-0435",
"summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31906657. References: QC-CR#1078000.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0435"
},
{
"id": "CVE-2017-0436",
"summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32624661. References: QC-CR#1078000.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0436"
},
{
"id": "CVE-2017-0437",
"summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32402310. References: QC-CR#1092497.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0437"
},
{
"id": "CVE-2017-0438",
"summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32402604. References: QC-CR#1092497.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0438"
},
{
"id": "CVE-2017-0439",
"summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32450647. References: QC-CR#1092059.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0439"
},
{
"id": "CVE-2017-0440",
"summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33252788. References: QC-CR#1095770.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0440"
},
{
"id": "CVE-2017-0441",
"summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32872662. References: QC-CR#1095009.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0441"
},
{
"id": "CVE-2017-0442",
"summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32871330. References: QC-CR#1092497.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0442"
},
{
"id": "CVE-2017-0443",
"summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32877494. References: QC-CR#1092497.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0443"
},
{
"id": "CVE-2017-0444",
"summary": "An elevation of privilege vulnerability in the Realtek sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-32705232.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0444"
},
{
"id": "CVE-2017-0445",
"summary": "An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32769717.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0445"
},
{
"id": "CVE-2017-0446",
"summary": "An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32917445.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0446"
},
{
"id": "CVE-2017-0447",
"summary": "An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32919560.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0447"
},
{
"id": "CVE-2017-0448",
"summary": "An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10. Android ID: A-32721029. References: N-CVE-2017-0448.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0448"
},
{
"id": "CVE-2017-0449",
"summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.10. Android ID: A-31707909. References: B-RB#32094.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0449"
},
{
"id": "CVE-2017-0451",
"summary": "An information disclosure vulnerability in the Qualcomm sound driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31796345. References: QC-CR#1073129.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0451"
},
{
"id": "CVE-2017-0452",
"summary": "An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Low because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-32873615. References: QC-CR#1093693.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0452"
},
{
"id": "CVE-2017-0453",
"summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-33979145. References: QC-CR#1105085.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0453"
},
{
"id": "CVE-2017-0454",
"summary": "An elevation of privilege vulnerability in the Qualcomm audio driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33353700. References: QC-CR#1104067.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0454"
},
{
"id": "CVE-2017-0455",
"summary": "An information disclosure vulnerability in the Qualcomm bootloader could help to enable a local malicious application to to execute arbitrary code within the context of the bootloader. This issue is rated as High because it is a general bypass for a bootloader level defense in depth or exploit mitigation technology. Product: Android. Versions: Kernel-3.18. Android ID: A-32370952. References: QC-CR#1082755.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0455"
},
{
"id": "CVE-2017-0456",
"summary": "An elevation of privilege vulnerability in the Qualcomm IPA driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33106520. References: QC-CR#1099598.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0456"
},
{
"id": "CVE-2017-0457",
"summary": "An elevation of privilege vulnerability in the Qualcomm ADSPRPC driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31695439. References: QC-CR#1086123, QC-CR#1100695.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0457"
},
{
"id": "CVE-2017-0458",
"summary": "An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32588962. References: QC-CR#1089433.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0458"
},
{
"id": "CVE-2017-0459",
"summary": "An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32644895. References: QC-CR#1091939.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0459"
},
{
"id": "CVE-2017-0460",
"summary": "An elevation of privilege vulnerability in the Qualcomm networking driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31252965. References: QC-CR#1098801.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0460"
},
{
"id": "CVE-2017-0461",
"summary": "An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32073794. References: QC-CR#1100132.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0461"
},
{
"id": "CVE-2017-0462",
"summary": "An elevation of privilege vulnerability in the Qualcomm Seemp driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33353601. References: QC-CR#1102288.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0462"
},
{
"id": "CVE-2017-0463",
"summary": "An elevation of privilege vulnerability in the Qualcomm networking driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33277611. References: QC-CR#1101792.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0463"
},
{
"id": "CVE-2017-0464",
"summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32940193. References: QC-CR#1102593.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0464"
},
{
"id": "CVE-2017-0465",
"summary": "An elevation of privilege vulnerability in the Qualcomm ADSPRPC driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34112914. References: QC-CR#1110747.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0465"
},
{
"id": "CVE-2017-0507",
"summary": "An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31992382.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0507"
},
{
"id": "CVE-2017-0508",
"summary": "An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33940449.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0508"
},
{
"id": "CVE-2017-0510",
"summary": "An elevation of privilege vulnerability in the kernel FIQ debugger could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32402555.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0510"
},
{
"id": "CVE-2017-0516",
"summary": "An elevation of privilege vulnerability in the Qualcomm input hardware driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32341680. References: QC-CR#1096301.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0516"
},
{
"id": "CVE-2017-0518",
"summary": "An elevation of privilege vulnerability in the Qualcomm fingerprint sensor driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32370896. References: QC-CR#1086530.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0518"
},
{
"id": "CVE-2017-0519",
"summary": "An elevation of privilege vulnerability in the Qualcomm fingerprint sensor driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32372915. References: QC-CR#1086530.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0519"
},
{
"id": "CVE-2017-0520",
"summary": "An elevation of privilege vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31750232. References: QC-CR#1082636.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0520"
},
{
"id": "CVE-2017-0521",
"summary": "An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32919951. References: QC-CR#1097709.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0521"
},
{
"id": "CVE-2017-0523",
"summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: N/A. Android ID: A-32835279. References: QC-CR#1096945.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0523"
},
{
"id": "CVE-2017-0524",
"summary": "An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33002026.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0524"
},
{
"id": "CVE-2017-0525",
"summary": "An elevation of privilege vulnerability in the Qualcomm IPA driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33139056. References: QC-CR#1097714.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0525"
},
{
"id": "CVE-2017-0526",
"summary": "An elevation of privilege vulnerability in the HTC Sensor Hub Driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-33897738.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0526"
},
{
"id": "CVE-2017-0527",
"summary": "An elevation of privilege vulnerability in the HTC Sensor Hub Driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33899318.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0527"
},
{
"id": "CVE-2017-0528",
"summary": "An elevation of privilege vulnerability in the kernel security subsystem could enable a local malicious application to to execute code in the context of a privileged process. This issue is rated as High because it is a general bypass for a kernel level defense in depth or exploit mitigation technology. Product: Android. Versions: Kernel-3.18. Android ID: A-33351919.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0528"
},
{
"id": "CVE-2017-0531",
"summary": "An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32877245. References: QC-CR#1087469.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0531"
},
{
"id": "CVE-2017-0533",
"summary": "An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32509422. References: QC-CR#1088206.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0533"
},
{
"id": "CVE-2017-0534",
"summary": "An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32508732. References: QC-CR#1088206.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0534"
},
{
"id": "CVE-2017-0535",
"summary": "An information disclosure vulnerability in the HTC sound codec driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-33547247.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0535"
},
{
"id": "CVE-2017-0536",
"summary": "An information disclosure vulnerability in the Synaptics touchscreen driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33555878.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0536"
},
{
"id": "CVE-2017-0537",
"summary": "An information disclosure vulnerability in the kernel USB gadget driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-31614969.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0537"
},
{
"id": "CVE-2017-0561",
"summary": "A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary code within the context of the Wi-Fi SoC. This issue is rated as Critical due to the possibility of remote code execution in the context of the Wi-Fi SoC. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34199105. References: B-RB#110814.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0561"
},
{
"id": "CVE-2017-0563",
"summary": "An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32089409.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0563"
},
{
"id": "CVE-2017-0564",
"summary": "An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34276203.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0564"
},
{
"id": "CVE-2017-0567",
"summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32125310. References: B-RB#112575.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0567"
},
{
"id": "CVE-2017-0568",
"summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34197514. References: B-RB#112600.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0568"
},
{
"id": "CVE-2017-0569",
"summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34198729. References: B-RB#110666.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0569"
},
{
"id": "CVE-2017-0570",
"summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34199963. References: B-RB#110688.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0570"
},
{
"id": "CVE-2017-0571",
"summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34203305. References: B-RB#111541.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0571"
},
{
"id": "CVE-2017-0572",
"summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-34198931. References: B-RB#112597.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0572"
},
{
"id": "CVE-2017-0573",
"summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34469904. References: B-RB#91539.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0573"
},
{
"id": "CVE-2017-0574",
"summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34624457. References: B-RB#113189.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0574"
},
{
"id": "CVE-2017-0575",
"summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32658595. References: QC-CR#1103099.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0575"
},
{
"id": "CVE-2017-0576",
"summary": "An elevation of privilege vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33544431. References: QC-CR#1103089.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0576"
},
{
"id": "CVE-2017-0577",
"summary": "An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33842951.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0577"
},
{
"id": "CVE-2017-0579",
"summary": "An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34125463. References: QC-CR#1115406.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0579"
},
{
"id": "CVE-2017-0580",
"summary": "An elevation of privilege vulnerability in the Synaptics Touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-34325986.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0580"
},
{
"id": "CVE-2017-0581",
"summary": "An elevation of privilege vulnerability in the Synaptics Touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-34614485.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0581"
},
{
"id": "CVE-2017-0582",
"summary": "An elevation of privilege vulnerability in the HTC OEM fastboot command could enable a local malicious application to execute arbitrary code within the context of the sensor hub. This issue is rated as Moderate because it first requires exploitation of separate vulnerabilities. Product: Android. Versions: Kernel-3.10. Android ID: A-33178836.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0582"
},
{
"id": "CVE-2017-0583",
"summary": "An elevation of privilege vulnerability in the Qualcomm CP access driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and because of vulnerability specific details which limit the impact of the issue. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32068683. References: QC-CR#1103788.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0583"
},
{
"id": "CVE-2017-0584",
"summary": "An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32074353. References: QC-CR#1104731.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0584"
},
{
"id": "CVE-2017-0585",
"summary": "An information disclosure vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32475556. References: B-RB#112953.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0585"
},
{
"id": "CVE-2017-0586",
"summary": "An information disclosure vulnerability in the Qualcomm sound driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33649808. References: QC-CR#1097569.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0586"
},
{
"id": "CVE-2017-0606",
"summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34088848. References: QC-CR#1116015.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0606"
},
{
"id": "CVE-2017-0607",
"summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-35400551. References: QC-CR#1085928.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0607"
},
{
"id": "CVE-2017-0608",
"summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35400458. References: QC-CR#1098363.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0608"
},
{
"id": "CVE-2017-0609",
"summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35399801. References: QC-CR#1090482.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0609"
},
{
"id": "CVE-2017-0610",
"summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35399404. References: QC-CR#1094852.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0610"
},
{
"id": "CVE-2017-0611",
"summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35393841. References: QC-CR#1084210.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0611"
},
{
"id": "CVE-2017-0612",
"summary": "An elevation of privilege vulnerability in the Qualcomm Secure Execution Environment Communicator driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-34389303. References: QC-CR#1061845.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0612"
},
{
"id": "CVE-2017-0613",
"summary": "An elevation of privilege vulnerability in the Qualcomm Secure Execution Environment Communicator driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35400457. References: QC-CR#1086140.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0613"
},
{
"id": "CVE-2017-0614",
"summary": "An elevation of privilege vulnerability in the Qualcomm Secure Execution Environment Communicator driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35399405. References: QC-CR#1080290.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0614"
},
{
"id": "CVE-2017-0619",
"summary": "An elevation of privilege vulnerability in the Qualcomm pin controller driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-35401152. References: QC-CR#826566.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0619"
},
{
"id": "CVE-2017-0620",
"summary": "An elevation of privilege vulnerability in the Qualcomm Secure Channel Manager driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35401052. References: QC-CR#1081711.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0620"
},
{
"id": "CVE-2017-0621",
"summary": "An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-35399703. References: QC-CR#831322.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0621"
},
{
"id": "CVE-2017-0622",
"summary": "An elevation of privilege vulnerability in the Goodix touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-32749036. References: QC-CR#1098602.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0622"
},
{
"id": "CVE-2017-0623",
"summary": "An elevation of privilege vulnerability in the HTC bootloader could enable a local malicious application to execute arbitrary code within the context of the bootloader. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32512358.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0623"
},
{
"id": "CVE-2017-0624",
"summary": "An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34327795. References: QC-CR#2005832.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0624"
},
{
"id": "CVE-2017-0626",
"summary": "An information disclosure vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35393124. References: QC-CR#1088050.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0626"
},
{
"id": "CVE-2017-0627",
"summary": "An information disclosure vulnerability in the kernel UVC driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33300353.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0627",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc1"
},
{
"id": "CVE-2017-0628",
"summary": "An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34230377. References: QC-CR#1086833.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0628"
},
{
"id": "CVE-2017-0629",
"summary": "An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35214296. References: QC-CR#1086833.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0629"
},
{
"id": "CVE-2017-0630",
"summary": "An information disclosure vulnerability in the kernel trace subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34277115.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0630"
},
{
"id": "CVE-2017-0631",
"summary": "An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35399756. References: QC-CR#1093232.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0631"
},
{
"id": "CVE-2017-0632",
"summary": "An information disclosure vulnerability in the Qualcomm sound codec driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-35392586. References: QC-CR#832915.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0632"
},
{
"id": "CVE-2017-0633",
"summary": "An information disclosure vulnerability in the Broadcom Wi-Fi driver could enable a local malicious component to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-36000515. References: B-RB#117131.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0633"
},
{
"id": "CVE-2017-0634",
"summary": "An information disclosure vulnerability in the Synaptics touchscreen driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32511682.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0634"
},
{
"id": "CVE-2017-0648",
"summary": "An elevation of privilege vulnerability in the kernel FIQ debugger could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-36101220.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0648"
},
{
"id": "CVE-2017-0650",
"summary": "An information disclosure vulnerability in the Synaptics touchscreen driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Low because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35472278.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0650"
},
{
"id": "CVE-2017-0651",
"summary": "An information disclosure vulnerability in the kernel ION subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Low because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-35644815.",
"scorev2": "2.6",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0651"
},
{
"id": "CVE-2017-0750",
"summary": "A elevation of privilege vulnerability in the Upstream Linux file system. Product: Android. Versions: Android kernel. Android ID: A-36817013.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0750",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2017-0786",
"summary": "A elevation of privilege vulnerability in the Broadcom wi-fi driver. Product: Android. Versions: Android kernel. Android ID: A-37351060. References: B-V2017060101.",
"scorev2": "5.8",
"scorev3": "8.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0786",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc4"
},
{
"id": "CVE-2017-0861",
"summary": "Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem in the Linux kernel allows attackers to gain privileges via unspecified vectors.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0861",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc3"
},
{
"id": "CVE-2017-1000111",
"summary": "Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000111",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc5"
},
{
"id": "CVE-2017-1000112",
"summary": "Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\") on Oct 18 2005.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000112",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc5"
},
{
"id": "CVE-2017-1000251",
"summary": "The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 2.6.32 and up to and including 4.13.1, are vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space.",
"scorev2": "7.7",
"scorev3": "8.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000251",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc1"
},
{
"id": "CVE-2017-1000252",
"summary": "The KVM subsystem in the Linux kernel through 4.13.3 allows guest OS users to cause a denial of service (assertion failure, and hypervisor hang or crash) via an out-of bounds guest_irq value, related to arch/x86/kvm/vmx.c and virt/kvm/eventfd.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000252",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc1"
},
{
"id": "CVE-2017-1000253",
"summary": "Linux distributions that have not patched their long-term kernels with https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (committed on April 14, 2015). This kernel vulnerability was fixed in April 2015 by commit a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to Linux 3.10.77 in May 2015), but it was not recognized as a security threat. With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down address allocation strategy, load_elf_binary() will attempt to map a PIE binary into an address range immediately below mm->mmap_base. Unfortunately, load_elf_ binary() does not take account of the need to allocate sufficient space for the entire binary which means that, while the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent PT_LOAD segment(s) end up being mapped above mm->mmap_base into the are that is supposed to be the \"gap\" between the stack and the binary.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000253",
"detail": "fixed-version",
"description": "Fixed from version 4.1rc1"
},
{
"id": "CVE-2017-1000255",
"summary": "On Linux running on PowerPC hardware (Power8 or later) a user process can craft a signal frame and then do a sigreturn so that the kernel will take an exception (interrupt), and use the r1 value *from the signal frame* as the kernel stack pointer. As part of the exception entry the content of the signal frame is written to the kernel stack, allowing an attacker to overwrite arbitrary locations with arbitrary values. The exception handling does produce an oops, and a panic if panic_on_oops=1, but only after kernel memory has been over written. This flaw was introduced in commit: \"5d176f751ee3 (powerpc: tm: Enable transactional memory (TM) lazily for userspace)\" which was merged upstream into v4.9-rc1. Please note that kernels built with CONFIG_PPC_TRANSACTIONAL_MEM=n are not vulnerable.",
"scorev2": "6.6",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000255",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc5"
},
{
"id": "CVE-2017-1000363",
"summary": "Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr integer is static, a 'secure boot' kernel command line adversary (can happen due to bootloader vulns, e.g. Google Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has partial control over the command line) can overflow the parport_nr array in the following code, by appending many (>LP_NO) 'lp=none' arguments to the command line.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000363",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc2"
},
{
"id": "CVE-2017-1000364",
"summary": "An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be \"jumped\" over (the stack guard page is bypassed), this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010).",
"scorev2": "6.2",
"scorev3": "7.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000364",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc6"
},
{
"id": "CVE-2017-1000365",
"summary": "The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and earlier. It appears that this feature was introduced in the Linux Kernel version 2.6.23.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000365",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc7"
},
{
"id": "CVE-2017-1000370",
"summary": "The offset2lib patch as used in the Linux Kernel contains a vulnerability that allows a PIE binary to be execve()'ed with 1GB of arguments or environmental strings then the stack occupies the address 0x80000000 and the PIE binary is mapped above 0x40000000 nullifying the protection of the offset2lib patch. This affects Linux Kernel version 4.11.5 and earlier. This is a different issue than CVE-2017-1000371. This issue appears to be limited to i386 based systems.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000370",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2017-1000371",
"summary": "The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction) then the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000 the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This affects Linux Kernel version 4.11.5. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365. This issue appears to be limited to i386 based systems.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000371",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2017-1000377",
"summary": "An issue was discovered in the size of the default stack guard page on PAX Linux (originally from GRSecurity but shipped by other Linux vendors), specifically the default stack guard page is not sufficiently large and can be \"jumped\" over (the stack guard page is bypassed), this affects PAX Linux Kernel versions as of June 19, 2017 (specific version information is not available at this time).",
"scorev2": "4.6",
"scorev3": "5.9",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000377",
"detail": "not-applicable-platform",
"description": "GRSecurity specific"
},
{
"id": "CVE-2017-1000379",
"summary": "The Linux Kernel running on AMD64 systems will sometimes map the contents of PIE executable, the heap or ld.so to where the stack is mapped allowing attackers to more easily manipulate the stack. Linux Kernel version 4.11.5 is affected.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000379",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc6"
},
{
"id": "CVE-2017-1000380",
"summary": "sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000380",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc5"
},
{
"id": "CVE-2017-1000405",
"summary": "The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original \"Dirty cow\" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000405",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc2"
},
{
"id": "CVE-2017-1000407",
"summary": "The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic.",
"scorev2": "6.1",
"scorev3": "7.4",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000407",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc3"
},
{
"id": "CVE-2017-1000410",
"summary": "The Linux kernel version 3.3-rc1 and later is affected by a vulnerability lies in the processing of incoming L2CAP commands - ConfigRequest, and ConfigResponse messages. This info leak is a result of uninitialized stack variables that may be returned to an attacker in their uninitialized state. By manipulating the code flows that precede the handling of these configuration messages, an attacker can also gain some control over which data will be held in the uninitialized stack variables. This can allow him to bypass KASLR, and stack canaries protection - as both pointers and stack canaries may be leaked in this manner. Combining this vulnerability (for example) with the previously disclosed RCE vulnerability in L2CAP configuration parsing (CVE-2017-1000251) may allow an attacker to exploit the RCE against kernels which were built with the above mitigations. These are the specifics of this vulnerability: In the function l2cap_parse_conf_rsp and in the function l2cap_parse_conf_req the following variable is declared without initialization: struct l2cap_conf_efs efs; In addition, when parsing input configuration parameters in both of these functions, the switch case for handling EFS elements may skip the memcpy call that will write to the efs variable: ... case L2CAP_CONF_EFS: if (olen == sizeof(efs)) memcpy(&efs, (void *)val, olen); ... The olen in the above if is attacker controlled, and regardless of that if, in both of these functions the efs variable would eventually be added to the outgoing configuration request that is being built: l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs); So by sending a configuration request, or response, that contains an L2CAP_CONF_EFS element, but with an element length that is not sizeof(efs) - the memcpy to the uninitialized efs variable can be avoided, and the uninitialized variable would be returned to the attacker (16 bytes).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000410",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc8"
},
{
"id": "CVE-2017-10661",
"summary": "Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10661",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc1"
},
{
"id": "CVE-2017-10662",
"summary": "The sanity_check_raw_super function in fs/f2fs/super.c in the Linux kernel before 4.11.1 does not validate the segment count, which allows local users to gain privileges via unspecified vectors.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10662",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc1"
},
{
"id": "CVE-2017-10663",
"summary": "The sanity_check_ckpt function in fs/f2fs/super.c in the Linux kernel before 4.12.4 does not validate the blkoff and segno arrays, which allows local users to gain privileges via unspecified vectors.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10663",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2017-10810",
"summary": "Memory leak in the virtio_gpu_object_create function in drivers/gpu/drm/virtio/virtgpu_object.c in the Linux kernel through 4.11.8 allows attackers to cause a denial of service (memory consumption) by triggering object-initialization failures.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10810",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc1"
},
{
"id": "CVE-2017-10911",
"summary": "The make_response function in drivers/block/xen-blkback/blkback.c in the Linux kernel before 4.11.8 allows guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures, aka XSA-216.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10911",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc7"
},
{
"id": "CVE-2017-11089",
"summary": "In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a buffer overread is observed in nl80211_set_station when user space application sends attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE with data of size less than 4 bytes",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11089",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2017-11176",
"summary": "The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11176",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2017-11472",
"summary": "The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11472",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc1"
},
{
"id": "CVE-2017-11473",
"summary": "Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel through 3.2 allows local users to gain privileges via a crafted ACPI table.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11473",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc2"
},
{
"id": "CVE-2017-11600",
"summary": "net/xfrm/xfrm_policy.c in the Linux kernel through 4.12.3, when CONFIG_XFRM_MIGRATE is enabled, does not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allows local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11600",
"detail": "fixed-version",
"description": "Fixed from version 4.13"
},
{
"id": "CVE-2017-12134",
"summary": "The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation.",
"scorev2": "7.2",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12134",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc6"
},
{
"id": "CVE-2017-12146",
"summary": "The driver_override implementation in drivers/base/platform.c in the Linux kernel before 4.12.1 allows local users to gain privileges by leveraging a race condition between a read operation and a store operation that involve different overrides.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12146",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2017-12153",
"summary": "A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel through 4.13.3. This function does not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12153",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc2"
},
{
"id": "CVE-2017-12154",
"summary": "The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that the \"CR8-load exiting\" and \"CR8-store exiting\" L0 vmcs02 controls exist in cases where L1 omits the \"use TPR shadow\" vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the hardware CR8 register.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12154",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc1"
},
{
"id": "CVE-2017-12168",
"summary": "The access_pmu_evcntr function in arch/arm64/kvm/sys_regs.c in the Linux kernel before 4.8.11 allows privileged KVM guest OS users to cause a denial of service (assertion failure and host OS crash) by accessing the Performance Monitors Cycle Count Register (PMCCNTR).",
"scorev2": "4.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12168",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc6"
},
{
"id": "CVE-2017-12188",
"summary": "arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested virtualisation is used, does not properly traverse guest pagetable entries to resolve a guest virtual address, which allows L1 guest OS users to execute arbitrary code on the host OS or cause a denial of service (incorrect index during page walking, and host OS crash), aka an \"MMU potential stack buffer overrun.\"",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12188",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc5"
},
{
"id": "CVE-2017-12190",
"summary": "The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12190",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc5"
},
{
"id": "CVE-2017-12192",
"summary": "The keyctl_read_key function in security/keys/keyctl.c in the Key Management subcomponent in the Linux kernel before 4.13.5 does not properly consider that a key may be possessed but negatively instantiated, which allows local users to cause a denial of service (OOPS and system crash) via a crafted KEYCTL_READ operation.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12192",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc3"
},
{
"id": "CVE-2017-12193",
"summary": "The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12193",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc7"
},
{
"id": "CVE-2017-12762",
"summary": "In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. This affects the Linux kernel 4.9-stable tree, 4.12-stable tree, 3.18-stable tree, and 4.4-stable tree.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12762",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc4"
},
{
"id": "CVE-2017-13080",
"summary": "Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients.",
"scorev2": "2.9",
"scorev3": "5.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13080",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc6"
},
{
"id": "CVE-2017-13166",
"summary": "An elevation of privilege vulnerability in the kernel v4l2 video driver. Product: Android. Versions: Android kernel. Android ID A-34624167.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13166",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc1"
},
{
"id": "CVE-2017-13167",
"summary": "An elevation of privilege vulnerability in the kernel sound timer. Product: Android. Versions: Android kernel. Android ID A-37240993.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13167",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc4"
},
{
"id": "CVE-2017-13168",
"summary": "An elevation of privilege vulnerability in the kernel scsi driver. Product: Android. Versions: Android kernel. Android ID A-65023233.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13168",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc4"
},
{
"id": "CVE-2017-13215",
"summary": "A elevation of privilege vulnerability in the Upstream kernel skcipher. Product: Android. Versions: Android kernel. Android ID: A-64386293. References: Upstream kernel.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13215",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc1"
},
{
"id": "CVE-2017-13216",
"summary": "In ashmem_ioctl of ashmem.c, there is an out-of-bounds write due to insufficient locking when accessing asma. This could lead to a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-66954097.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13216",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc8"
},
{
"id": "CVE-2017-13220",
"summary": "An elevation of privilege vulnerability in the Upstream kernel bluez. Product: Android. Versions: Android kernel. Android ID: A-63527053.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13220",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc3"
},
{
"id": "CVE-2017-13305",
"summary": "A information disclosure vulnerability in the Upstream kernel encrypted-keys. Product: Android. Versions: Android kernel. Android ID: A-70526974.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13305",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc5"
},
{
"id": "CVE-2017-13686",
"summary": "net/ipv4/route.c in the Linux kernel 4.13-rc1 through 4.13-rc6 is too late to check for a NULL fi field when RTM_F_FIB_MATCH is set, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via crafted system calls. NOTE: this does not affect any stable release.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13686",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc7"
},
{
"id": "CVE-2017-13693",
"summary": "The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13693"
},
{
"id": "CVE-2017-13694",
"summary": "The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13694"
},
{
"id": "CVE-2017-13695",
"summary": "The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13695",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc1"
},
{
"id": "CVE-2017-13715",
"summary": "The __skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel before 4.3 does not ensure that n_proto, ip_proto, and thoff are initialized, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a single crafted MPLS packet.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13715",
"detail": "fixed-version",
"description": "Fixed from version 4.3rc1"
},
{
"id": "CVE-2017-14051",
"summary": "An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel through 4.12.10 allows local users to cause a denial of service (memory corruption and system crash) by leveraging root access.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14051",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc1"
},
{
"id": "CVE-2017-14106",
"summary": "The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14106",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc3"
},
{
"id": "CVE-2017-14140",
"summary": "The move_pages system call in mm/migrate.c in the Linux kernel before 4.12.9 doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14140",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc6"
},
{
"id": "CVE-2017-14156",
"summary": "The atyfb_ioctl function in drivers/video/fbdev/aty/atyfb_base.c in the Linux kernel through 4.12.10 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading locations associated with padding bytes.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14156",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc1"
},
{
"id": "CVE-2017-14340",
"summary": "The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux kernel before 4.13.2 does not verify that a filesystem has a realtime device, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via vectors related to setting an RHINHERIT flag on a directory.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14340",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc1"
},
{
"id": "CVE-2017-14489",
"summary": "The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel through 4.13.2 allows local users to cause a denial of service (panic) by leveraging incorrect length validation.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14489",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc3"
},
{
"id": "CVE-2017-14497",
"summary": "The tpacket_rcv function in net/packet/af_packet.c in the Linux kernel before 4.13 mishandles vnet headers, which might allow local users to cause a denial of service (buffer overflow, and disk and memory corruption) or possibly have unspecified other impact via crafted system calls.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14497",
"detail": "fixed-version",
"description": "Fixed from version 4.13"
},
{
"id": "CVE-2017-14954",
"summary": "The waitid implementation in kernel/exit.c in the Linux kernel through 4.13.4 accesses rusage data structures in unintended cases, which allows local users to obtain sensitive information, and bypass the KASLR protection mechanism, via a crafted system call.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14954",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc3"
},
{
"id": "CVE-2017-14991",
"summary": "The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14991",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc2"
},
{
"id": "CVE-2017-15102",
"summary": "The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference.",
"scorev2": "6.9",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15102",
"detail": "fixed-version",
"description": "Fixed from version 4.9rc1"
},
{
"id": "CVE-2017-15115",
"summary": "The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whether the intended netns is used in a peel-off action, which allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15115",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc6"
},
{
"id": "CVE-2017-15116",
"summary": "The rngapi_reset function in crypto/rng.c in the Linux kernel before 4.2 allows attackers to cause a denial of service (NULL pointer dereference).",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15116",
"detail": "fixed-version",
"description": "Fixed from version 4.2rc1"
},
{
"id": "CVE-2017-15121",
"summary": "A non-privileged user is able to mount a fuse filesystem on RHEL 6 or 7 and crash a system if an application punches a hole in a file that does not end aligned to a page boundary.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15121",
"detail": "fixed-version",
"description": "Fixed from version 3.11rc1"
},
{
"id": "CVE-2017-15126",
"summary": "A use-after-free flaw was found in fs/userfaultfd.c in the Linux kernel before 4.13.6. The issue is related to the handling of fork failure when dealing with event messages. Failure to fork correctly can lead to a situation where a fork event will be removed from an already freed list of events with userfaultfd_ctx_put().",
"scorev2": "9.3",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15126",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc4"
},
{
"id": "CVE-2017-15127",
"summary": "A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetlb.c in the Linux kernel before 4.13. A superfluous implicit page unlock for VM_SHARED hugetlbfs mapping could trigger a local denial of service (BUG).",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15127",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc5"
},
{
"id": "CVE-2017-15128",
"summary": "A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetlb.c in the Linux kernel before 4.13.12. A lack of size check could cause a denial of service (BUG).",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15128",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc8"
},
{
"id": "CVE-2017-15129",
"summary": "A use-after-free vulnerability was found in network namespaces code affecting the Linux kernel before 4.14.11. The function get_net_ns_by_id() in net/core/net_namespace.c does not check for the net::count value after it has found a peer network in netns_ids idr, which could lead to double free and memory corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is thought to be unlikely.",
"scorev2": "4.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15129",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc5"
},
{
"id": "CVE-2017-15265",
"summary": "Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15265",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc5"
},
{
"id": "CVE-2017-15274",
"summary": "security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15274",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc5"
},
{
"id": "CVE-2017-15299",
"summary": "The KEYS subsystem in the Linux kernel through 4.13.7 mishandles use of add_key for a key that already exists but is uninstantiated, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15299",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc6"
},
{
"id": "CVE-2017-15306",
"summary": "The kvm_vm_ioctl_check_extension function in arch/powerpc/kvm/powerpc.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) via a KVM_CHECK_EXTENSION KVM_CAP_PPC_HTM ioctl call to /dev/kvm.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15306",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc7"
},
{
"id": "CVE-2017-15537",
"summary": "The x86/fpu (Floating Point Unit) subsystem in the Linux kernel before 4.13.5, when a processor supports the xsave feature but not the xsaves feature, does not correctly handle attempts to set reserved bits in the xstate header via the ptrace() or rt_sigreturn() system call, allowing local users to read the FPU registers of other processes on the system, related to arch/x86/kernel/fpu/regset.c and arch/x86/kernel/fpu/signal.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15537",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc3"
},
{
"id": "CVE-2017-15649",
"summary": "net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15649",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc4"
},
{
"id": "CVE-2017-15868",
"summary": "The bnep_add_connection function in net/bluetooth/bnep/core.c in the Linux kernel before 3.19 does not ensure that an l2cap socket is available, which allows local users to gain privileges via a crafted application.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15868",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc3"
},
{
"id": "CVE-2017-15951",
"summary": "The KEYS subsystem in the Linux kernel before 4.13.10 does not correctly synchronize the actions of updating versus finding a key in the \"negative\" state to avoid a race condition, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15951",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc6"
},
{
"id": "CVE-2017-16525",
"summary": "The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16525",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc5"
},
{
"id": "CVE-2017-16526",
"summary": "drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16526",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc4"
},
{
"id": "CVE-2017-16527",
"summary": "sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16527",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc5"
},
{
"id": "CVE-2017-16528",
"summary": "sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local users to cause a denial of service (snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16528",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc1"
},
{
"id": "CVE-2017-16529",
"summary": "The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16529",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc4"
},
{
"id": "CVE-2017-16530",
"summary": "The uas driver in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to drivers/usb/storage/uas-detect.h and drivers/usb/storage/uas.c.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16530",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc4"
},
{
"id": "CVE-2017-16531",
"summary": "drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16531",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc4"
},
{
"id": "CVE-2017-16532",
"summary": "The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16532",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc5"
},
{
"id": "CVE-2017-16533",
"summary": "The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16533",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc5"
},
{
"id": "CVE-2017-16534",
"summary": "The cdc_parse_cdc_header function in drivers/usb/core/message.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.",
"scorev2": "7.2",
"scorev3": "6.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16534",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc4"
},
{
"id": "CVE-2017-16535",
"summary": "The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel before 4.13.10 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16535",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc6"
},
{
"id": "CVE-2017-16536",
"summary": "The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16536",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc1"
},
{
"id": "CVE-2017-16537",
"summary": "The imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16537",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc1"
},
{
"id": "CVE-2017-16538",
"summary": "drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device, related to a missing warm-start check and incorrect attach timing (dm04_lme2510_frontend_attach versus dm04_lme2510_tuner).",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16538",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc1"
},
{
"id": "CVE-2017-16643",
"summary": "The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16643",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc7"
},
{
"id": "CVE-2017-16644",
"summary": "The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16644",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc1"
},
{
"id": "CVE-2017-16645",
"summary": "The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16645",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc6"
},
{
"id": "CVE-2017-16646",
"summary": "drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16646",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc1"
},
{
"id": "CVE-2017-16647",
"summary": "drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16647",
"detail": "fixed-version",
"description": "Fixed from version 4.14"
},
{
"id": "CVE-2017-16648",
"summary": "The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device. NOTE: the function was later renamed __dvb_frontend_free.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16648",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc1"
},
{
"id": "CVE-2017-16649",
"summary": "The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16649",
"detail": "fixed-version",
"description": "Fixed from version 4.14"
},
{
"id": "CVE-2017-16650",
"summary": "The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16650",
"detail": "fixed-version",
"description": "Fixed from version 4.14"
},
{
"id": "CVE-2017-16911",
"summary": "The vhci_hcd driver in the Linux Kernel before version 4.14.8 and 4.4.114 allows allows local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16911",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc4"
},
{
"id": "CVE-2017-16912",
"summary": "The \"get_pipe()\" function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 allows attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet.",
"scorev2": "7.1",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16912",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc4"
},
{
"id": "CVE-2017-16913",
"summary": "The \"stub_recv_cmd_submit()\" function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 when handling CMD_SUBMIT packets allows attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet.",
"scorev2": "7.1",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16913",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc4"
},
{
"id": "CVE-2017-16914",
"summary": "The \"stub_send_ret_submit()\" function (drivers/usb/usbip/stub_tx.c) in the Linux Kernel before version 4.14.8, 4.9.71, 4.1.49, and 4.4.107 allows attackers to cause a denial of service (NULL pointer dereference) via a specially crafted USB over IP packet.",
"scorev2": "7.1",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16914",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc4"
},
{
"id": "CVE-2017-16939",
"summary": "The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16939",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc7"
},
{
"id": "CVE-2017-16994",
"summary": "The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16994",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc1"
},
{
"id": "CVE-2017-16995",
"summary": "The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16995",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc5"
},
{
"id": "CVE-2017-16996",
"summary": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging register truncation mishandling.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16996",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc5"
},
{
"id": "CVE-2017-17052",
"summary": "The mm_init function in kernel/fork.c in the Linux kernel before 4.12.10 does not clear the ->exe_file member of a new process's mm_struct, allowing a local attacker to achieve a use-after-free or possibly have unspecified other impact by running a specially crafted program.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17052",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc7"
},
{
"id": "CVE-2017-17053",
"summary": "The init_new_context function in arch/x86/include/asm/mmu_context.h in the Linux kernel before 4.12.10 does not correctly handle errors from LDT table allocation when forking a new process, allowing a local attacker to achieve a use-after-free or possibly have unspecified other impact by running a specially crafted program. This vulnerability only affected kernels built with CONFIG_MODIFY_LDT_SYSCALL=y.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17053",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc7"
},
{
"id": "CVE-2017-17448",
"summary": "net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations, which allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17448",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc4"
},
{
"id": "CVE-2017-17449",
"summary": "The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel through 4.14.4, when CONFIG_NLMON is enabled, does not restrict observations of Netlink messages to a single net namespace, which allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17449",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc4"
},
{
"id": "CVE-2017-17450",
"summary": "net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17450",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc4"
},
{
"id": "CVE-2017-17558",
"summary": "The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17558",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc4"
},
{
"id": "CVE-2017-17712",
"summary": "The raw_sendmsg() function in net/ipv4/raw.c in the Linux kernel through 4.14.6 has a race condition in inet->hdrincl that leads to uninitialized stack pointer usage; this allows a local user to execute code and gain privileges.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17712",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc4"
},
{
"id": "CVE-2017-17741",
"summary": "The KVM implementation in the Linux kernel through 4.14.7 allows attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17741",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc5"
},
{
"id": "CVE-2017-17805",
"summary": "The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17805",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc4"
},
{
"id": "CVE-2017-17806",
"summary": "The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17806",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc4"
},
{
"id": "CVE-2017-17807",
"summary": "The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current task's \"default request-key keyring\" via the request_key() system call, allowing a local user to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17807",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc3"
},
{
"id": "CVE-2017-17852",
"summary": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of 32-bit ALU ops.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17852",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc5"
},
{
"id": "CVE-2017-17853",
"summary": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect BPF_RSH signed bounds calculations.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17853",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc5"
},
{
"id": "CVE-2017-17854",
"summary": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (integer overflow and memory corruption) or possibly have unspecified other impact by leveraging unrestricted integer values for pointer arithmetic.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17854",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc5"
},
{
"id": "CVE-2017-17855",
"summary": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging improper use of pointers in place of scalars.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17855",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc5"
},
{
"id": "CVE-2017-17856",
"summary": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the lack of stack-pointer alignment enforcement.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17856",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc5"
},
{
"id": "CVE-2017-17857",
"summary": "The check_stack_boundary function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of invalid variable stack read operations.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17857",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc5"
},
{
"id": "CVE-2017-17862",
"summary": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 ignores unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17862",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc1"
},
{
"id": "CVE-2017-17863",
"summary": "kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71 does not check the relationship between pointer values and the BPF stack, which allows local users to cause a denial of service (integer overflow or invalid memory access) or possibly have unspecified other impact.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17863",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc5"
},
{
"id": "CVE-2017-17864",
"summary": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 mishandles states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allows local users to obtain potentially sensitive address information, aka a \"pointer leak.\"",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17864",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc5"
},
{
"id": "CVE-2017-17975",
"summary": "Use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c in the Linux kernel through 4.14.10 allows attackers to cause a denial of service (system crash) or possibly have unspecified other impact by triggering failure of audio registration, because a kfree of the usbtv data structure occurs during a usbtv_video_free call, but the usbtv_video_fail label's code attempts to both access and free this data structure.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17975",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc1"
},
{
"id": "CVE-2017-18017",
"summary": "The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18017",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc7"
},
{
"id": "CVE-2017-18075",
"summary": "crypto/pcrypt.c in the Linux kernel before 4.14.13 mishandles freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18075",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc7"
},
{
"id": "CVE-2017-18079",
"summary": "drivers/input/serio/i8042.c in the Linux kernel before 4.12.4 allows attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port->exists value can change after it is validated.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18079",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2017-18174",
"summary": "In the Linux kernel before 4.7, the amd_gpio_remove function in drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function, leading to a double free.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18174",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc1"
},
{
"id": "CVE-2017-18193",
"summary": "fs/f2fs/extent_cache.c in the Linux kernel before 4.13 mishandles extent trees, which allows local users to cause a denial of service (BUG) via an application with multiple threads.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18193",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2017-18200",
"summary": "The f2fs implementation in the Linux kernel before 4.14 mishandles reference counts associated with f2fs_wait_discard_bios calls, which allows local users to cause a denial of service (BUG), as demonstrated by fstrim.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18200",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc5"
},
{
"id": "CVE-2017-18202",
"summary": "The __oom_reap_task_mm function in mm/oom_kill.c in the Linux kernel before 4.14.4 mishandles gather operations, which allows attackers to cause a denial of service (TLB entry leak or use-after-free) or possibly have unspecified other impact by triggering a copy_to_user call within a certain time window.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18202",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc2"
},
{
"id": "CVE-2017-18203",
"summary": "The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel before 4.14.3 allow local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18203",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc1"
},
{
"id": "CVE-2017-18204",
"summary": "The ocfs2_setattr function in fs/ocfs2/file.c in the Linux kernel before 4.14.2 allows local users to cause a denial of service (deadlock) via DIO requests.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18204",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc1"
},
{
"id": "CVE-2017-18208",
"summary": "The madvise_willneed function in mm/madvise.c in the Linux kernel before 4.14.4 allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18208",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc2"
},
{
"id": "CVE-2017-18216",
"summary": "In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, local users can cause a denial of service (NULL pointer dereference and BUG) because a required mutex is not used.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18216",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc1"
},
{
"id": "CVE-2017-18218",
"summary": "In drivers/net/ethernet/hisilicon/hns/hns_enet.c in the Linux kernel before 4.13, local users can cause a denial of service (use-after-free and BUG) or possibly have unspecified other impact by leveraging differences in skb handling between hns_nic_net_xmit_hw and hns_nic_net_xmit.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18218",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2017-18221",
"summary": "The __munlock_pagevec function in mm/mlock.c in the Linux kernel before 4.11.4 allows local users to cause a denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall and munlockall system calls.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18221",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc4"
},
{
"id": "CVE-2017-18222",
"summary": "In the Linux kernel before 4.12, Hisilicon Network Subsystem (HNS) does not consider the ETH_SS_PRIV_FLAGS case when retrieving sset_count data, which allows local users to cause a denial of service (buffer overflow and memory corruption) or possibly have unspecified other impact, as demonstrated by incompatibility between hns_get_sset_count and ethtool_get_strings.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18222",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc1"
},
{
"id": "CVE-2017-18224",
"summary": "In the Linux kernel before 4.15, fs/ocfs2/aops.c omits use of a semaphore and consequently has a race condition for access to the extent tree during read operations in DIRECT mode, which allows local users to cause a denial of service (BUG) by modifying a certain e_cpos field.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18224",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc1"
},
{
"id": "CVE-2017-18232",
"summary": "The Serial Attached SCSI (SAS) implementation in the Linux kernel through 4.15.9 mishandles a mutex within libsas, which allows local users to cause a denial of service (deadlock) by triggering certain error-handling code.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18232",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc1"
},
{
"id": "CVE-2017-18241",
"summary": "fs/f2fs/segment.c in the Linux kernel before 4.13 allows local users to cause a denial of service (NULL pointer dereference and panic) by using a noflush_merge option that triggers a NULL value for a flush_cmd_control data structure.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18241",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2017-18249",
"summary": "The add_free_nid function in fs/f2fs/node.c in the Linux kernel before 4.12 does not properly track an allocated nid, which allows local users to cause a denial of service (race condition) or possibly have unspecified other impact via concurrent threads.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18249",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc1"
},
{
"id": "CVE-2017-18255",
"summary": "The perf_cpu_time_max_percent_handler function in kernel/events/core.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18255",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc1"
},
{
"id": "CVE-2017-18257",
"summary": "The __get_data_block function in fs/f2fs/data.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow and loop) via crafted use of the open and fallocate system calls with an FS_IOC_FIEMAP ioctl.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18257",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc1"
},
{
"id": "CVE-2017-18261",
"summary": "The arch_timer_reg_read_stable macro in arch/arm64/include/asm/arch_timer.h in the Linux kernel before 4.13 allows local users to cause a denial of service (infinite recursion) by writing to a file under /sys/kernel/debug in certain circumstances, as demonstrated by a scenario involving debugfs, ftrace, PREEMPT_TRACER, and FUNCTION_GRAPH_TRACER.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18261",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc6"
},
{
"id": "CVE-2017-18270",
"summary": "In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands, setting unwanted defaults or causing a denial of service.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18270",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc3"
},
{
"id": "CVE-2017-18344",
"summary": "The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18344",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc4"
},
{
"id": "CVE-2017-18360",
"summary": "In change_port_settings in drivers/usb/serial/io_ti.c in the Linux kernel before 4.11.3, local users could cause a denial of service by division-by-zero in the serial device layer by trying to set very high baud rates.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18360",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc2"
},
{
"id": "CVE-2017-18379",
"summary": "In the Linux kernel before 4.14, an out of boundary access happened in drivers/nvme/target/fc.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18379",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc3"
},
{
"id": "CVE-2017-18509",
"summary": "An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11. By setting a specific socket option, an attacker can control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after namespace unsharing. This occurs because sk_type and protocol are not checked in the appropriate part of the ip6_mroute_* functions. NOTE: this affects Linux distributions that use 4.9.x longterm kernels before 4.9.187.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18509",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc1"
},
{
"id": "CVE-2017-18549",
"summary": "An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_send_raw_srb does not initialize the reply structure.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18549",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2017-18550",
"summary": "An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_get_hba_info does not initialize the hbainfo structure.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18550",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2017-18551",
"summary": "An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18551",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc9"
},
{
"id": "CVE-2017-18552",
"summary": "An issue was discovered in net/rds/af_rds.c in the Linux kernel before 4.11. There is an out of bounds write and read in the function rds_recv_track_latency.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18552",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc1"
},
{
"id": "CVE-2017-18595",
"summary": "An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18595",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc6"
},
{
"id": "CVE-2017-2583",
"summary": "The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the Linux kernel before 4.9.5 improperly emulates a \"MOV SS, NULL selector\" instruction, which allows guest OS users to cause a denial of service (guest OS crash) or gain guest OS privileges via a crafted application.",
"scorev2": "4.6",
"scorev3": "8.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2583",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc4"
},
{
"id": "CVE-2017-2584",
"summary": "arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free) via a crafted application that leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2584",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc4"
},
{
"id": "CVE-2017-2596",
"summary": "The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel through 4.9.8 improperly emulates the VMXON instruction, which allows KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2596",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc1"
},
{
"id": "CVE-2017-2618",
"summary": "A flaw was found in the Linux kernel's handling of clearing SELinux attributes on /proc/pid/attr files before 4.9.10. An empty (null) write to this file can crash the system by causing the system to attempt to access unmapped kernel memory.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2618",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc8"
},
{
"id": "CVE-2017-2634",
"summary": "It was found that the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation before 2.6.22.17 used the IPv4-only inet_sk_rebuild_header() function for both IPv4 and IPv6 DCCP connections, which could result in memory corruptions. A remote attacker could use this flaw to crash the system.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2634",
"detail": "fixed-version",
"description": "Fixed from version 2.6.25rc1"
},
{
"id": "CVE-2017-2636",
"summary": "Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2636",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc2"
},
{
"id": "CVE-2017-2647",
"summary": "The KEYS subsystem in the Linux kernel before 3.18 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2647",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc1"
},
{
"id": "CVE-2017-2671",
"summary": "The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2671",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc6"
},
{
"id": "CVE-2017-5123",
"summary": "Insufficient data validation in waitid allowed an user to escape sandboxes on Linux.",
"scorev2": "4.6",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5123",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc5"
},
{
"id": "CVE-2017-5546",
"summary": "The freelist-randomization feature in mm/slab.c in the Linux kernel 4.8.x and 4.9.x before 4.9.5 allows local users to cause a denial of service (duplicate freelist entries and system crash) or possibly have unspecified other impact in opportunistic circumstances by leveraging the selection of a large value for a random number.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5546",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc4"
},
{
"id": "CVE-2017-5547",
"summary": "drivers/hid/hid-corsair.c in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5547",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc5"
},
{
"id": "CVE-2017-5548",
"summary": "drivers/net/ieee802154/atusb.c in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5548",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc5"
},
{
"id": "CVE-2017-5549",
"summary": "The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in the Linux kernel before 4.9.5 places uninitialized heap-memory contents into a log entry upon a failure to read the line status, which allows local users to obtain sensitive information by reading the log.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5549",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc4"
},
{
"id": "CVE-2017-5550",
"summary": "Off-by-one error in the pipe_advance function in lib/iov_iter.c in the Linux kernel before 4.9.5 allows local users to obtain sensitive information from uninitialized heap-memory locations in opportunistic circumstances by reading from a pipe after an incorrect buffer-release decision.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5550",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc4"
},
{
"id": "CVE-2017-5551",
"summary": "The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097.",
"scorev2": "3.6",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5551",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc4"
},
{
"id": "CVE-2017-5576",
"summary": "Integer overflow in the vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 allows local users to cause a denial of service or possibly have unspecified other impact via a crafted size value in a VC4_SUBMIT_CL ioctl call.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5576",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc6"
},
{
"id": "CVE-2017-5577",
"summary": "The vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 does not set an errno value upon certain overflow detections, which allows local users to cause a denial of service (incorrect pointer dereference and OOPS) via inconsistent size values in a VC4_SUBMIT_CL ioctl call.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5577",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc6"
},
{
"id": "CVE-2017-5669",
"summary": "The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5669",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc1"
},
{
"id": "CVE-2017-5715",
"summary": "Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.",
"scorev2": "1.9",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5715",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc8"
},
{
"id": "CVE-2017-5753",
"summary": "Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.",
"scorev2": "4.7",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5753",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc8"
},
{
"id": "CVE-2017-5754",
"summary": "Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.",
"scorev2": "4.7",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5754",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc1"
},
{
"id": "CVE-2017-5897",
"summary": "The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5897",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc8"
},
{
"id": "CVE-2017-5967",
"summary": "The time subsystem in the Linux kernel through 4.9.9, when CONFIG_TIMER_STATS is enabled, allows local users to discover real PID values (as distinguished from PID values inside a PID namespace) by reading the /proc/timer_list file, related to the print_timer function in kernel/time/timer_list.c and the __timer_stats_timer_set_start_info function in kernel/time/timer.c.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5967",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc1"
},
{
"id": "CVE-2017-5970",
"summary": "The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5970",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc8"
},
{
"id": "CVE-2017-5972",
"summary": "The TCP stack in the Linux kernel 3.x does not properly implement a SYN cookie protection mechanism for the case of a fast network connection, which allows remote attackers to cause a denial of service (CPU consumption) by sending many TCP SYN packets, as demonstrated by an attack against the kernel-3.10.0 package in CentOS Linux 7. NOTE: third parties have been unable to discern any relationship between the GitHub Engineering finding and the Trigemini.c attack code.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5972",
"detail": "fixed-version",
"description": "Fixed from version 4.4rc1"
},
{
"id": "CVE-2017-5986",
"summary": "Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5986",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc8"
},
{
"id": "CVE-2017-6001",
"summary": "Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain privileges via a crafted application that makes concurrent perf_event_open system calls for moving a software group into a hardware context. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-6786.",
"scorev2": "7.6",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6001",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc4"
},
{
"id": "CVE-2017-6074",
"summary": "The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6074",
"detail": "fixed-version",
"description": "Fixed from version 4.10"
},
{
"id": "CVE-2017-6214",
"summary": "The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6214",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc8"
},
{
"id": "CVE-2017-6264",
"summary": "An elevation of privilege vulnerability exists in the NVIDIA GPU driver (gm20b_clk_throt_set_cdev_state), where an out of bound memory read is used as a function pointer could lead to code execution in the kernel.This issue is rated as high because it could allow a local malicious application to execute arbitrary code within the context of a privileged process. Product: Android. Version: N/A. Android ID: A-34705430. References: N-CVE-2017-6264.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6264",
"detail": "not-applicable-platform",
"description": "Android specific"
},
{
"id": "CVE-2017-6345",
"summary": "The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6345",
"detail": "fixed-version",
"description": "Fixed from version 4.10"
},
{
"id": "CVE-2017-6346",
"summary": "Race condition in net/packet/af_packet.c in the Linux kernel before 4.9.13 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that makes PACKET_FANOUT setsockopt system calls.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6346",
"detail": "fixed-version",
"description": "Fixed from version 4.10"
},
{
"id": "CVE-2017-6347",
"summary": "The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel before 4.10.1 has incorrect expectations about skb data layout, which allows local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE flag in conjunction with loopback UDP transmission.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6347",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc1"
},
{
"id": "CVE-2017-6348",
"summary": "The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on IrDA devices.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6348",
"detail": "fixed-version",
"description": "Fixed from version 4.10"
},
{
"id": "CVE-2017-6353",
"summary": "net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6353",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc1"
},
{
"id": "CVE-2017-6874",
"summary": "Race condition in kernel/ucount.c in the Linux kernel through 4.10.2 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls that leverage certain decrement behavior that causes incorrect interaction between put_ucounts and get_ucounts.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6874",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc2"
},
{
"id": "CVE-2017-6951",
"summary": "The keyring_search_aux function in security/keys/keyring.c in the Linux kernel through 3.14.79 allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the \"dead\" type.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6951",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc1"
},
{
"id": "CVE-2017-7184",
"summary": "The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7184",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc5"
},
{
"id": "CVE-2017-7187",
"summary": "The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through 4.10.4 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7187",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc5"
},
{
"id": "CVE-2017-7261",
"summary": "The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7261",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc6"
},
{
"id": "CVE-2017-7273",
"summary": "The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux kernel 3.2 and 4.x before 4.9.4 allows physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report.",
"scorev2": "4.6",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7273",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc4"
},
{
"id": "CVE-2017-7277",
"summary": "The TCP stack in the Linux kernel through 4.10.6 mishandles the SCM_TIMESTAMPING_OPT_STATS feature, which allows local users to obtain sensitive information from the kernel's internal socket data structures or cause a denial of service (out-of-bounds read) via crafted system calls, related to net/core/skbuff.c and net/socket.c.",
"scorev2": "6.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7277",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc4"
},
{
"id": "CVE-2017-7294",
"summary": "The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6 does not validate addition of certain levels data, which allows local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7294",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc6"
},
{
"id": "CVE-2017-7308",
"summary": "The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7308",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc6"
},
{
"id": "CVE-2017-7346",
"summary": "The vmw_gb_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.7 does not validate certain levels data, which allows local users to cause a denial of service (system hang) via a crafted ioctl call for a /dev/dri/renderD* device.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7346",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc5"
},
{
"id": "CVE-2017-7374",
"summary": "Use-after-free vulnerability in fs/crypto/ in the Linux kernel before 4.10.7 allows local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7374",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc4"
},
{
"id": "CVE-2017-7472",
"summary": "The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7472",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc8"
},
{
"id": "CVE-2017-7477",
"summary": "Heap-based buffer overflow in drivers/net/macsec.c in the MACsec module in the Linux kernel through 4.10.12 allows attackers to cause a denial of service or possibly have unspecified other impact by leveraging the use of a MAX_SKB_FRAGS+1 size in conjunction with the NETIF_F_FRAGLIST feature, leading to an error in the skb_to_sgvec function.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7477",
"detail": "fixed-version",
"description": "Fixed from version 4.11"
},
{
"id": "CVE-2017-7482",
"summary": "In the Linux kernel before version 4.12, Kerberos 5 tickets decoded when using the RXRPC keys incorrectly assumes the size of a field. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. This could possibly lead to memory corruption and possible privilege escalation.",
"scorev2": "7.2",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7482",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc7"
},
{
"id": "CVE-2017-7487",
"summary": "The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through 4.11.1 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7487",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc1"
},
{
"id": "CVE-2017-7495",
"summary": "fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 data=ordered mode is used, mishandles a needs-flushing-before-commit list, which allows local users to obtain sensitive information from other users' files in opportunistic circumstances by waiting for a hardware reset, creating a new file, making write system calls, and reading this file.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7495",
"detail": "fixed-version",
"description": "Fixed from version 4.7rc1"
},
{
"id": "CVE-2017-7518",
"summary": "A flaw was found in the Linux kernel before version 4.12 in the way the KVM module processed the trap flag(TF) bit in EFLAGS during emulation of the syscall instruction, which leads to a debug exception(#DB) being raised in the guest stack. A user/process inside a guest could use this flaw to potentially escalate their privileges inside the guest. Linux guests are not affected by this.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7518",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc7"
},
{
"id": "CVE-2017-7533",
"summary": "Race condition in the fsnotify implementation in the Linux kernel through 4.12.4 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7533",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2017-7541",
"summary": "The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel before 4.12.3 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7541",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2017-7542",
"summary": "The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel through 4.12.3 allows local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7542",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc2"
},
{
"id": "CVE-2017-7558",
"summary": "A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7558",
"detail": "fixed-version",
"description": "Fixed from version 4.13"
},
{
"id": "CVE-2017-7616",
"summary": "Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel through 4.10.9 allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7616",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc6"
},
{
"id": "CVE-2017-7618",
"summary": "crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7618",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc8"
},
{
"id": "CVE-2017-7645",
"summary": "The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7645",
"detail": "fixed-version",
"description": "Fixed from version 4.11"
},
{
"id": "CVE-2017-7889",
"summary": "The mm subsystem in the Linux kernel through 3.2 does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allows local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7889",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc7"
},
{
"id": "CVE-2017-7895",
"summary": "The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7895",
"detail": "fixed-version",
"description": "Fixed from version 4.11"
},
{
"id": "CVE-2017-7979",
"summary": "The cookie feature in the packet action API implementation in net/sched/act_api.c in the Linux kernel 4.11.x through 4.11-rc7 mishandles the tb nlattr array, which allows local users to cause a denial of service (uninitialized memory access and refcount underflow, and system hang or crash) or possibly have unspecified other impact via \"tc filter add\" commands in certain contexts. NOTE: this does not affect stable kernels, such as 4.10.x, from kernel.org.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7979",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc8"
},
{
"id": "CVE-2017-8061",
"summary": "drivers/media/usb/dvb-usb/dvb-usb-firmware.c in the Linux kernel 4.9.x and 4.10.x before 4.10.7 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8061",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc4"
},
{
"id": "CVE-2017-8062",
"summary": "drivers/media/usb/dvb-usb/dw2102.c in the Linux kernel 4.9.x and 4.10.x before 4.10.4 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8062",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc2"
},
{
"id": "CVE-2017-8063",
"summary": "drivers/media/usb/dvb-usb/cxusb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8063",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc1"
},
{
"id": "CVE-2017-8064",
"summary": "drivers/media/usb/dvb-usb-v2/dvb_usb_core.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8064",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc1"
},
{
"id": "CVE-2017-8065",
"summary": "crypto/ccm.c in the Linux kernel 4.9.x and 4.10.x through 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8065",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc1"
},
{
"id": "CVE-2017-8066",
"summary": "drivers/net/can/usb/gs_usb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.2 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8066",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc1"
},
{
"id": "CVE-2017-8067",
"summary": "drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8067",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc1"
},
{
"id": "CVE-2017-8068",
"summary": "drivers/net/usb/pegasus.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8068",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc8"
},
{
"id": "CVE-2017-8069",
"summary": "drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8069",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc8"
},
{
"id": "CVE-2017-8070",
"summary": "drivers/net/usb/catc.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8070",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc8"
},
{
"id": "CVE-2017-8071",
"summary": "drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 uses a spinlock without considering that sleeping is possible in a USB HID request callback, which allows local users to cause a denial of service (deadlock) via unspecified vectors.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8071",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc7"
},
{
"id": "CVE-2017-8072",
"summary": "The cp2112_gpio_direction_input function in drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 does not have the expected EIO error status for a zero-length report, which allows local users to have an unspecified impact via unknown vectors.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8072",
"detail": "fixed-version",
"description": "Fixed from version 4.10rc7"
},
{
"id": "CVE-2017-8106",
"summary": "The handle_invept function in arch/x86/kvm/vmx.c in the Linux kernel 3.12 through 3.15 allows privileged KVM guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a single-context INVEPT instruction with a NULL EPT pointer.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8106",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc1"
},
{
"id": "CVE-2017-8240",
"summary": "In all Android releases from CAF using the Linux kernel, a kernel driver has an off-by-one buffer over-read vulnerability.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8240",
"detail": "fixed-version",
"description": "Fixed from version 3.19rc6"
},
{
"id": "CVE-2017-8797",
"summary": "The NFSv4 server in the Linux kernel before 4.11.3 does not properly validate the layout type when processing the NFSv4 pNFS GETDEVICEINFO or LAYOUTGET operand in a UDP packet from a remote attacker. This type value is uninitialized upon encountering certain error conditions. This value is used as an array index for dereferencing, which leads to an OOPS and eventually a DoS of knfsd and a soft-lockup of the whole system.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8797",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc1"
},
{
"id": "CVE-2017-8824",
"summary": "The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8824",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc3"
},
{
"id": "CVE-2017-8831",
"summary": "The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.11.5 allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a \"double fetch\" vulnerability.",
"scorev2": "6.9",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8831",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2017-8890",
"summary": "The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel through 4.10.15 allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8890",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc1"
},
{
"id": "CVE-2017-8924",
"summary": "The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel before 4.10.4 allows local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow.",
"scorev2": "2.1",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8924",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc2"
},
{
"id": "CVE-2017-8925",
"summary": "The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel before 4.10.4 allows local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8925",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc2"
},
{
"id": "CVE-2017-9059",
"summary": "The NFSv4 implementation in the Linux kernel through 4.11.1 allows local users to cause a denial of service (resource consumption) by leveraging improper channel callback shutdown when unmounting an NFSv4 filesystem, aka a \"module reference and kernel daemon\" leak.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9059",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc1"
},
{
"id": "CVE-2017-9074",
"summary": "The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9074",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc2"
},
{
"id": "CVE-2017-9075",
"summary": "The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9075",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc2"
},
{
"id": "CVE-2017-9076",
"summary": "The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9076",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc2"
},
{
"id": "CVE-2017-9077",
"summary": "The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9077",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc2"
},
{
"id": "CVE-2017-9150",
"summary": "The do_check function in kernel/bpf/verifier.c in the Linux kernel before 4.11.1 does not make the allow_ptr_leaks value available for restricting the output of the print_bpf_insn function, which allows local users to obtain sensitive address information via crafted bpf system calls.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9150",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc1"
},
{
"id": "CVE-2017-9211",
"summary": "The crypto_skcipher_init_tfm function in crypto/skcipher.c in the Linux kernel through 4.11.2 relies on a setkey function that lacks a key-size check, which allows local users to cause a denial of service (NULL pointer dereference) via a crafted application.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9211",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc3"
},
{
"id": "CVE-2017-9242",
"summary": "The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9242",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc3"
},
{
"id": "CVE-2017-9605",
"summary": "The vmw_gb_surface_define_ioctl function (accessible via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.11.4 defines a backup_handle variable but does not give it an initial value. If one attempts to create a GB surface, with a previously allocated DMA buffer to be used as a backup buffer, the backup_handle variable does not get written to and is then later returned to user space, allowing local users to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9605",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc5"
},
{
"id": "CVE-2017-9725",
"summary": "In all Qualcomm products with Android releases from CAF using the Linux kernel, during DMA allocation, due to wrong data type of size, allocation size gets truncated which makes allocation succeed when it should fail.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9725",
"detail": "fixed-version",
"description": "Fixed from version 4.3rc7"
},
{
"id": "CVE-2017-9984",
"summary": "The snd_msnd_interrupt function in sound/isa/msnd/msnd_pinnacle.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a \"double fetch\" vulnerability.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9984",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2017-9985",
"summary": "The snd_msndmidi_input_read function in sound/isa/msnd/msnd_midi.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a \"double fetch\" vulnerability.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9985",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2017-9986",
"summary": "The intr function in sound/oss/msnd_pinnacle.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a \"double fetch\" vulnerability.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9986",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc1"
},
{
"id": "CVE-2018-1000004",
"summary": "In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a race condition vulnerability exists in the sound system, this can lead to a deadlock and denial of service condition.",
"scorev2": "7.1",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000004",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc9"
},
{
"id": "CVE-2018-1000026",
"summary": "Linux Linux kernel version at least v4.8 onwards, probably well before contains a Insufficient input validation vulnerability in bnx2x network card driver that can result in DoS: Network card firmware assertion takes card off-line. This attack appear to be exploitable via An attacker on a must pass a very large, specially crafted packet to the bnx2x card. This can be done from an untrusted guest VM..",
"scorev2": "6.8",
"scorev3": "7.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000026",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc1"
},
{
"id": "CVE-2018-1000028",
"summary": "Linux kernel version after commit bdcf0a423ea1 - 4.15-rc4+, 4.14.8+, 4.9.76+, 4.4.111+ contains a Incorrect Access Control vulnerability in NFS server (nfsd) that can result in remote users reading or writing files they should not be able to via NFS. This attack appear to be exploitable via NFS server must export a filesystem with the \"rootsquash\" options enabled. This vulnerability appears to have been fixed in after commit 1995266727fa.",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000028",
"detail": "fixed-version",
"description": "Fixed from version 4.15"
},
{
"id": "CVE-2018-1000199",
"summary": "The Linux Kernel version 3.18 contains a dangerous feature vulnerability in modify_user_hw_breakpoint() that can result in crash and possibly memory corruption. This attack appear to be exploitable via local code execution and the ability to use ptrace. This vulnerability appears to have been fixed in git commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000199",
"detail": "fixed-version",
"description": "Fixed from version 4.16"
},
{
"id": "CVE-2018-1000200",
"summary": "The Linux Kernel versions 4.14, 4.15, and 4.16 has a null pointer dereference which can result in an out of memory (OOM) killing of large mlocked processes. The issue arises from an oom killed process's final thread calling exit_mmap(), which calls munlock_vma_pages_all() for mlocked vmas.This can happen synchronously with the oom reaper's unmap_page_range() since the vma's VM_LOCKED bit is cleared before munlocking (to determine if any other vmas share the memory and are mlocked).",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000200",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc5"
},
{
"id": "CVE-2018-1000204",
"summary": "Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to the userspace. This has been fixed upstream in https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. NOTE: third parties dispute the relevance of this report, noting that the requirement for an attacker to have both the CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it \"virtually impossible to exploit.",
"scorev2": "6.3",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000204",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc7"
},
{
"id": "CVE-2018-10021",
"summary": "drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to cause a denial of service (ata qc leak) by triggering certain failure conditions. NOTE: a third party disputes the relevance of this report because the failure can only occur for physically proximate attackers who unplug SAS Host Bus Adapter cables",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10021",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc7"
},
{
"id": "CVE-2018-10074",
"summary": "The hi3660_stub_clk_probe function in drivers/clk/hisilicon/clk-hi3660-stub.c in the Linux kernel before 4.16 allows local users to cause a denial of service (NULL pointer dereference) by triggering a failure of resource retrieval.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10074",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc7"
},
{
"id": "CVE-2018-10087",
"summary": "The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10087",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2018-10124",
"summary": "The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10124",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2018-10322",
"summary": "The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference) via a crafted xfs image.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10322",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc4"
},
{
"id": "CVE-2018-10323",
"summary": "The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10323",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc4"
},
{
"id": "CVE-2018-1065",
"summary": "The netfilter subsystem in the Linux kernel through 4.15.7 mishandles the case of a rule blob that contains a jump but lacks a user-defined chain, which allows local users to cause a denial of service (NULL pointer dereference) by leveraging the CAP_NET_RAW or CAP_NET_ADMIN capability, related to arpt_do_table in net/ipv4/netfilter/arp_tables.c, ipt_do_table in net/ipv4/netfilter/ip_tables.c, and ip6t_do_table in net/ipv6/netfilter/ip6_tables.c.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1065",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc3"
},
{
"id": "CVE-2018-1066",
"summary": "The Linux kernel before version 4.11 is vulnerable to a NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response is mishandled during session recovery.",
"scorev2": "7.1",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1066",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc1"
},
{
"id": "CVE-2018-10675",
"summary": "The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10675",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc6"
},
{
"id": "CVE-2018-1068",
"summary": "A flaw was found in the Linux 4.x kernel's implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1068",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc5"
},
{
"id": "CVE-2018-10840",
"summary": "Linux kernel is vulnerable to a heap-based buffer overflow in the fs/ext4/xattr.c:ext4_xattr_set_entry() function. An attacker could exploit this by operating on a mounted crafted ext4 image.",
"scorev2": "7.2",
"scorev3": "5.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10840",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc1"
},
{
"id": "CVE-2018-10853",
"summary": "A flaw was found in the way Linux kernel KVM hypervisor before 4.18 emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10853",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc1"
},
{
"id": "CVE-2018-1087",
"summary": "kernel KVM before versions kernel 4.16, kernel 4.16-rc7, kernel 4.17-rc1, kernel 4.17-rc2 and kernel 4.17-rc3 is vulnerable to a flaw in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1087",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc7"
},
{
"id": "CVE-2018-10876",
"summary": "A flaw was found in Linux kernel in the ext4 filesystem code. A use-after-free is possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10876",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc4"
},
{
"id": "CVE-2018-10877",
"summary": "Linux kernel ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image.",
"scorev2": "6.8",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10877",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc4"
},
{
"id": "CVE-2018-10878",
"summary": "A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write and a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4 filesystem image.",
"scorev2": "6.1",
"scorev3": "4.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10878",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc4"
},
{
"id": "CVE-2018-10879",
"summary": "A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a file in a crafted ext4 filesystem image.",
"scorev2": "6.1",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10879",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc4"
},
{
"id": "CVE-2018-10880",
"summary": "Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could use this to cause a system crash and a denial of service.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10880",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc4"
},
{
"id": "CVE-2018-10881",
"summary": "A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10881",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc4"
},
{
"id": "CVE-2018-10882",
"summary": "A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound write in in fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10882",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc4"
},
{
"id": "CVE-2018-10883",
"summary": "A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10883",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc4"
},
{
"id": "CVE-2018-10901",
"summary": "A flaw was found in Linux kernel's KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host's userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. An attacker can use this to escalate their privileges.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10901",
"detail": "fixed-version",
"description": "Fixed from version 2.6.36rc1"
},
{
"id": "CVE-2018-10902",
"summary": "It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10902",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc6"
},
{
"id": "CVE-2018-1091",
"summary": "In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c in the Linux kernel before 4.13.5, a guest kernel crash can be triggered from unprivileged userspace during a core dump on a POWER host due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path, leading to a denial of service.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1091",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc2"
},
{
"id": "CVE-2018-1092",
"summary": "The ext4_iget function in fs/ext4/inode.c in the Linux kernel through 4.15.15 mishandles the case of a root directory with a zero i_links_count, which allows attackers to cause a denial of service (ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1092",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc1"
},
{
"id": "CVE-2018-1093",
"summary": "The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the Linux kernel through 4.15.15 allows attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image because balloc.c and ialloc.c do not validate bitmap block numbers.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1093",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc1"
},
{
"id": "CVE-2018-10938",
"summary": "A flaw was found in the Linux kernel present since v4.0-rc1 and through v4.13-rc4. A crafted network packet sent remotely by an attacker may force the kernel to enter an infinite loop in the cipso_v4_optptr() function in net/ipv4/cipso_ipv4.c leading to a denial-of-service. A certain non-default configuration of LSM (Linux Security Module) and NetLabel should be set up on a system before an attacker could leverage this flaw.",
"scorev2": "7.1",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10938",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc5"
},
{
"id": "CVE-2018-1094",
"summary": "The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.15.15 does not always initialize the crc32c checksum driver, which allows attackers to cause a denial of service (ext4_xattr_inode_hash NULL pointer dereference and system crash) via a crafted ext4 image.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1094",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc1"
},
{
"id": "CVE-2018-10940",
"summary": "The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6 allows local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10940",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc3"
},
{
"id": "CVE-2018-1095",
"summary": "The ext4_xattr_check_entries function in fs/ext4/xattr.c in the Linux kernel through 4.15.15 does not properly validate xattr sizes, which causes misinterpretation of a size as an error code, and consequently allows attackers to cause a denial of service (get_acl NULL pointer dereference and system crash) via a crafted ext4 image.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1095",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc1"
},
{
"id": "CVE-2018-1108",
"summary": "kernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1108",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc2"
},
{
"id": "CVE-2018-1118",
"summary": "Linux kernel vhost since version 4.8 does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1118",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc1"
},
{
"id": "CVE-2018-1120",
"summary": "A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc//cmdline (or /proc//environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks).",
"scorev2": "3.5",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1120",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc6"
},
{
"id": "CVE-2018-11232",
"summary": "The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11232",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc1"
},
{
"id": "CVE-2018-1128",
"summary": "It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable.",
"scorev2": "5.4",
"scorev3": "7.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1128",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-1129",
"summary": "A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable.",
"scorev2": "3.3",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1129",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-1130",
"summary": "Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in dccp_write_xmit() function in net/dccp/output.c in that allows a local user to cause a denial of service by a number of certain crafted system calls.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1130",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc7"
},
{
"id": "CVE-2018-11412",
"summary": "In the Linux kernel 4.13 through 4.16.11, ext4_read_inline_data() in fs/ext4/inline.c performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11412",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc1"
},
{
"id": "CVE-2018-11506",
"summary": "The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kernel through 4.16.12 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact because sense buffers have different sizes at the CDROM layer and the SCSI layer, as demonstrated by a CDROMREADMODE2 ioctl call.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11506",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc7"
},
{
"id": "CVE-2018-11508",
"summary": "The compat_get_timex function in kernel/compat.c in the Linux kernel before 4.16.9 allows local users to obtain sensitive information from kernel memory via adjtimex.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11508",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc5"
},
{
"id": "CVE-2018-12126",
"summary": "Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf",
"scorev2": "4.7",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12126",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2018-12127",
"summary": "Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf",
"scorev2": "4.7",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12127",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2018-12130",
"summary": "Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf",
"scorev2": "4.7",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12130",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2018-12207",
"summary": "Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R) Processors may allow an authenticated user to potentially enable denial of service of the host system via local access.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12207",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc2"
},
{
"id": "CVE-2018-12232",
"summary": "In net/socket.c in the Linux kernel through 4.17.1, there is a race condition between fchownat and close in cases where they target the same socket file descriptor, related to the sock_close and sockfs_setattr functions. fchownat does not increment the file descriptor reference count, which allows close to set the socket to NULL during fchownat's execution, leading to a NULL pointer dereference and system crash.",
"scorev2": "7.1",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12232",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc1"
},
{
"id": "CVE-2018-12233",
"summary": "In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4.17.1, a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12233",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc2"
},
{
"id": "CVE-2018-12633",
"summary": "An issue was discovered in the Linux kernel through 4.17.2. vbg_misc_device_ioctl() in drivers/virt/vboxguest/vboxguest_linux.c reads the same user data twice with copy_from_user. The header part of the user data is double-fetched, and a malicious user thread can tamper with the critical variables (hdr.size_in and hdr.size_out) in the header between the two fetches because of a race condition, leading to severe kernel errors, such as buffer over-accesses. This bug can cause a local denial of service and information leakage.",
"scorev2": "6.3",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12633",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc1"
},
{
"id": "CVE-2018-12714",
"summary": "An issue was discovered in the Linux kernel through 4.17.2. The filter parsing in kernel/trace/trace_events_filter.c could be called with no filter, which is an N=0 case when it expected at least one line to have been read, thus making the N-1 index invalid. This allows attackers to cause a denial of service (slab out-of-bounds write) or possibly have unspecified other impact via crafted perf_event_open and mmap system calls.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12714",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc2"
},
{
"id": "CVE-2018-12896",
"summary": "An issue was discovered in the Linux kernel through 4.17.3. An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically makes the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. For example, a local user can cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12896",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-12904",
"summary": "In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualization is used, local attackers could cause L1 KVM guests to VMEXIT, potentially allowing privilege escalations and denial of service attacks due to lack of checking of CPL.",
"scorev2": "4.4",
"scorev3": "4.9",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12904",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc1"
},
{
"id": "CVE-2018-12928",
"summary": "In the Linux kernel 4.15.0, a NULL pointer dereference was discovered in hfs_ext_read_extent in hfs.ko. This can occur during a mount of a crafted hfs filesystem.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12928"
},
{
"id": "CVE-2018-12929",
"summary": "ntfs_read_locked_inode in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a use-after-free read and possibly cause a denial of service (kernel oops or panic) via a crafted ntfs filesystem.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12929"
},
{
"id": "CVE-2018-12930",
"summary": "ntfs_end_buffer_async_read in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12930"
},
{
"id": "CVE-2018-12931",
"summary": "ntfs_attr_find in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12931"
},
{
"id": "CVE-2018-13053",
"summary": "The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the Linux kernel through 4.17.3 has an integer overflow via a large relative timeout because ktime_add_safe is not used.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13053",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-13093",
"summary": "An issue was discovered in fs/xfs/xfs_icache.c in the Linux kernel through 4.17.3. There is a NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during allocation.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13093",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc1"
},
{
"id": "CVE-2018-13094",
"summary": "An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13094",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc1"
},
{
"id": "CVE-2018-13095",
"summary": "An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.17.3. A denial of service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13095",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc3"
},
{
"id": "CVE-2018-13096",
"summary": "An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.14. A denial of service (out-of-bounds memory access and BUG) can occur upon encountering an abnormal bitmap size when mounting a crafted f2fs image.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13096",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-13097",
"summary": "An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3. There is an out-of-bounds read or a divide-by-zero error for an incorrect user_block_count in a corrupted f2fs image, leading to a denial of service (BUG).",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13097",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-13098",
"summary": "An issue was discovered in fs/f2fs/inode.c in the Linux kernel through 4.17.3. A denial of service (slab out-of-bounds read and BUG) can occur for a modified f2fs filesystem image in which FI_EXTRA_ATTR is set in an inode.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13098",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-13099",
"summary": "An issue was discovered in fs/f2fs/inline.c in the Linux kernel through 4.4. A denial of service (out-of-bounds memory access and BUG) can occur for a modified f2fs filesystem image in which an inline inode contains an invalid reserved blkaddr.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13099",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-13100",
"summary": "An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3, which does not properly validate secs_per_zone in a corrupted f2fs image, as demonstrated by a divide-by-zero error.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13100",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-13405",
"summary": "The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13405",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc4"
},
{
"id": "CVE-2018-13406",
"summary": "An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c in the Linux kernel before 4.17.4 could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13406",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc1"
},
{
"id": "CVE-2018-14609",
"summary": "An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in __del_reloc_root() in fs/btrfs/relocation.c when mounting a crafted btrfs image, related to removing reloc rb_trees when reloc control has not been initialized.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14609",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-14610",
"summary": "An issue was discovered in the Linux kernel through 4.17.10. There is out-of-bounds access in write_extent_buffer() when mounting and operating a crafted btrfs image, because of a lack of verification that each block group has a corresponding chunk at mount time, within btrfs_read_block_groups in fs/btrfs/extent-tree.c.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14610",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-14611",
"summary": "An issue was discovered in the Linux kernel through 4.17.10. There is a use-after-free in try_merge_free_space() when mounting a crafted btrfs image, because of a lack of chunk type flag checks in btrfs_check_chunk_valid in fs/btrfs/volumes.c.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14611",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-14612",
"summary": "An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in btrfs_root_node() when mounting a crafted btrfs image, because of a lack of chunk block group mapping validation in btrfs_read_block_groups in fs/btrfs/extent-tree.c, and a lack of empty-tree checks in check_leaf in fs/btrfs/tree-checker.c.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14612",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-14613",
"summary": "An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item validation in check_leaf_item in fs/btrfs/tree-checker.c.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14613",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-14614",
"summary": "An issue was discovered in the Linux kernel through 4.17.10. There is an out-of-bounds access in __remove_dirty_segment() in fs/f2fs/segment.c when mounting an f2fs image.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14614",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-14615",
"summary": "An issue was discovered in the Linux kernel through 4.17.10. There is a buffer overflow in truncate_inline_inode() in fs/f2fs/inline.c when umounting an f2fs image, because a length value may be negative.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14615",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-14616",
"summary": "An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference in fscrypt_do_page_crypto() in fs/crypto/crypto.c when operating on a file in a corrupted f2fs image.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14616",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-14617",
"summary": "An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14617",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-14619",
"summary": "A flaw was found in the crypto subsystem of the Linux kernel before version kernel-4.15-rc4. The \"null skcipher\" was being dropped when each af_alg_ctx was freed instead of when the aead_tfm was freed. This can cause the null skcipher to be freed while it is still in use leading to a local user being able to crash the system or possibly escalate privileges.",
"scorev2": "7.2",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14619",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc4"
},
{
"id": "CVE-2018-14625",
"summary": "A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14625",
"detail": "fixed-version",
"description": "Fixed from version 4.20rc6"
},
{
"id": "CVE-2018-14633",
"summary": "A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. Kernel versions 4.18.x, 4.14.x and 3.10.x are believed to be vulnerable.",
"scorev2": "8.3",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14633",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc6"
},
{
"id": "CVE-2018-14634",
"summary": "An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerable.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14634",
"detail": "fixed-version",
"description": "Fixed from version 4.13rc1"
},
{
"id": "CVE-2018-14641",
"summary": "A security flaw was found in the ip_frag_reasm() function in net/ipv4/ip_fragment.c in the Linux kernel from 4.19-rc1 to 4.19-rc3 inclusive, which can cause a later system crash in ip_do_fragment(). With certain non-default, but non-rare, configuration of a victim host, an attacker can trigger this crash remotely, thus leading to a remote denial-of-service.",
"scorev2": "7.1",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14641",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc4"
},
{
"id": "CVE-2018-14646",
"summary": "The Linux kernel before 4.15-rc8 was found to be vulnerable to a NULL pointer dereference bug in the __netlink_ns_capable() function in the net/netlink/af_netlink.c file. A local attacker could exploit this when a net namespace with a netnsid is assigned to cause a kernel panic and a denial of service.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14646",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc8"
},
{
"id": "CVE-2018-14656",
"summary": "A missing address check in the callers of the show_opcodes() in the Linux kernel allows an attacker to dump the kernel memory at an arbitrary kernel address into the dmesg log.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14656",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc2"
},
{
"id": "CVE-2018-14678",
"summary": "An issue was discovered in the Linux kernel through 4.17.11, as used in Xen through 4.11.x. The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S does not properly maintain RBX, which allows local users to cause a denial of service (uninitialized memory usage and system crash). Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14678",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc8"
},
{
"id": "CVE-2018-14734",
"summary": "drivers/infiniband/core/ucma.c in the Linux kernel through 4.17.11 allows ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allows attackers to cause a denial of service (use-after-free).",
"scorev2": "6.1",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14734",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc1"
},
{
"id": "CVE-2018-15471",
"summary": "An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c in the Linux kernel through 4.18.1, as used in Xen through 4.11.x and other products. The Linux netback driver allows frontends to control mapping of requests to request queues. When processing a request to set or change this mapping, some input validation (e.g., for an integer overflow) was missing or flawed, leading to OOB access in hash handling. A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in one or more of privilege escalation, Denial of Service (DoS), or information leaks.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15471",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc7"
},
{
"id": "CVE-2018-15572",
"summary": "The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1 does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace-userspace spectreRSB attacks.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15572",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-15594",
"summary": "arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15594",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-16276",
"summary": "An issue was discovered in yurex_read in drivers/usb/misc/yurex.c in the Linux kernel before 4.17.7. Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16276",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc5"
},
{
"id": "CVE-2018-16597",
"summary": "An issue was discovered in the Linux kernel before 4.8. Incorrect access checking in overlayfs mounts could be used by local attackers to modify or truncate files in the underlying filesystem.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16597",
"detail": "fixed-version",
"description": "Fixed from version 4.8rc1"
},
{
"id": "CVE-2018-16658",
"summary": "An issue was discovered in the Linux kernel before 4.18.6. An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940.",
"scorev2": "3.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16658",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc2"
},
{
"id": "CVE-2018-16862",
"summary": "A security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16862",
"detail": "fixed-version",
"description": "Fixed from version 4.20rc5"
},
{
"id": "CVE-2018-16871",
"summary": "A flaw was found in the Linux kernel's NFS implementation, all versions 3.x and all versions 4.x up to 4.20. An attacker, who is able to mount an exported NFS filesystem, is able to trigger a null pointer dereference by using an invalid NFS sequence. This can panic the machine and deny access to the NFS server. Any outstanding disk writes to the NFS server will be lost.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16871",
"detail": "fixed-version",
"description": "Fixed from version 4.20rc3"
},
{
"id": "CVE-2018-16880",
"summary": "A flaw was found in the Linux kernel's handle_rx() function in the [vhost_net] driver. A malicious virtual guest, under specific conditions, can trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host which may lead to a kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. Versions from v4.16 and newer are vulnerable.",
"scorev2": "6.9",
"scorev3": "5.9",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16880",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc5"
},
{
"id": "CVE-2018-16882",
"summary": "A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while processing posted interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' descriptor address, which is later used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash the host kernel resulting in DoS or potentially gain privileged access to a system. Kernel versions before 4.14.91 and before 4.19.13 are vulnerable.",
"scorev2": "7.2",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16882",
"detail": "fixed-version",
"description": "Fixed from version 4.20"
},
{
"id": "CVE-2018-16884",
"summary": "A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.",
"scorev2": "6.7",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16884",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc1"
},
{
"id": "CVE-2018-16885",
"summary": "A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length which causes the read beyond the buffer boundaries, in certain cases causing a memory access fault and a system halt by accessing invalid memory address. This issue only affects kernel version 3.10.x as shipped with Red Hat Enterprise Linux 7.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16885"
},
{
"id": "CVE-2018-17182",
"summary": "An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17182",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc4"
},
{
"id": "CVE-2018-17972",
"summary": "An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17972",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc7"
},
{
"id": "CVE-2018-17977",
"summary": "The Linux kernel 4.14.67 mishandles certain interaction among XFRM Netlink messages, IPPROTO_AH packets, and IPPROTO_IP packets, which allows local users to cause a denial of service (memory consumption and system hang) by leveraging root access to execute crafted applications, as demonstrated on CentOS 7.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17977"
},
{
"id": "CVE-2018-18021",
"summary": "arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the arm64 platform mishandles the KVM_SET_ON_REG ioctl. This is exploitable by attackers who can create virtual machines. An attacker can arbitrarily redirect the hypervisor flow of control (with full register control). An attacker can also cause a denial of service (hypervisor panic) via an illegal exception return. This occurs because of insufficient restrictions on userspace access to the core register file, and because PSTATE.M validation does not prevent unintended execution modes.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18021",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc7"
},
{
"id": "CVE-2018-18281",
"summary": "Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18281",
"detail": "fixed-version",
"description": "Fixed from version 4.19"
},
{
"id": "CVE-2018-18386",
"summary": "drivers/tty/n_tty.c in the Linux kernel before 4.14.11 allows local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18386",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc6"
},
{
"id": "CVE-2018-18397",
"summary": "The userfaultfd implementation in the Linux kernel before 4.19.7 mishandles access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18397",
"detail": "fixed-version",
"description": "Fixed from version 4.20rc5"
},
{
"id": "CVE-2018-18445",
"summary": "In the Linux kernel 4.14.x, 4.15.x, 4.16.x, 4.17.x, and 4.18.x before 4.18.13, faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandles 32-bit right shifts.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18445",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc7"
},
{
"id": "CVE-2018-18559",
"summary": "In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because of the 15fe076edea787807a7cdc168df832544b58eba6 incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18559",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc2"
},
{
"id": "CVE-2018-18690",
"summary": "In the Linux kernel before 4.17, a local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE operations with conversion of an attr from short to long form.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18690",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc4"
},
{
"id": "CVE-2018-18710",
"summary": "An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18710",
"detail": "fixed-version",
"description": "Fixed from version 4.20rc1"
},
{
"id": "CVE-2018-18955",
"summary": "In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18955",
"detail": "fixed-version",
"description": "Fixed from version 4.20rc2"
},
{
"id": "CVE-2018-19406",
"summary": "kvm_pv_send_ipi in arch/x86/kvm/lapic.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where the apic map is uninitialized.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19406",
"detail": "fixed-version",
"description": "Fixed from version 4.20rc5"
},
{
"id": "CVE-2018-19407",
"summary": "The vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19407",
"detail": "fixed-version",
"description": "Fixed from version 4.20rc5"
},
{
"id": "CVE-2018-19824",
"summary": "In the Linux kernel through 4.19.6, a local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19824",
"detail": "fixed-version",
"description": "Fixed from version 4.20rc6"
},
{
"id": "CVE-2018-19854",
"summary": "An issue was discovered in the Linux kernel before 4.19.3. crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. NOTE: this is a CVE-2013-2547 regression but with easier exploitability because the attacker does not need a capability (however, the system must have the CONFIG_CRYPTO_USER kconfig option).",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19854",
"detail": "fixed-version",
"description": "Fixed from version 4.20rc3"
},
{
"id": "CVE-2018-19985",
"summary": "The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that potentially allows arbitrary read in the kernel address space.",
"scorev2": "2.1",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19985",
"detail": "fixed-version",
"description": "Fixed from version 4.20"
},
{
"id": "CVE-2018-20169",
"summary": "An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.",
"scorev2": "7.2",
"scorev3": "6.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20169",
"detail": "fixed-version",
"description": "Fixed from version 4.20rc6"
},
{
"id": "CVE-2018-20449",
"summary": "The hidma_chan_stats function in drivers/dma/qcom/hidma_dbg.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading \"callback=\" lines in a debugfs file.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20449",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc2"
},
{
"id": "CVE-2018-20509",
"summary": "The print_binder_ref_olocked function in drivers/android/binder.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading \" ref *desc *node\" lines in a debugfs file.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20509",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc1"
},
{
"id": "CVE-2018-20510",
"summary": "The print_binder_transaction_ilocked function in drivers/android/binder.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading \"*from *code *flags\" lines in a debugfs file.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20510",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc3"
},
{
"id": "CVE-2018-20511",
"summary": "An issue was discovered in the Linux kernel before 4.18.11. The ipddp_ioctl function in drivers/net/appletalk/ipddp.c allows local users to obtain sensitive kernel address information by leveraging CAP_NET_ADMIN to read the ipddp_route dev and next fields via an SIOCFINDIPDDPRT ioctl call.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20511",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc5"
},
{
"id": "CVE-2018-20669",
"summary": "An issue where a provided address with access_ok() is not checked was discovered in i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Linux kernel through 4.19.13. A local attacker can craft a malicious IOCTL function call to overwrite arbitrary kernel memory, resulting in a Denial of Service or privilege escalation.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20669",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc1"
},
{
"id": "CVE-2018-20784",
"summary": "In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq's, which allows attackers to cause a denial of service (infinite loop in update_blocked_averages) or possibly have unspecified other impact by inducing a high load.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20784",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc1"
},
{
"id": "CVE-2018-20836",
"summary": "An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free.",
"scorev2": "9.3",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20836",
"detail": "fixed-version",
"description": "Fixed from version 4.20rc1"
},
{
"id": "CVE-2018-20854",
"summary": "An issue was discovered in the Linux kernel before 4.20. drivers/phy/mscc/phy-ocelot-serdes.c has an off-by-one error with a resultant ctrl->phys out-of-bounds read.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20854",
"detail": "fixed-version",
"description": "Fixed from version 4.20rc1"
},
{
"id": "CVE-2018-20855",
"summary": "An issue was discovered in the Linux kernel before 4.18.7. In create_qp_common in drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp was never initialized, resulting in a leak of stack memory to userspace.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20855",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-20856",
"summary": "An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an __blk_drain_queue() use-after-free because a certain error case is mishandled.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20856",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-20961",
"summary": "In the Linux kernel before 4.16.4, a double free vulnerability in the f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the f_midi driver may allow attackers to cause a denial of service or possibly have unspecified other impact.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20961",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc1"
},
{
"id": "CVE-2018-20976",
"summary": "An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20976",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc1"
},
{
"id": "CVE-2018-21008",
"summary": "An issue was discovered in the Linux kernel before 4.16.7. A use-after-free can be caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21008",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc1"
},
{
"id": "CVE-2018-25015",
"summary": "An issue was discovered in the Linux kernel before 4.14.16. There is a use-after-free in net/sctp/socket.c for a held lock after a peel off, aka CID-a0ff660058b8.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-25015",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc9"
},
{
"id": "CVE-2018-25020",
"summary": "The BPF subsystem in the Linux kernel before 4.17 mishandles situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. This affects kernel/bpf/core.c and net/core/filter.c.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-25020",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc7"
},
{
"id": "CVE-2018-3620",
"summary": "Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.",
"scorev2": "4.7",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-3620",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-3639",
"summary": "Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-3639",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc7"
},
{
"id": "CVE-2018-3646",
"summary": "Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.",
"scorev2": "4.7",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-3646",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-3665",
"summary": "System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel.",
"scorev2": "4.7",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-3665",
"detail": "fixed-version",
"description": "Fixed from version 3.7rc1"
},
{
"id": "CVE-2018-3693",
"summary": "Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.",
"scorev2": "4.7",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-3693",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-5332",
"summary": "In the Linux kernel through 3.2, the rds_message_alloc_sgs() function does not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c).",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5332",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc8"
},
{
"id": "CVE-2018-5333",
"summary": "In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5333",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc8"
},
{
"id": "CVE-2018-5344",
"summary": "In the Linux kernel through 4.14.13, drivers/block/loop.c mishandles lo_release serialization, which allows attackers to cause a denial of service (__lock_acquire use-after-free) or possibly have unspecified other impact.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5344",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc8"
},
{
"id": "CVE-2018-5390",
"summary": "Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5390",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc7"
},
{
"id": "CVE-2018-5391",
"summary": "The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5391",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-5703",
"summary": "The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.14.11 allows attackers to cause a denial of service (slab out-of-bounds write) or possibly have unspecified other impact via vectors involving TLS.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5703",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc5"
},
{
"id": "CVE-2018-5750",
"summary": "The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5750",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc1"
},
{
"id": "CVE-2018-5803",
"summary": "In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the \"_sctp_make_chunk()\" function (net/sctp/sm_make_chunk.c) when handling SCTP packets length can be exploited to cause a kernel crash.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5803",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc1"
},
{
"id": "CVE-2018-5814",
"summary": "In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4.133, multiple race condition errors when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5814",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc6"
},
{
"id": "CVE-2018-5848",
"summary": "In the function wmi_set_ie(), the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the 'ie_len' argument can cause a buffer overflow in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5848",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc1"
},
{
"id": "CVE-2018-5873",
"summary": "An issue was discovered in the __ns_get_path function in fs/nsfs.c in the Linux kernel before 4.11. Due to a race condition when accessing files, a Use After Free condition can occur. This also affects all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5873",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc8"
},
{
"id": "CVE-2018-5953",
"summary": "The swiotlb_print_info function in lib/swiotlb.c in the Linux kernel through 4.14.14 allows local users to obtain sensitive address information by reading dmesg data from a \"software IO TLB\" printk call.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5953",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc2"
},
{
"id": "CVE-2018-5995",
"summary": "The pcpu_embed_first_chunk function in mm/percpu.c in the Linux kernel through 4.14.14 allows local users to obtain sensitive address information by reading dmesg data from a \"pages/cpu\" printk call.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5995",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc2"
},
{
"id": "CVE-2018-6412",
"summary": "In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c in the Linux kernel through 4.15, an integer signedness error allows arbitrary information leakage for the FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6412",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc5"
},
{
"id": "CVE-2018-6554",
"summary": "Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6554",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc1"
},
{
"id": "CVE-2018-6555",
"summary": "The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6555",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc1"
},
{
"id": "CVE-2018-6559",
"summary": "The Linux kernel, as used in Ubuntu 18.04 LTS and Ubuntu 18.10, allows local users to obtain names of files in which they would not normally be able to access via an overlayfs mount inside of a user namespace.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6559",
"detail": "not-applicable-platform",
"description": "Issue only affects Ubuntu"
},
{
"id": "CVE-2018-6927",
"summary": "The futex_requeue function in kernel/futex.c in the Linux kernel before 4.14.15 might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6927",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc9"
},
{
"id": "CVE-2018-7191",
"summary": "In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. This is similar to CVE-2013-4343.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7191",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc6"
},
{
"id": "CVE-2018-7273",
"summary": "In the Linux kernel through 4.15.4, the floppy driver reveals the addresses of kernel functions and global variables using printk calls within the function show_floppy in drivers/block/floppy.c. An attacker can read this information from dmesg and use the addresses to find the locations of kernel code and data and bypass kernel security protections such as KASLR.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7273",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc2"
},
{
"id": "CVE-2018-7480",
"summary": "The blkcg_init_queue function in block/blk-cgroup.c in the Linux kernel before 4.11 allows local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7480",
"detail": "fixed-version",
"description": "Fixed from version 4.11rc1"
},
{
"id": "CVE-2018-7492",
"summary": "A NULL pointer dereference was found in the net/rds/rdma.c __rds_rdma_map() function in the Linux kernel before 4.14.7 allowing local attackers to cause a system panic and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7492",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc3"
},
{
"id": "CVE-2018-7566",
"summary": "The Linux kernel 4.15 has a Buffer Overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7566",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc2"
},
{
"id": "CVE-2018-7740",
"summary": "The resv_map_release function in mm/hugetlb.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (BUG) via a crafted application that makes mmap system calls and has a large pgoff argument to the remap_file_pages system call.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7740",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc7"
},
{
"id": "CVE-2018-7754",
"summary": "The aoedisk_debugfs_show function in drivers/block/aoe/aoeblk.c in the Linux kernel through 4.16.4rc4 allows local users to obtain sensitive address information by reading \"ffree: \" lines in a debugfs file.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7754",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc2"
},
{
"id": "CVE-2018-7755",
"summary": "An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7755",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc5"
},
{
"id": "CVE-2018-7757",
"summary": "Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7757",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc1"
},
{
"id": "CVE-2018-7995",
"summary": "Race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck directory. NOTE: a third party has indicated that this report is not security relevant",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7995",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc5"
},
{
"id": "CVE-2018-8043",
"summary": "The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c in the Linux kernel through 4.15.8 does not validate certain resource availability, which allows local users to cause a denial of service (NULL pointer dereference).",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8043",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc1"
},
{
"id": "CVE-2018-8087",
"summary": "Memory leak in the hwsim_new_radio_nl function in drivers/net/wireless/mac80211_hwsim.c in the Linux kernel through 4.15.9 allows local users to cause a denial of service (memory consumption) by triggering an out-of-array error case.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8087",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc1"
},
{
"id": "CVE-2018-8781",
"summary": "The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c at the Linux kernel version 3.4 and up to and including 4.15 has an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8781",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc7"
},
{
"id": "CVE-2018-8822",
"summary": "Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c in the Linux kernel through 4.15.11, and in drivers/staging/ncpfs/ncplib_kernel.c in the Linux kernel 4.16-rc through 4.16-rc6, could be exploited by malicious NCPFS servers to crash the kernel or execute code.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8822",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc7"
},
{
"id": "CVE-2018-8897",
"summary": "A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8897",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc7"
},
{
"id": "CVE-2018-9363",
"summary": "In the hidp_process_report in bluetooth, there is an integer overflow. This could lead to an out of bounds write with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-65853588 References: Upstream kernel.",
"scorev2": "7.2",
"scorev3": "8.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9363",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2018-9385",
"summary": "In driver_override_store of bus.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-74128061 References: Upstream kernel.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9385",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc3"
},
{
"id": "CVE-2018-9415",
"summary": "In driver_override_store and driver_override_show of bus.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-69129004 References: Upstream kernel.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9415",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc3"
},
{
"id": "CVE-2018-9422",
"summary": "In get_futex_key of futex.c, there is a use-after-free due to improper locking. This could lead to local escalation of privilege with no additional privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-74250718 References: Upstream kernel.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9422",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc1"
},
{
"id": "CVE-2018-9465",
"summary": "In task_get_unused_fd_flags of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-69164715 References: Upstream kernel.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9465",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc6"
},
{
"id": "CVE-2018-9516",
"summary": "In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-71361580.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9516",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc5"
},
{
"id": "CVE-2018-9517",
"summary": "In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-38159931.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9517",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc1"
},
{
"id": "CVE-2018-9518",
"summary": "In nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-73083945.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9518",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc3"
},
{
"id": "CVE-2018-9568",
"summary": "In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-113509306. References: Upstream kernel.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9568",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc4"
},
{
"id": "CVE-2019-0136",
"summary": "Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access.",
"scorev2": "3.3",
"scorev3": "7.4",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-0136",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc6"
},
{
"id": "CVE-2019-0145",
"summary": "Buffer overflow in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable an escalation of privilege via local access.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-0145",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-0146",
"summary": "Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 2.8.43 may allow an authenticated user to potentially enable a denial of service via local access.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-0146",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-0147",
"summary": "Insufficient input validation in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable a denial of service via local access.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-0147",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-0148",
"summary": "Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable a denial of service via local access.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-0148",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-0149",
"summary": "Insufficient input validation in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 2.8.43 may allow an authenticated user to potentially enable a denial of service via local access.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-0149",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2019-0154",
"summary": "Insufficient access control in subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A and E3900 Series; Intel(R) Xeon(R) Processor E3-1500 v5 and v6 and E-2100 Processor Families may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-0154",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc8"
},
{
"id": "CVE-2019-0155",
"summary": "Insufficient access control in a subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A and E3900 Series; Intel(R) Xeon(R) Processor E3-1500 v5 and v6, E-2100 and E-2200 Processor Families; Intel(R) Graphics Driver for Windows before 26.20.100.6813 (DCH) or 26.20.100.6812 and before 21.20.x.5077 (aka15.45.5077), i915 Linux Driver for Intel(R) Processor Graphics before versions 5.4-rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-0155",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc8"
},
{
"id": "CVE-2019-10125",
"summary": "An issue was discovered in aio_poll() in fs/aio.c in the Linux kernel through 5.0.4. A file may be released by aio_poll_wake() if an expected event is triggered immediately (e.g., by the close of a pair of pipes) after the return of vfs_poll(), and this will cause a use-after-free.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10125",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc1"
},
{
"id": "CVE-2019-10126",
"summary": "A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences.",
"scorev2": "7.5",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10126",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc6"
},
{
"id": "CVE-2019-10140",
"summary": "A vulnerability was found in Linux kernel's, versions up to 3.10, implementation of overlayfs. An attacker with local access can create a denial of service situation via NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c. This can allow attackers with ability to create directories on overlayfs to crash the kernel creating a denial of service (DOS).",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10140"
},
{
"id": "CVE-2019-10142",
"summary": "A flaw was found in the Linux kernel's freescale hypervisor manager implementation, kernel versions 5.0.x up to, excluding 5.0.17. A parameter passed to an ioctl was incorrectly validated and used in size calculations for the page size calculation. An attacker can use this flaw to crash the system, corrupt memory, or create other adverse security affects.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10142",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-10207",
"summary": "A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.",
"scorev2": "2.1",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10207",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc3"
},
{
"id": "CVE-2019-10220",
"summary": "Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists.",
"scorev2": "9.3",
"scorev3": "8.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10220",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc2"
},
{
"id": "CVE-2019-10638",
"summary": "In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10638",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-10639",
"summary": "The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to have a dependency on an address associated with a network namespace.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10639",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc4"
},
{
"id": "CVE-2019-11085",
"summary": "Insufficient input validation in Kernel Mode Driver in Intel(R) i915 Graphics for Linux before version 5.0 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11085",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc3"
},
{
"id": "CVE-2019-11091",
"summary": "Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf",
"scorev2": "4.7",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11091",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-11135",
"summary": "TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11135",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc8"
},
{
"id": "CVE-2019-11190",
"summary": "The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11190",
"detail": "fixed-version",
"description": "Fixed from version 4.8rc5"
},
{
"id": "CVE-2019-11191",
"summary": "The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and ia32_aout is loaded, allows local users to bypass ASLR on setuid a.out programs (if any exist) because install_exec_creds() is called too late in load_aout_binary() in fs/binfmt_aout.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. NOTE: the software maintainer disputes that this is a vulnerability because ASLR for a.out format executables has never been supported",
"scorev2": "1.9",
"scorev3": "2.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11191",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc1"
},
{
"id": "CVE-2019-1125",
"summary": "An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries.\nTo exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information that could be used to try to compromise the affected system further.\nOn January 3, 2018, Microsoft released an advisory and security updates\u202frelated to a newly-discovered class of hardware vulnerabilities (known as Spectre) involving speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. This vulnerability, released on August 6, 2019, is a variant of the Spectre Variant 1 speculative execution side channel vulnerability and has been assigned CVE-2019-1125.\nMicrosoft released a security update on July 9, 2019 that addresses the vulnerability through a software change that mitigates how the CPU speculatively accesses memory. Note that this vulnerability does not require a microcode update from your device OEM.\n",
"scorev2": "2.1",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1125",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc4"
},
{
"id": "CVE-2019-11477",
"summary": "Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11477",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc6"
},
{
"id": "CVE-2019-11478",
"summary": "Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11478",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc6"
},
{
"id": "CVE-2019-11479",
"summary": "Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11479",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc6"
},
{
"id": "CVE-2019-11486",
"summary": "The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11486",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc4"
},
{
"id": "CVE-2019-11487",
"summary": "The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11487",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc5"
},
{
"id": "CVE-2019-11599",
"summary": "The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11599",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc6"
},
{
"id": "CVE-2019-11683",
"summary": "udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel 5.x before 5.0.13 allows remote attackers to cause a denial of service (slab-out-of-bounds memory corruption) or possibly have unspecified other impact via UDP packets with a 0 payload, because of mishandling of padded packets, aka the \"GRO packet of death\" issue.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11683",
"detail": "fixed-version",
"description": "Fixed from version 5.1"
},
{
"id": "CVE-2019-11810",
"summary": "An issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11810",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc1"
},
{
"id": "CVE-2019-11811",
"summary": "An issue was discovered in the Linux kernel before 5.0.4. There is a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module is removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and drivers/char/ipmi/ipmi_si_port_io.c.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11811",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc1"
},
{
"id": "CVE-2019-11815",
"summary": "An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup.",
"scorev2": "9.3",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11815",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc4"
},
{
"id": "CVE-2019-11833",
"summary": "fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11833",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-11884",
"summary": "The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a '\\0' character.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11884",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-12378",
"summary": "An issue was discovered in ip6_ra_control in net/ipv6/ipv6_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: This has been disputed as not an issue",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12378",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc3"
},
{
"id": "CVE-2019-12379",
"summary": "An issue was discovered in con_insert_unipair in drivers/tty/vt/consolemap.c in the Linux kernel through 5.1.5. There is a memory leak in a certain case of an ENOMEM outcome of kmalloc. NOTE: This id is disputed as not being an issue",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12379",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2019-12380",
"summary": "**DISPUTED** An issue was discovered in the efi subsystem in the Linux kernel through 5.1.5. phys_efi_set_virtual_address_map in arch/x86/platform/efi/efi.c and efi_call_phys_prolog in arch/x86/platform/efi/efi_64.c mishandle memory allocation failures. NOTE: This id is disputed as not being an issue because \u201cAll the code touched by the referenced commit runs only at boot, before any user processes are started. Therefore, there is no possibility for an unprivileged user to control it.\u201d.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12380",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc3"
},
{
"id": "CVE-2019-12381",
"summary": "An issue was discovered in ip_ra_control in net/ipv4/ip_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: this is disputed because new_ra is never used if it is NULL",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12381",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc3"
},
{
"id": "CVE-2019-12382",
"summary": "An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the Linux kernel through 5.1.5. There is an unchecked kstrdup of fwstr, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: The vendor disputes this issues as not being a vulnerability because kstrdup() returning NULL is handled sufficiently and there is no chance for a NULL pointer dereference",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12382",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2019-12454",
"summary": "An issue was discovered in wcd9335_codec_enable_dec in sound/soc/codecs/wcd9335.c in the Linux kernel through 5.1.5. It uses kstrndup instead of kmemdup_nul, which allows attackers to have an unspecified impact via unknown vectors. NOTE: The vendor disputes this issues as not being a vulnerability because switching to kmemdup_nul() would only fix a security issue if the source string wasn't NUL-terminated, which is not the case",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12454",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2019-12455",
"summary": "An issue was discovered in sunxi_divs_clk_setup in drivers/clk/sunxi/clk-sunxi.c in the Linux kernel through 5.1.5. There is an unchecked kstrndup of derived_name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: This id is disputed as not being an issue because \u201cThe memory allocation that was not checked is part of a code that only runs at boot time, before user processes are started. Therefore, there is no possibility for an unprivileged user to control it, and no denial of service.\u201d",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12455",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2019-12456",
"summary": "An issue was discovered in the MPT3COMMAND case in _ctl_ioctl_main in drivers/scsi/mpt3sas/mpt3sas_ctl.c in the Linux kernel through 5.1.5. It allows local users to cause a denial of service or possibly have unspecified other impact by changing the value of ioc_number between two kernel reads of that value, aka a \"double fetch\" vulnerability. NOTE: a third party reports that this is unexploitable because the doubly fetched value is not used",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12456"
},
{
"id": "CVE-2019-12614",
"summary": "An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup of prop->name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash).",
"scorev2": "4.7",
"scorev3": "4.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12614",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2019-12615",
"summary": "An issue was discovered in get_vdev_port_node_info in arch/sparc/kernel/mdesc.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup_const of node_info->vdev_port.name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash).",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12615",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc4"
},
{
"id": "CVE-2019-12817",
"summary": "arch/powerpc/mm/mmu_context_book3s64.c in the Linux kernel before 5.1.15 for powerpc has a bug where unrelated processes may be able to read/write to one another's virtual memory under certain conditions via an mmap above 512 TB. Only a subset of powerpc systems are affected.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12817",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc7"
},
{
"id": "CVE-2019-12818",
"summary": "An issue was discovered in the Linux kernel before 4.20.15. The nfc_llcp_build_tlv function in net/nfc/llcp_commands.c may return NULL. If the caller does not check for this, it will trigger a NULL pointer dereference. This will cause denial of service. This affects nfc_llcp_build_gb in net/nfc/llcp_core.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12818",
"detail": "fixed-version",
"description": "Fixed from version 5.0"
},
{
"id": "CVE-2019-12819",
"summary": "An issue was discovered in the Linux kernel before 5.0. The function __mdiobus_register() in drivers/net/phy/mdio_bus.c calls put_device(), which will trigger a fixed_mdio_bus_init use-after-free. This will cause a denial of service.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12819",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc8"
},
{
"id": "CVE-2019-12881",
"summary": "i915_gem_userptr_get_pages in drivers/gpu/drm/i915/i915_gem_userptr.c in the Linux kernel 4.15.0 on Ubuntu 18.04.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) or possibly have unspecified other impact via crafted ioctl calls to /dev/dri/card0.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12881",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc1"
},
{
"id": "CVE-2019-12984",
"summary": "A NULL pointer dereference vulnerability in the function nfc_genl_deactivate_target() in net/nfc/netlink.c in the Linux kernel before 5.1.13 can be triggered by a malicious user-mode program that omits certain NFC attributes, leading to denial of service.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12984",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc6"
},
{
"id": "CVE-2019-13233",
"summary": "In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds violation.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13233",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc4"
},
{
"id": "CVE-2019-13272",
"summary": "In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13272",
"detail": "fixed-version",
"description": "Fixed from version 5.2"
},
{
"id": "CVE-2019-13631",
"summary": "In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages.",
"scorev2": "4.6",
"scorev3": "6.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13631",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2019-13648",
"summary": "In the Linux kernel through 5.2.1 on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13648",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc2"
},
{
"id": "CVE-2019-14283",
"summary": "In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default.",
"scorev2": "4.6",
"scorev3": "6.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14283",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2019-14284",
"summary": "In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a denial of service by setup_format_params division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should be called. It can be triggered by an unprivileged local user even when a floppy disk has not been inserted. NOTE: QEMU creates the floppy device by default.",
"scorev2": "2.1",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14284",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2019-14615",
"summary": "Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may allow an unauthenticated user to potentially enable information disclosure via local access.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14615",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc7"
},
{
"id": "CVE-2019-14763",
"summary": "In the Linux kernel before 4.16.4, a double-locking error in drivers/usb/dwc3/gadget.c may potentially cause a deadlock with f_hid.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14763",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc1"
},
{
"id": "CVE-2019-14814",
"summary": "There is heap-based buffer overflow in Linux kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.",
"scorev2": "7.2",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14814",
"detail": "fixed-version",
"description": "Fixed from version 5.3"
},
{
"id": "CVE-2019-14815",
"summary": "A vulnerability was found in Linux Kernel, where a Heap Overflow was found in mwifiex_set_wmm_params() function of Marvell Wifi Driver.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14815",
"detail": "fixed-version",
"description": "Fixed from version 5.3"
},
{
"id": "CVE-2019-14816",
"summary": "There is heap-based buffer overflow in kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.",
"scorev2": "7.2",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14816",
"detail": "fixed-version",
"description": "Fixed from version 5.3"
},
{
"id": "CVE-2019-14821",
"summary": "An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->last' value could be supplied by a host user-space process. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system.",
"scorev2": "7.2",
"scorev3": "7.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14821",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-14835",
"summary": "A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.",
"scorev2": "7.2",
"scorev3": "7.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14835",
"detail": "fixed-version",
"description": "Fixed from version 5.3"
},
{
"id": "CVE-2019-14895",
"summary": "A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could allow the remote device to cause a denial of service (system crash) or possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "8.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14895",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc3"
},
{
"id": "CVE-2019-14896",
"summary": "A heap-based buffer overflow vulnerability was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP.",
"scorev2": "10.0",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14896",
"detail": "fixed-version",
"description": "Fixed from version 5.5"
},
{
"id": "CVE-2019-14897",
"summary": "A stack-based buffer overflow was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA.",
"scorev2": "7.5",
"scorev3": "6.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14897",
"detail": "fixed-version",
"description": "Fixed from version 5.5"
},
{
"id": "CVE-2019-14898",
"summary": "The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could use this flaw to obtain sensitive information, cause a denial of service, or possibly have other unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14898"
},
{
"id": "CVE-2019-14899",
"summary": "A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.",
"scorev2": "4.9",
"scorev3": "7.4",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:P/I:P/A:P",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14899"
},
{
"id": "CVE-2019-14901",
"summary": "A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The vulnerability allows a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system.",
"scorev2": "10.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14901",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc3"
},
{
"id": "CVE-2019-15030",
"summary": "In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via a Facility Unavailable exception. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check.",
"scorev2": "3.6",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15030",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc8"
},
{
"id": "CVE-2019-15031",
"summary": "In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via an interrupt. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process, because MSR_TM_ACTIVE is misused in arch/powerpc/kernel/process.c.",
"scorev2": "3.6",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15031",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc8"
},
{
"id": "CVE-2019-15090",
"summary": "An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. In the qedi_dbg_* family of functions, there is an out-of-bounds read.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15090",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc2"
},
{
"id": "CVE-2019-15098",
"summary": "drivers/net/wireless/ath/ath6kl/usb.c in the Linux kernel through 5.2.9 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15098",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-15099",
"summary": "drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through 5.2.8 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15099",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-15117",
"summary": "parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles a short descriptor, leading to out-of-bounds memory access.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15117",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc5"
},
{
"id": "CVE-2019-15118",
"summary": "check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15118",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc5"
},
{
"id": "CVE-2019-15211",
"summary": "An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c does not properly allocate memory.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15211",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2019-15212",
"summary": "An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15212",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc3"
},
{
"id": "CVE-2019-15213",
"summary": "An issue was discovered in the Linux kernel before 5.2.3. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15213",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2019-15214",
"summary": "An issue was discovered in the Linux kernel before 5.0.10. There is a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. This is related to sound/core/init.c and sound/core/info.c.",
"scorev2": "6.9",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15214",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc6"
},
{
"id": "CVE-2019-15215",
"summary": "An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15215",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2019-15216",
"summary": "An issue was discovered in the Linux kernel before 5.0.14. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15216",
"detail": "fixed-version",
"description": "Fixed from version 5.1"
},
{
"id": "CVE-2019-15217",
"summary": "An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15217",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2019-15218",
"summary": "An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15218",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc3"
},
{
"id": "CVE-2019-15219",
"summary": "An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15219",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc3"
},
{
"id": "CVE-2019-15220",
"summary": "An issue was discovered in the Linux kernel before 5.2.1. There is a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15220",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2019-15221",
"summary": "An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15221",
"detail": "fixed-version",
"description": "Fixed from version 5.2"
},
{
"id": "CVE-2019-15222",
"summary": "An issue was discovered in the Linux kernel before 5.2.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15222",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc3"
},
{
"id": "CVE-2019-15223",
"summary": "An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/driver.c driver.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15223",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc3"
},
{
"id": "CVE-2019-15239",
"summary": "In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was potentially more severe than the issue that was intended to be fixed by backporting. Specifically, by adding to a write queue between disconnection and re-connection, a local attacker can trigger multiple use-after-free conditions. This can result in a kernel crash, or potentially in privilege escalation. NOTE: this affects (for example) Linux distributions that use 4.9.x longterm kernels before 4.9.190 or 4.14.x longterm kernels before 4.14.139.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15239"
},
{
"id": "CVE-2019-15291",
"summary": "An issue was discovered in the Linux kernel through 5.2.9. There is a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15291",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-15292",
"summary": "An issue was discovered in the Linux kernel before 5.0.9. There is a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c.",
"scorev2": "10.0",
"scorev3": "4.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15292",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc1"
},
{
"id": "CVE-2019-15504",
"summary": "drivers/net/wireless/rsi/rsi_91x_usb.c in the Linux kernel through 5.2.9 has a Double Free via crafted USB device traffic (which may be remote via usbip or usbredir).",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15504",
"detail": "fixed-version",
"description": "Fixed from version 5.3"
},
{
"id": "CVE-2019-15505",
"summary": "drivers/media/usb/dvb-usb/technisat-usb2.c in the Linux kernel through 5.2.9 has an out-of-bounds read via crafted USB device traffic (which may be remote via usbip or usbredir).",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15505",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-15538",
"summary": "An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15538",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc6"
},
{
"id": "CVE-2019-15666",
"summary": "An issue was discovered in the Linux kernel before 5.0.19. There is an out-of-bounds array access in __xfrm_policy_unlink, which will cause denial of service, because verify_newpolicy_info in net/xfrm/xfrm_user.c mishandles directory validation.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15666",
"detail": "fixed-version",
"description": "Fixed from version 5.1"
},
{
"id": "CVE-2019-15791",
"summary": "In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() installs an fd referencing a file from the lower filesystem without taking an additional reference to that file. After the btrfs ioctl completes this fd is closed, which then puts a reference to that file, leading to a refcount underflow.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15791"
},
{
"id": "CVE-2019-15792",
"summary": "In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() calls fdget(oldfd), then without further checks passes the resulting file* into shiftfs_real_fdget(), which casts file->private_data, a void* that points to a filesystem-dependent type, to a \"struct shiftfs_file_info *\". As the private_data is not required to be a pointer, an attacker can use this to cause a denial of service or possibly execute arbitrary code.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15792"
},
{
"id": "CVE-2019-15793",
"summary": "In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, several locations which shift ids translate user/group ids before performing operations in the lower filesystem were translating them into init_user_ns, whereas they should have been translated into the s_user_ns for the lower filesystem. This resulted in using ids other than the intended ones in the lower fs, which likely did not map into the shifts s_user_ns. A local attacker could use this to possibly bypass discretionary access control permissions.",
"scorev2": "4.6",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15793"
},
{
"id": "CVE-2019-15794",
"summary": "Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file following after call_mmap() returns an error. However, the aufs patchs change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15794",
"detail": "fixed-version",
"description": "Fixed from version 5.12"
},
{
"id": "CVE-2019-15807",
"summary": "In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15807",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc3"
},
{
"id": "CVE-2019-15902",
"summary": "A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream \"x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()\" commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped.",
"scorev2": "4.7",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15902"
},
{
"id": "CVE-2019-15916",
"summary": "An issue was discovered in the Linux kernel before 5.0.1. There is a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15916",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc1"
},
{
"id": "CVE-2019-15917",
"summary": "An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15917",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc1"
},
{
"id": "CVE-2019-15918",
"summary": "An issue was discovered in the Linux kernel before 5.0.10. SMB2_negotiate in fs/cifs/smb2pdu.c has an out-of-bounds read because data structures are incompletely updated after a change from smb30 to smb21.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15918",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc6"
},
{
"id": "CVE-2019-15919",
"summary": "An issue was discovered in the Linux kernel before 5.0.10. SMB2_write in fs/cifs/smb2pdu.c has a use-after-free.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15919",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc6"
},
{
"id": "CVE-2019-15920",
"summary": "An issue was discovered in the Linux kernel before 5.0.10. SMB2_read in fs/cifs/smb2pdu.c has a use-after-free. NOTE: this was not fixed correctly in 5.0.10; see the 5.0.11 ChangeLog, which documents a memory leak.",
"scorev2": "4.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15920",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc6"
},
{
"id": "CVE-2019-15921",
"summary": "An issue was discovered in the Linux kernel before 5.0.6. There is a memory leak issue when idr_alloc() fails in genl_register_family() in net/netlink/genetlink.c.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15921",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc3"
},
{
"id": "CVE-2019-15922",
"summary": "An issue was discovered in the Linux kernel before 5.0.9. There is a NULL pointer dereference for a pf data structure if alloc_disk fails in drivers/block/paride/pf.c.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15922",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc4"
},
{
"id": "CVE-2019-15923",
"summary": "An issue was discovered in the Linux kernel before 5.0.9. There is a NULL pointer dereference for a cd data structure if alloc_disk fails in drivers/block/paride/pf.c.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15923",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc4"
},
{
"id": "CVE-2019-15924",
"summary": "An issue was discovered in the Linux kernel before 5.0.11. fm10k_init_module in drivers/net/ethernet/intel/fm10k/fm10k_main.c has a NULL pointer dereference because there is no -ENOMEM upon an alloc_workqueue failure.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15924",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc4"
},
{
"id": "CVE-2019-15925",
"summary": "An issue was discovered in the Linux kernel before 5.2.3. An out of bounds access exists in the function hclge_tm_schd_mode_vnet_base_cfg in the file drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15925",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2019-15926",
"summary": "An issue was discovered in the Linux kernel before 5.2.3. Out of bounds access exists in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file drivers/net/wireless/ath/ath6kl/wmi.c.",
"scorev2": "9.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15926",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2019-15927",
"summary": "An issue was discovered in the Linux kernel before 4.20.2. An out-of-bounds access exists in the function build_audio_procunit in the file sound/usb/mixer.c.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15927",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc2"
},
{
"id": "CVE-2019-16089",
"summary": "An issue was discovered in the Linux kernel through 5.2.13. nbd_genl_status in drivers/block/nbd.c does not check the nla_nest_start_noflag return value.",
"scorev2": "4.7",
"scorev3": "4.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16089"
},
{
"id": "CVE-2019-16229",
"summary": "drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: The security community disputes this issues as not being serious enough to be deserving a CVE id",
"scorev2": "4.7",
"scorev3": "4.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16229",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-16230",
"summary": "drivers/gpu/drm/radeon/radeon_display.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: A third-party software maintainer states that the work queue allocation is happening during device initialization, which for a graphics card occurs during boot. It is not attacker controllable and OOM at that time is highly unlikely",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16230",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-16231",
"summary": "drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.",
"scorev2": "4.7",
"scorev3": "4.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16231",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc6"
},
{
"id": "CVE-2019-16232",
"summary": "drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.",
"scorev2": "4.7",
"scorev3": "4.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16232",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-16233",
"summary": "drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.",
"scorev2": "4.7",
"scorev3": "4.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16233",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc5"
},
{
"id": "CVE-2019-16234",
"summary": "drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16234",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc4"
},
{
"id": "CVE-2019-16413",
"summary": "An issue was discovered in the Linux kernel before 5.0.4. The 9p filesystem did not protect i_size_write() properly, which causes an i_size_read() infinite loop and denial of service on SMP systems.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16413",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc1"
},
{
"id": "CVE-2019-16714",
"summary": "In the Linux kernel before 5.2.14, rds6_inc_info_copy in net/rds/recv.c allows attackers to obtain sensitive information from kernel stack memory because tos and flags fields are not initialized.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16714",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc7"
},
{
"id": "CVE-2019-16746",
"summary": "An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16746",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc2"
},
{
"id": "CVE-2019-16921",
"summary": "In the Linux kernel before 4.17, hns_roce_alloc_ucontext in drivers/infiniband/hw/hns/hns_roce_main.c does not initialize the resp data structure, which might allow attackers to obtain sensitive information from kernel stack memory, aka CID-df7e40425813.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16921",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc1"
},
{
"id": "CVE-2019-16994",
"summary": "In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16994",
"detail": "fixed-version",
"description": "Fixed from version 5.0"
},
{
"id": "CVE-2019-16995",
"summary": "In the Linux kernel before 5.0.3, a memory leak exits in hsr_dev_finalize() in net/hsr/hsr_device.c if hsr_add_port fails to add a port, which may cause denial of service, aka CID-6caabe7f197d.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16995",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc1"
},
{
"id": "CVE-2019-17052",
"summary": "ax25_create in net/ax25/af_ax25.c in the AF_AX25 network module in the Linux kernel 3.16 through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-0614e2b73768.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17052",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-17053",
"summary": "ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-e69dbd4619e7.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17053",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-17054",
"summary": "atalk_create in net/appletalk/ddp.c in the AF_APPLETALK network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-6cc03e8aa36c.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17054",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-17055",
"summary": "base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17055",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-17056",
"summary": "llcp_sock_create in net/nfc/llcp_sock.c in the AF_NFC network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-3a359798b176.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17056",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-17075",
"summary": "An issue was discovered in write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel through 5.3.2. The cxgb4 driver is directly calling dma_map_single (a DMA function) from a stack variable. This could allow an attacker to trigger a Denial of Service, exploitable if this driver is used on an architecture for which this stack/DMA interaction has security relevance.",
"scorev2": "7.1",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17075",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc3"
},
{
"id": "CVE-2019-17133",
"summary": "In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a long SSID IE, leading to a Buffer Overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17133",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc4"
},
{
"id": "CVE-2019-17351",
"summary": "An issue was discovered in drivers/xen/balloon.c in the Linux kernel before 5.2.3, as used in Xen through 4.12.x, allowing guest OS users to cause a denial of service because of unrestricted resource consumption during the mapping of guest memory, aka CID-6ef36ab967c7.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17351",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2019-17666",
"summary": "rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.",
"scorev2": "8.3",
"scorev3": "8.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17666",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc6"
},
{
"id": "CVE-2019-18198",
"summary": "In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18198",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-18282",
"summary": "The flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a device tracking vulnerability, aka CID-55667441c84f. This occurs because the auto flowlabel of a UDP IPv6 packet relies on a 32-bit hashrnd value as a secret, and because jhash (instead of siphash) is used. The hashrnd value remains the same starting from boot time, and can be inferred by an attacker. This affects net/core/flow_dissector.c and related code.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18282",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc6"
},
{
"id": "CVE-2019-18660",
"summary": "The Linux kernel before 5.4.1 on powerpc allows Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs, aka CID-39e72bf96f58. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18660",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-18675",
"summary": "The Linux kernel through 5.3.13 has a start_offset+size Integer Overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allows local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18675",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc5"
},
{
"id": "CVE-2019-18680",
"summary": "An issue was discovered in the Linux kernel 4.4.x before 4.4.195. There is a NULL pointer dereference in rds_tcp_kill_sock() in net/rds/tcp.c that will cause denial of service, aka CID-91573ae4aed0.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18680"
},
{
"id": "CVE-2019-18683",
"summary": "An issue was discovered in drivers/media/platform/vivid in the Linux kernel through 5.3.8. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18683",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-18786",
"summary": "In the Linux kernel through 5.3.8, f->fmt.sdr.reserved is uninitialized in rcar_drif_g_fmt_sdr_cap in drivers/media/platform/rcar_drif.c, which could cause a memory disclosure problem.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18786",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-18805",
"summary": "An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel before 5.0.11. There is a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact, aka CID-19fad20d15a6.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18805",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc7"
},
{
"id": "CVE-2019-18806",
"summary": "A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18806",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc2"
},
{
"id": "CVE-2019-18807",
"summary": "Two memory leaks in the sja1105_static_config_upload() function in drivers/net/dsa/sja1105/sja1105_spi.c in the Linux kernel before 5.3.5 allow attackers to cause a denial of service (memory consumption) by triggering static_config_buf_prepare_for_upload() or sja1105_inhibit_tx() failures, aka CID-68501df92d11.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18807",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc2"
},
{
"id": "CVE-2019-18808",
"summary": "A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18808",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-18809",
"summary": "A memory leak in the af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-2289adbfa559.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18809",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-18810",
"summary": "A memory leak in the komeda_wb_connector_add() function in drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c in the Linux kernel before 5.3.8 allows attackers to cause a denial of service (memory consumption) by triggering drm_writeback_connector_init() failures, aka CID-a0ecd6fdbf5d.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18810",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc2"
},
{
"id": "CVE-2019-18811",
"summary": "A memory leak in the sof_set_get_large_ctrl_data() function in sound/soc/sof/ipc.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering sof_get_ctrl_copy_params() failures, aka CID-45c1380358b1.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18811",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc7"
},
{
"id": "CVE-2019-18812",
"summary": "A memory leak in the sof_dfsentry_write() function in sound/soc/sof/debug.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-c0a333d842ef.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18812",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc7"
},
{
"id": "CVE-2019-18813",
"summary": "A memory leak in the dwc3_pci_probe() function in drivers/usb/dwc3/dwc3-pci.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering platform_device_add_properties() failures, aka CID-9bbfceea12a8.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18813",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc6"
},
{
"id": "CVE-2019-18814",
"summary": "An issue was discovered in the Linux kernel through 5.3.9. There is a use-after-free when aa_label_parse() fails in aa_audit_rule_init() in security/apparmor/audit.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18814",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc7"
},
{
"id": "CVE-2019-18885",
"summary": "fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka CID-09ba3bc9dd15.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18885",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc1"
},
{
"id": "CVE-2019-19036",
"summary": "btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19036",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-19037",
"summary": "ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19037",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc3"
},
{
"id": "CVE-2019-19039",
"summary": "__btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program. NOTE: The BTRFS development team disputes this issues as not being a vulnerability because \u201c1) The kernel provide facilities to restrict access to dmesg - dmesg_restrict=1 sysctl option. So it's really up to the system administrator to judge whether dmesg access shall be disallowed or not. 2) WARN/WARN_ON are widely used macros in the linux kernel. If this CVE is considered valid this would mean there are literally thousands CVE lurking in the kernel - something which clearly is not the case.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19039",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc1"
},
{
"id": "CVE-2019-19043",
"summary": "A memory leak in the i40e_setup_macvlans() function in drivers/net/ethernet/intel/i40e/i40e_main.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering i40e_setup_channel() failures, aka CID-27d461333459.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19043",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19044",
"summary": "Two memory leaks in the v3d_submit_cl_ioctl() function in drivers/gpu/drm/v3d/v3d_gem.c in the Linux kernel before 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering kcalloc() or v3d_job_init() failures, aka CID-29cd13cfd762.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19044",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc6"
},
{
"id": "CVE-2019-19045",
"summary": "A memory leak in the mlx5_fpga_conn_create_cq() function in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures, aka CID-c8c2a057fdc7.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19045",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc6"
},
{
"id": "CVE-2019-19046",
"summary": "A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance of this because an attacker cannot realistically control this failure at probe time",
"scorev2": "6.8",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19046",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19047",
"summary": "A memory leak in the mlx5_fw_fatal_reporter_dump() function in drivers/net/ethernet/mellanox/mlx5/core/health.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mlx5_crdump_collect() failures, aka CID-c7ed6d0183d5.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19047",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc6"
},
{
"id": "CVE-2019-19048",
"summary": "A memory leak in the crypto_reportstat() function in drivers/virt/vboxguest/vboxguest_utils.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering copy_form_user() failures, aka CID-e0b0cb938864.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19048",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc3"
},
{
"id": "CVE-2019-19049",
"summary": "A memory leak in the unittest_data_add() function in drivers/of/unittest.c in the Linux kernel before 5.3.10 allows attackers to cause a denial of service (memory consumption) by triggering of_fdt_unflatten_tree() failures, aka CID-e13de8fe0d6a. NOTE: third parties dispute the relevance of this because unittest.c can only be reached during boot",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19049",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc5"
},
{
"id": "CVE-2019-19050",
"summary": "A memory leak in the crypto_reportstat() function in crypto/crypto_user_stat.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_reportstat_alg() failures, aka CID-c03b04dcdba1.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19050",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19051",
"summary": "A memory leak in the i2400m_op_rfkill_sw_toggle() function in drivers/net/wimax/i2400m/op-rfkill.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-6f3ef5c25cc7.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19051",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc6"
},
{
"id": "CVE-2019-19052",
"summary": "A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-fb5be6a7b486.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19052",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc7"
},
{
"id": "CVE-2019-19053",
"summary": "A memory leak in the rpmsg_eptdev_write_iter() function in drivers/rpmsg/rpmsg_char.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering copy_from_iter_full() failures, aka CID-bbe692e349e2.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19053",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19054",
"summary": "A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19054",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19055",
"summary": "A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of this because it occurs on a code path where a successful allocation has already occurred",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19055",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc4"
},
{
"id": "CVE-2019-19056",
"summary": "A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-db8fd2cde932.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19056",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19057",
"summary": "Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-d10dcb615c8e.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19057",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19058",
"summary": "A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures, aka CID-b4b814fec1a5.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19058",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc4"
},
{
"id": "CVE-2019-19059",
"summary": "Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or dma_alloc_coherent() failures, aka CID-0f4f199443fa.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19059",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc4"
},
{
"id": "CVE-2019-19060",
"summary": "A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19060",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc3"
},
{
"id": "CVE-2019-19061",
"summary": "A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-9c0530e898f3.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19061",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc3"
},
{
"id": "CVE-2019-19062",
"summary": "A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19062",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19063",
"summary": "Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19063",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19064",
"summary": "A memory leak in the fsl_lpspi_probe() function in drivers/spi/spi-fsl-lpspi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering pm_runtime_get_sync() failures, aka CID-057b8945f78f. NOTE: third parties dispute the relevance of this because an attacker cannot realistically control these failures at probe time",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19064",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19065",
"summary": "A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures, aka CID-34b3be18a04e. NOTE: This has been disputed as not a vulnerability because \"rhashtable_init() can only fail if it is passed invalid values in the second parameter's struct, but when invoked from sdma_init() that is a pointer to a static const struct, so an attacker could only trigger failure if they could corrupt kernel memory (in which case a small memory leak is not a significant problem).",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19065",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc3"
},
{
"id": "CVE-2019-19066",
"summary": "A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures, aka CID-0e62395da2bd.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19066",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19067",
"summary": "Four memory leaks in the acp_hw_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux kernel before 5.3.8 allow attackers to cause a denial of service (memory consumption) by triggering mfd_add_hotplug_devices() or pm_genpd_add_device() failures, aka CID-57be09c6e874. NOTE: third parties dispute the relevance of this because the attacker must already have privileges for module loading",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19067",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc2"
},
{
"id": "CVE-2019-19068",
"summary": "A memory leak in the rtl8xxxu_submit_int_urb() function in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-a2cdd07488e6.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19068",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19069",
"summary": "A memory leak in the fastrpc_dma_buf_attach() function in drivers/misc/fastrpc.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering dma_get_sgtable() failures, aka CID-fc739a058d99.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19069",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc3"
},
{
"id": "CVE-2019-19070",
"summary": "A memory leak in the spi_gpio_probe() function in drivers/spi/spi-gpio.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering devm_add_action_or_reset() failures, aka CID-d3b0ffa1d75d. NOTE: third parties dispute the relevance of this because the system must have already been out of memory before the probe began",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19070",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19071",
"summary": "A memory leak in the rsi_send_beacon() function in drivers/net/wireless/rsi/rsi_91x_mgmt.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering rsi_prepare_beacon() failures, aka CID-d563131ef23c.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19071",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19072",
"summary": "A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-96c5c6e6a5b6.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19072",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-19073",
"summary": "Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function, aka CID-853acf7caf10.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19073",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-19074",
"summary": "A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19074",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-19075",
"summary": "A memory leak in the ca8210_probe() function in drivers/net/ieee802154/ca8210.c in the Linux kernel before 5.3.8 allows attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data() failures, aka CID-6402939ec86e.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19075",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc2"
},
{
"id": "CVE-2019-19076",
"summary": "A memory leak in the nfp_abm_u32_knode_replace() function in drivers/net/ethernet/netronome/nfp/abm/cls.c in the Linux kernel before 5.3.6 allows attackers to cause a denial of service (memory consumption), aka CID-78beef629fd9. NOTE: This has been argued as not a valid vulnerability. The upstream commit 78beef629fd9 was reverted",
"scorev2": "7.1",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19076",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-19077",
"summary": "A memory leak in the bnxt_re_create_srq() function in drivers/infiniband/hw/bnxt_re/ib_verbs.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering copy to udata failures, aka CID-4a9d46a9fe14.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19077",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-19078",
"summary": "A memory leak in the ath10k_usb_hif_tx_sg() function in drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-b8d17e7d93d2.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19078",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19079",
"summary": "A memory leak in the qrtr_tun_write_iter() function in net/qrtr/tun.c in the Linux kernel before 5.3 allows attackers to cause a denial of service (memory consumption), aka CID-a21b7f0cff19.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19079",
"detail": "fixed-version",
"description": "Fixed from version 5.3"
},
{
"id": "CVE-2019-19080",
"summary": "Four memory leaks in the nfp_flower_spawn_phy_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel before 5.3.4 allow attackers to cause a denial of service (memory consumption), aka CID-8572cea1461a.",
"scorev2": "7.1",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19080",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-19081",
"summary": "A memory leak in the nfp_flower_spawn_vnic_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel before 5.3.4 allows attackers to cause a denial of service (memory consumption), aka CID-8ce39eb5a67a.",
"scorev2": "7.1",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19081",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-19082",
"summary": "Memory leaks in *create_resource_pool() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption). This affects the dce120_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c, the dce110_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c, the dce100_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c, the dcn10_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c, and the dce112_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c, aka CID-104c307147ad.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19082",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-19083",
"summary": "Memory leaks in *clock_source_create() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel before 5.3.8 allow attackers to cause a denial of service (memory consumption). This affects the dce112_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c, the dce100_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c, the dcn10_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c, the dcn20_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c, the dce120_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c, the dce110_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c, and the dce80_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c, aka CID-055e547478a1.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19083",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc2"
},
{
"id": "CVE-2019-19227",
"summary": "In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19227",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc3"
},
{
"id": "CVE-2019-19241",
"summary": "In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and net/socket.c. For example, an attacker can bypass intended restrictions on adding an IPv4 address to the loopback interface. This occurs because IORING_OP_SENDMSG operations, although requested in the context of an unprivileged user, are sometimes performed by a kernel worker thread without considering that context.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19241",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19252",
"summary": "vcs_write in drivers/tty/vt/vc_screen.c in the Linux kernel through 5.3.13 does not prevent write access to vcsu devices, aka CID-0c9acb1af77a.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19252",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19318",
"summary": "In the Linux kernel 5.3.11, mounting a crafted btrfs image twice can cause an rwsem_down_write_slowpath use-after-free because (in rwsem_can_spin_on_owner in kernel/locking/rwsem.c) rwsem_owner_flags returns an already freed pointer,",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19318",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-19319",
"summary": "In the Linux kernel before 5.2, a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call, aka CID-345c0dbf3a30.",
"scorev2": "4.4",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19319",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-19332",
"summary": "An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service.",
"scorev2": "5.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19332",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19338",
"summary": "A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where, the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19338",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19377",
"summary": "In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and unmounting can lead to a use-after-free in btrfs_queue_work in fs/btrfs/async-thread.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19377",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc1"
},
{
"id": "CVE-2019-19378",
"summary": "In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image can lead to slab-out-of-bounds write access in index_rbio_pages in fs/btrfs/raid56.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19378"
},
{
"id": "CVE-2019-19447",
"summary": "In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19447",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19448",
"summary": "In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to a right data structure.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19448",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc1"
},
{
"id": "CVE-2019-19449",
"summary": "In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can lead to slab-out-of-bounds read access in f2fs_build_segment_manager in fs/f2fs/segment.c, related to init_min_max_mtime in fs/f2fs/segment.c (because the second argument to get_seg_entry is not validated).",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19449",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc1"
},
{
"id": "CVE-2019-19462",
"summary": "relay_open in kernel/relay.c in the Linux kernel through 5.4.1 allows local users to cause a denial of service (such as relay blockage) by triggering a NULL alloc_percpu result.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19462",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc1"
},
{
"id": "CVE-2019-19523",
"summary": "In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19523",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc3"
},
{
"id": "CVE-2019-19524",
"summary": "In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19524",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc8"
},
{
"id": "CVE-2019-19525",
"summary": "In the Linux kernel before 5.3.6, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver, aka CID-7fd25e6fc035.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19525",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc2"
},
{
"id": "CVE-2019-19526",
"summary": "In the Linux kernel before 5.3.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19526",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc4"
},
{
"id": "CVE-2019-19527",
"summary": "In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e.",
"scorev2": "7.2",
"scorev3": "6.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19527",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc4"
},
{
"id": "CVE-2019-19528",
"summary": "In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d.",
"scorev2": "5.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19528",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc3"
},
{
"id": "CVE-2019-19529",
"summary": "In the Linux kernel before 5.3.11, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver, aka CID-4d6636498c41.",
"scorev2": "6.9",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19529",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc7"
},
{
"id": "CVE-2019-19530",
"summary": "In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19530",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc5"
},
{
"id": "CVE-2019-19531",
"summary": "In the Linux kernel before 5.2.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver, aka CID-fc05481b2fca.",
"scorev2": "4.6",
"scorev3": "6.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19531",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc4"
},
{
"id": "CVE-2019-19532",
"summary": "In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.",
"scorev2": "4.6",
"scorev3": "6.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19532",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc6"
},
{
"id": "CVE-2019-19533",
"summary": "In the Linux kernel before 5.3.4, there is an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464.",
"scorev2": "2.1",
"scorev3": "2.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19533",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-19534",
"summary": "In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29.",
"scorev2": "2.1",
"scorev3": "2.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19534",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc7"
},
{
"id": "CVE-2019-19535",
"summary": "In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka CID-30a8beeb3042.",
"scorev2": "2.1",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19535",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc4"
},
{
"id": "CVE-2019-19536",
"summary": "In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver, aka CID-ead16e53c2f0.",
"scorev2": "2.1",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19536",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc4"
},
{
"id": "CVE-2019-19537",
"summary": "In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c.",
"scorev2": "4.7",
"scorev3": "4.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19537",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc5"
},
{
"id": "CVE-2019-19543",
"summary": "In the Linux kernel before 5.1.6, there is a use-after-free in serial_ir_init_module() in drivers/media/rc/serial_ir.c.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19543",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-19602",
"summary": "fpregs_state_valid in arch/x86/include/asm/fpu/internal.h in the Linux kernel before 5.4.2, when GCC 9 is used, allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact because of incorrect fpu_fpregs_owner_ctx caching, as demonstrated by mishandling of signal-based non-cooperative preemption in Go 1.14 prereleases on amd64, aka CID-59c4bd853abc.",
"scorev2": "5.4",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19602",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19767",
"summary": "The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19767",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2019-19768",
"summary": "In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-buffer).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19768",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc4"
},
{
"id": "CVE-2019-19769",
"summary": "In the Linux kernel 5.3.10, there is a use-after-free (read) in the perf_trace_lock_acquire function (related to include/trace/events/lock.h).",
"scorev2": "6.5",
"scorev3": "6.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19769",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc5"
},
{
"id": "CVE-2019-19770",
"summary": "In the Linux kernel 4.19.83, there is a use-after-free (read) in the debugfs_remove function in fs/debugfs/inode.c (which is used to remove a file or directory in debugfs that was previously created with a call to another debugfs function such as debugfs_create_file). NOTE: Linux kernel developers dispute this issue as not being an issue with debugfs, instead this is an issue with misuse of debugfs within blktrace",
"scorev2": "6.4",
"scorev3": "8.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19770",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc1"
},
{
"id": "CVE-2019-19807",
"summary": "In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for a different purpose after refactoring.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19807",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc7"
},
{
"id": "CVE-2019-19813",
"summary": "In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c. This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c, __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19813",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-19814",
"summary": "In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can cause __remove_dirty_segment slab-out-of-bounds write access because an array is bounded by the number of dirty types (8) but the array index can exceed this.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19814"
},
{
"id": "CVE-2019-19815",
"summary": "In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can cause a NULL pointer dereference in f2fs_recover_fsync_data in fs/f2fs/recovery.c. This is related to F2FS_P_SB in fs/f2fs/f2fs.h.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19815",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2019-19816",
"summary": "In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image and performing some operations can cause slab-out-of-bounds write access in __btrfs_map_block in fs/btrfs/volumes.c, because a value of 1 for the number of data stripes is mishandled.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19816",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-19922",
"summary": "kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray requests. An attack does not affect the stability of the kernel; it only causes mismanagement of application execution.)",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19922",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-19927",
"summary": "In the Linux kernel 5.0.0-rc7 (as distributed in ubuntu/linux.git on kernel.ubuntu.com), mounting a crafted f2fs filesystem image and performing some operations can lead to slab-out-of-bounds read access in ttm_put_pages in drivers/gpu/drm/ttm/ttm_page_alloc.c. This is related to the vmwgfx or ttm module.",
"scorev2": "3.6",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19927",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc6"
},
{
"id": "CVE-2019-19947",
"summary": "In the Linux kernel through 5.4.6, there are information leaks of uninitialized memory to a USB device in the drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c driver, aka CID-da2311a6385c.",
"scorev2": "2.1",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19947",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc3"
},
{
"id": "CVE-2019-19965",
"summary": "In the Linux kernel through 5.4.6, there is a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19965",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc2"
},
{
"id": "CVE-2019-19966",
"summary": "In the Linux kernel before 5.1.6, there is a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service, aka CID-dea37a972655.",
"scorev2": "2.1",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19966",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-1999",
"summary": "In binder_alloc_free_page of binder_alloc.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-120025196.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1999",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc3"
},
{
"id": "CVE-2019-20054",
"summary": "In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20054",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc3"
},
{
"id": "CVE-2019-20095",
"summary": "mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will cause a memory leak and denial of service.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20095",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-20096",
"summary": "In the Linux kernel before 5.1, there is a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service, aka CID-1d3ff0950e2b.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20096",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc4"
},
{
"id": "CVE-2019-2024",
"summary": "In em28xx_unregister_dvb of em28xx-dvb.c, there is a possible use after free issue. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-111761954References: Upstream kernel",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-2024",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc1"
},
{
"id": "CVE-2019-2025",
"summary": "In binder_thread_read of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-116855682References: Upstream kernel",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-2025",
"detail": "fixed-version",
"description": "Fixed from version 4.20rc5"
},
{
"id": "CVE-2019-20422",
"summary": "In the Linux kernel before 5.3.4, fib6_rule_lookup in net/ipv6/ip6_fib.c mishandles the RT6_LOOKUP_F_DST_NOREF flag in a reference-count decision, leading to (for example) a crash that was identified by syzkaller, aka CID-7b09c2d052db.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20422",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-2054",
"summary": "In the seccomp implementation prior to kernel version 4.8, there is a possible seccomp bypass due to seccomp policies that allow the use of ptrace. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-119769499",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-2054",
"detail": "fixed-version",
"description": "Fixed from version 4.8rc1"
},
{
"id": "CVE-2019-20636",
"summary": "In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20636",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc6"
},
{
"id": "CVE-2019-20794",
"summary": "An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID namespace's pid 1, it will result in a hung task, and resources being permanently locked up until system reboot. This can result in resource exhaustion.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20794"
},
{
"id": "CVE-2019-20806",
"summary": "An issue was discovered in the Linux kernel before 5.2. There is a NULL pointer dereference in tw5864_handle_frame() in drivers/media/pci/tw5864/tw5864-video.c, which may cause denial of service, aka CID-2e7682ebfc75.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20806",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-20810",
"summary": "go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20810",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc1"
},
{
"id": "CVE-2019-20811",
"summary": "An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20811",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc3"
},
{
"id": "CVE-2019-20812",
"summary": "An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20812",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc3"
},
{
"id": "CVE-2019-20908",
"summary": "An issue was discovered in drivers/firmware/efi/efi.c in the Linux kernel before 5.4. Incorrect access permissions for the efivar_ssdt ACPI variable could be used by attackers to bypass lockdown or secure boot restrictions, aka CID-1957a85b0032.",
"scorev2": "6.9",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20908",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2019-20934",
"summary": "An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.",
"scorev2": "5.4",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20934",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc2"
},
{
"id": "CVE-2019-2101",
"summary": "In uvc_parse_standard_control of uvc_driver.c, there is a possible out-of-bound read due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-111760968.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-2101",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc1"
},
{
"id": "CVE-2019-2181",
"summary": "In binder_transaction of binder.c in the Android kernel, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-2181",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-2182",
"summary": "In the Android kernel in the kernel MMU code there is a possible execution path leaving some kernel text and rodata pages writable. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-2182",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc3"
},
{
"id": "CVE-2019-2213",
"summary": "In binder_free_transaction of binder.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-133758011References: Upstream kernel",
"scorev2": "6.9",
"scorev3": "7.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-2213",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc6"
},
{
"id": "CVE-2019-2214",
"summary": "In binder_transaction of binder.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-136210786References: Upstream kernel",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-2214",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc2"
},
{
"id": "CVE-2019-2215",
"summary": "A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.Product: AndroidAndroid ID: A-141720095",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-2215",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc1"
},
{
"id": "CVE-2019-25044",
"summary": "The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-25044",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc4"
},
{
"id": "CVE-2019-25045",
"summary": "An issue was discovered in the Linux kernel before 5.0.19. The XFRM subsystem has a use-after-free, related to an xfrm_state_fini panic, aka CID-dbb2483b2a46.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-25045",
"detail": "fixed-version",
"description": "Fixed from version 5.1"
},
{
"id": "CVE-2019-25160",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlabel: fix out-of-bounds memory accesses\n\nThere are two array out-of-bounds memory accesses, one in\ncipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk(). Both\nerrors are embarassingly simple, and the fixes are straightforward.\n\nAs a FYI for anyone backporting this patch to kernels prior to v4.8,\nyou'll want to apply the netlbl_bitmap_walk() patch to\ncipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before\nLinux v4.8.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-25160"
},
{
"id": "CVE-2019-25162",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: Fix a potential use after free\n\nFree the adap structure only after we are done using it.\nThis patch just moves the put_device() down a bit to avoid the\nuse after free.\n\n[wsa: added comment to the code, added Fixes tag]",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-25162"
},
{
"id": "CVE-2019-3016",
"summary": "In a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory locations from another process in the same guest. This problem is limit to the host running linux kernel 4.10 with a guest running linux kernel 4.16 or later. The problem mainly affects AMD processors but Intel CPUs cannot be ruled out.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3016",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc1"
},
{
"id": "CVE-2019-3459",
"summary": "A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before 5.1-rc1.",
"scorev2": "3.3",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3459",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc1"
},
{
"id": "CVE-2019-3460",
"summary": "A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found in the Linux kernel before 5.1-rc1.",
"scorev2": "3.3",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3460",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc1"
},
{
"id": "CVE-2019-3701",
"summary": "An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field. The privileged user \"root\" with CAP_NET_ADMIN can create a CAN frame modification rule that makes the data length code a higher value than the available CAN frame data size. In combination with a configured checksum calculation where the result is stored relatively to the end of the data (e.g. cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in skb_shared_info) can be rewritten which finally can cause a system crash. Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3701",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc3"
},
{
"id": "CVE-2019-3819",
"summary": "A flaw was found in the Linux kernel in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged user (\"root\") can cause a system lock up and a denial of service. Versions from v4.18 and newer are vulnerable.",
"scorev2": "4.9",
"scorev3": "4.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3819",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc6"
},
{
"id": "CVE-2019-3837",
"summary": "It was found that the net_dma code in tcp_recvmsg() in the 2.6.32 kernel as shipped in RHEL6 is thread-unsafe. So an unprivileged multi-threaded userspace application calling recvmsg() for the same network socket in parallel executed on ioatdma-enabled hardware with net_dma enabled can leak the memory, crash the host leading to a denial-of-service or cause a random memory corruption.",
"scorev2": "4.9",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3837",
"detail": "fixed-version",
"description": "Fixed from version 3.18rc1"
},
{
"id": "CVE-2019-3846",
"summary": "A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network.",
"scorev2": "8.3",
"scorev3": "8.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3846",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc6"
},
{
"id": "CVE-2019-3874",
"summary": "The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are believed to be vulnerable.",
"scorev2": "3.3",
"scorev3": "5.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3874",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-3882",
"summary": "A flaw was found in the Linux kernel's vfio interface implementation that permits violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS). Versions 3.10, 4.14 and 4.18 are vulnerable.",
"scorev2": "4.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3882",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc4"
},
{
"id": "CVE-2019-3887",
"summary": "A flaw was found in the way KVM hypervisor handled x2APIC Machine Specific Rregister (MSR) access with nested(=1) virtualization enabled. In that, L1 guest could access L0's APIC register values via L2 guest, when 'virtualize x2APIC mode' is enabled. A guest could use this flaw to potentially crash the host kernel resulting in DoS issue. Kernel versions from 4.16 and newer are vulnerable to this issue.",
"scorev2": "4.7",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3887",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc4"
},
{
"id": "CVE-2019-3896",
"summary": "A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3896",
"detail": "fixed-version",
"description": "Fixed from version 2.6.35rc1"
},
{
"id": "CVE-2019-3900",
"summary": "An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario.",
"scorev2": "6.8",
"scorev3": "6.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3900",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc4"
},
{
"id": "CVE-2019-3901",
"summary": "A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs. As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls. This issue affects kernel versions before 4.8.",
"scorev2": "1.9",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3901",
"detail": "fixed-version",
"description": "Fixed from version 4.6rc6"
},
{
"id": "CVE-2019-5108",
"summary": "An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations before the required authentication process has completed. This could lead to different denial-of-service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets to trigger this vulnerability.",
"scorev2": "3.3",
"scorev3": "7.4",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5108",
"detail": "fixed-version",
"description": "Fixed from version 5.3"
},
{
"id": "CVE-2019-5489",
"summary": "The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5489"
},
{
"id": "CVE-2019-6133",
"summary": "In PolicyKit (aka polkit) 0.115, the \"start time\" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c.",
"scorev2": "4.4",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6133",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc2"
},
{
"id": "CVE-2019-6974",
"summary": "In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6974",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc6"
},
{
"id": "CVE-2019-7221",
"summary": "The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7221",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc6"
},
{
"id": "CVE-2019-7222",
"summary": "The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7222",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc6"
},
{
"id": "CVE-2019-7308",
"summary": "kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks.",
"scorev2": "4.7",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7308",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc3"
},
{
"id": "CVE-2019-8912",
"summary": "In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8912",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc8"
},
{
"id": "CVE-2019-8956",
"summary": "In the Linux Kernel before versions 4.20.8 and 4.19.21 a use-after-free error in the \"sctp_sendmsg()\" function (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited to corrupt memory.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8956",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc6"
},
{
"id": "CVE-2019-8980",
"summary": "A memory leak in the kernel_read_file function in fs/exec.c in the Linux kernel through 4.20.11 allows attackers to cause a denial of service (memory consumption) by triggering vfs_read failures.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8980",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc1"
},
{
"id": "CVE-2019-9003",
"summary": "In the Linux kernel before 4.20.5, attackers can trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a \"service ipmievd restart\" loop.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9003",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc4"
},
{
"id": "CVE-2019-9162",
"summary": "In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and write operations possible, leading to an OOPS or local privilege escalation. This affects snmp_version and snmp_helper.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9162",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc7"
},
{
"id": "CVE-2019-9213",
"summary": "In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9213",
"detail": "fixed-version",
"description": "Fixed from version 5.0"
},
{
"id": "CVE-2019-9245",
"summary": "In the Android kernel in the f2fs driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9245",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc1"
},
{
"id": "CVE-2019-9444",
"summary": "In the Android kernel in sync debug fs driver there is a kernel pointer leak due to the usage of printf with %p. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9444",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc2"
},
{
"id": "CVE-2019-9445",
"summary": "In the Android kernel in F2FS driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9445",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc1"
},
{
"id": "CVE-2019-9453",
"summary": "In the Android kernel in F2FS touch driver there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9453",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2019-9454",
"summary": "In the Android kernel in i2c driver there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9454",
"detail": "fixed-version",
"description": "Fixed from version 4.15rc9"
},
{
"id": "CVE-2019-9455",
"summary": "In the Android kernel in the video driver there is a kernel pointer leak due to a WARN_ON statement. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.",
"scorev2": "2.1",
"scorev3": "2.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9455",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc1"
},
{
"id": "CVE-2019-9456",
"summary": "In the Android kernel in Pixel C USB monitor driver there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9456",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc6"
},
{
"id": "CVE-2019-9458",
"summary": "In the Android kernel in the video driver there is a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9458",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc7"
},
{
"id": "CVE-2019-9500",
"summary": "The Broadcom brcmfmac WiFi driver prior to commit 1b5e2423164b3670e8bc9174e4762d297990deff is vulnerable to a heap buffer overflow. If the Wake-up on Wireless LAN functionality is configured, a malicious event frame can be constructed to trigger an heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited with compromised chipsets to compromise the host, or when used in combination with CVE-2019-9503, can be used remotely. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.",
"scorev2": "7.9",
"scorev3": "8.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9500",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc1"
},
{
"id": "CVE-2019-9503",
"summary": "The Broadcom brcmfmac WiFi driver prior to commit a4176ec356c73a46c07c181c6d04039fafa34a9f is vulnerable to a frame validation bypass. If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and unprocessed. If the driver receives the firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed if the bus used is USB (for instance by a wifi dongle). This can allow firmware event frames from a remote source to be processed. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.",
"scorev2": "7.9",
"scorev3": "8.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9503",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc1"
},
{
"id": "CVE-2019-9506",
"summary": "The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka \"KNOB\") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.",
"scorev2": "4.8",
"scorev3": "7.6",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9506",
"detail": "fixed-version",
"description": "Fixed from version 5.2"
},
{
"id": "CVE-2019-9857",
"summary": "In the Linux kernel through 5.0.2, the function inotify_update_existing_watch() in fs/notify/inotify/inotify_user.c neglects to call fsnotify_put_mark() with IN_MASK_CREATE after fsnotify_find_mark(), which will cause a memory leak (aka refcount leak). Finally, this will cause a denial of service.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9857",
"detail": "fixed-version",
"description": "Fixed from version 5.1rc2"
},
{
"id": "CVE-2020-0009",
"summary": "In calc_vm_may_flags of ashmem.c, there is a possible arbitrary write to shared memory due to a permissions bypass. This could lead to local escalation of privilege by corrupting memory shared between processes, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-142938932",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0009",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc3"
},
{
"id": "CVE-2020-0030",
"summary": "In binder_thread_release of binder.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-145286050References: Upstream kernel",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0030",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc3"
},
{
"id": "CVE-2020-0041",
"summary": "In binder_transaction of binder.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-145988638References: Upstream kernel",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0041",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc2"
},
{
"id": "CVE-2020-0066",
"summary": "In the netlink driver, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-65025077",
"scorev2": "6.9",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0066",
"detail": "fixed-version",
"description": "Fixed from version 4.3rc7"
},
{
"id": "CVE-2020-0067",
"summary": "In f2fs_xattr_generic_list of xattr.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not required for exploitation.Product: Android. Versions: Android kernel. Android ID: A-120551147.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0067",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2020-0110",
"summary": "In psi_write of psi.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-148159562References: Upstream kernel",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0110",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc2"
},
{
"id": "CVE-2020-0305",
"summary": "In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-153467744",
"scorev2": "4.4",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0305",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc6"
},
{
"id": "CVE-2020-0404",
"summary": "In uvc_scan_chain_forward of uvc_driver.c, there is a possible linked list corruption due to an unusual root cause. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-111893654References: Upstream kernel",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0404",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc1"
},
{
"id": "CVE-2020-0423",
"summary": "In binder_release_work of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-161151868References: N/A",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0423",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc1"
},
{
"id": "CVE-2020-0427",
"summary": "In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-140550171",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0427",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2020-0429",
"summary": "In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-152735806",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0429",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc4"
},
{
"id": "CVE-2020-0430",
"summary": "In skb_headlen of /include/linux/skbuff.h, there is a possible out of bounds read due to memory corruption. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-153881554",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0430",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc1"
},
{
"id": "CVE-2020-0431",
"summary": "In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-144161459",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0431",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc6"
},
{
"id": "CVE-2020-0432",
"summary": "In skb_to_mamac of networking.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-143560807",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0432",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc1"
},
{
"id": "CVE-2020-0433",
"summary": "In blk_mq_queue_tag_busy_iter of blk-mq-tag.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-151939299",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0433",
"detail": "fixed-version",
"description": "Fixed from version 4.19rc1"
},
{
"id": "CVE-2020-0444",
"summary": "In audit_free_lsm_field of auditfilter.c, there is a possible bad kfree due to a logic error in audit_data_to_entry. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-150693166References: Upstream kernel",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0444",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc4"
},
{
"id": "CVE-2020-0465",
"summary": "In various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-162844689References: Upstream kernel",
"scorev2": "7.2",
"scorev3": "6.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0465",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc4"
},
{
"id": "CVE-2020-0466",
"summary": "In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-147802478References: Upstream kernel",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0466",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc2"
},
{
"id": "CVE-2020-0543",
"summary": "Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0543",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc1"
},
{
"id": "CVE-2020-10135",
"summary": "Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2 and earlier may allow an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key.",
"scorev2": "4.8",
"scorev3": "5.4",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10135",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc1"
},
{
"id": "CVE-2020-10690",
"summary": "There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed, it can cause an exploitable condition as the process wakes up to terminate and clean all attached files. The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the inode.",
"scorev2": "4.4",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10690",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc5"
},
{
"id": "CVE-2020-10711",
"summary": "A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. While processing the CIPSO restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network user to crash the system kernel, resulting in a denial of service.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10711",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc6"
},
{
"id": "CVE-2020-10720",
"summary": "A flaw was found in the Linux kernel's implementation of GRO in versions before 5.2. This flaw allows an attacker with local access to crash the system.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10720",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc3"
},
{
"id": "CVE-2020-10732",
"summary": "A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an attacker with a local account to crash a trivial program and exfiltrate private kernel data.",
"scorev2": "3.6",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10732",
"detail": "fixed-version",
"description": "Fixed from version 5.7"
},
{
"id": "CVE-2020-10742",
"summary": "A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause a kernel panic. The highest threat from this vulnerability is to data confidentiality and system availability.",
"scorev2": "3.6",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10742",
"detail": "fixed-version",
"description": "Fixed from version 3.16rc1"
},
{
"id": "CVE-2020-10751",
"summary": "A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.",
"scorev2": "3.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10751",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc4"
},
{
"id": "CVE-2020-10757",
"summary": "A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the way mremap handled DAX Huge Pages. This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the system.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10757",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc1"
},
{
"id": "CVE-2020-10766",
"summary": "A logic bug flaw was found in Linux kernel before 5.8-rc1 in the implementation of SSBD. A bug in the logic handling allows an attacker with a local account to disable SSBD protection during a context switch when additional speculative execution mitigations are in place. This issue was introduced when the per task/process conditional STIPB switching was added on top of the existing SSBD switching. The highest threat from this vulnerability is to confidentiality.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10766",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc1"
},
{
"id": "CVE-2020-10767",
"summary": "A flaw was found in the Linux kernel before 5.8-rc1 in the implementation of the Enhanced IBPB (Indirect Branch Prediction Barrier). The IBPB mitigation will be disabled when STIBP is not available or when the Enhanced Indirect Branch Restricted Speculation (IBRS) is available. This flaw allows a local attacker to perform a Spectre V2 style attack when this configuration is active. The highest threat from this vulnerability is to confidentiality.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10767",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc1"
},
{
"id": "CVE-2020-10768",
"summary": "A flaw was found in the Linux Kernel before 5.8-rc1 in the prctl() function, where it can be used to enable indirect branch speculation after it has been disabled. This call incorrectly reports it as being 'force disabled' when it is not and opens the system to Spectre v2 attacks. The highest threat from this vulnerability is to confidentiality.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10768",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc1"
},
{
"id": "CVE-2020-10769",
"summary": "A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4 bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat, leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of service.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10769",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc3"
},
{
"id": "CVE-2020-10773",
"summary": "A stack information leak flaw was found in s390/s390x in the Linux kernel\u2019s memory manager functionality, where it incorrectly writes to the /proc/sys/vm/cmm_timeout file. This flaw allows a local user to see the kernel data.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10773",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc6"
},
{
"id": "CVE-2020-10774",
"summary": "A memory disclosure flaw was found in the Linux kernel's versions before 4.18.0-193.el8 in the sysctl subsystem when reading the /proc/sys/kernel/rh_features file. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10774"
},
{
"id": "CVE-2020-10781",
"summary": "A flaw was found in the Linux Kernel before 5.8-rc6 in the ZRAM kernel module, where a user with a local account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in the /dev/ directory. This read allocates kernel memory and is not accounted for a user that triggers the creation of that ZRAM device. With this vulnerability, continually reading the device may consume a large amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random userspace processes, possibly making the system inoperable.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10781",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc6"
},
{
"id": "CVE-2020-10942",
"summary": "In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls.",
"scorev2": "5.4",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10942",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc4"
},
{
"id": "CVE-2020-11494",
"summary": "An issue was discovered in slc_bump in drivers/net/can/slcan.c in the Linux kernel 3.16 through 5.6.2. It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-b9258a2cece4.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11494",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc1"
},
{
"id": "CVE-2020-11565",
"summary": "An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability because the issue \u201cis a bug in parsing mount options which can only be specified by a privileged user, so triggering the bug does not grant any powers not already held.\u201d",
"scorev2": "3.6",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11565",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc1"
},
{
"id": "CVE-2020-11608",
"summary": "An issue was discovered in the Linux kernel before 5.6.1. drivers/media/usb/gspca/ov519.c allows NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints, aka CID-998912346c0d.",
"scorev2": "4.9",
"scorev3": "4.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11608",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc1"
},
{
"id": "CVE-2020-11609",
"summary": "An issue was discovered in the stv06xx subsystem in the Linux kernel before 5.6.1. drivers/media/usb/gspca/stv06xx/stv06xx.c and drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c mishandle invalid descriptors, as demonstrated by a NULL pointer dereference, aka CID-485b06aadb93.",
"scorev2": "4.9",
"scorev3": "4.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11609",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc1"
},
{
"id": "CVE-2020-11668",
"summary": "In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770.",
"scorev2": "5.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11668",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc1"
},
{
"id": "CVE-2020-11669",
"summary": "An issue was discovered in the Linux kernel before 5.2 on the powerpc platform. arch/powerpc/kernel/idle_book3s.S does not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka CID-53a712bae5dd.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11669",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2020-11725",
"summary": "snd_ctl_elem_add in sound/core/control.c in the Linux kernel through 5.6.3 has a count=info->owner line, which later affects a private_size*count multiplication for unspecified \"interesting side effects.\" NOTE: kernel engineers dispute this finding, because it could be relevant only if new callers were added that were unfamiliar with the misuse of the info->owner field to represent data unrelated to the \"owner\" concept. The existing callers, SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE, have been designed to misuse the info->owner field in a safe way",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11725"
},
{
"id": "CVE-2020-11884",
"summary": "In the Linux kernel 4.19 through 5.6.7 on the s390 platform, code execution may occur because of a race condition, as demonstrated by code in enable_sacf_uaccess in arch/s390/lib/uaccess.c that fails to protect against a concurrent page table upgrade, aka CID-3f777e19d171. A crash could also occur.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11884",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc4"
},
{
"id": "CVE-2020-12114",
"summary": "A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12114",
"detail": "fixed-version",
"description": "Fixed from version 5.3rc1"
},
{
"id": "CVE-2020-12351",
"summary": "Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.",
"scorev2": "5.8",
"scorev3": "8.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12351",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc1"
},
{
"id": "CVE-2020-12352",
"summary": "Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.",
"scorev2": "3.3",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12352",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc1"
},
{
"id": "CVE-2020-12362",
"summary": "Integer overflow in the firmware for some Intel(R) Graphics Drivers for Windows * before version 26.20.100.7212 and before Linux kernel version 5.5 may allow a privileged user to potentially enable an escalation of privilege via local access.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12362",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc1"
},
{
"id": "CVE-2020-12363",
"summary": "Improper input validation in some Intel(R) Graphics Drivers for Windows* before version 26.20.100.7212 and before Linux kernel version 5.5 may allow a privileged user to potentially enable a denial of service via local access.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12363",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc1"
},
{
"id": "CVE-2020-12364",
"summary": "Null pointer reference in some Intel(R) Graphics Drivers for Windows* before version 26.20.100.7212 and before version Linux kernel version 5.5 may allow a privileged user to potentially enable a denial of service via local access.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12364",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc1"
},
{
"id": "CVE-2020-12464",
"summary": "usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12464",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc3"
},
{
"id": "CVE-2020-12465",
"summary": "An array overflow was discovered in mt76_add_fragment in drivers/net/wireless/mediatek/mt76/dma.c in the Linux kernel before 5.5.10, aka CID-b102f0c522cf. An oversized packet with too many rx fragments can corrupt memory of adjacent pages.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12465",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc6"
},
{
"id": "CVE-2020-12652",
"summary": "The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the Linux kernel before 5.4.14 allows local users to hold an incorrect lock during the ioctl operation and trigger a race condition, i.e., a \"double fetch\" vulnerability, aka CID-28d76df18f0a. NOTE: the vendor states \"The security impact of this bug is not as bad as it could have been because these operations are all privileged and root already has enormous destructive power.\"",
"scorev2": "4.7",
"scorev3": "4.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12652",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc7"
},
{
"id": "CVE-2020-12653",
"summary": "An issue was found in Linux kernel before 5.5.4. The mwifiex_cmd_append_vsie_tlv() function in drivers/net/wireless/marvell/mwifiex/scan.c allows local users to gain privileges or cause a denial of service because of an incorrect memcpy and buffer overflow, aka CID-b70261a288ea.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12653",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc1"
},
{
"id": "CVE-2020-12654",
"summary": "An issue was found in Linux kernel before 5.5.4. mwifiex_ret_wmm_get_status() in drivers/net/wireless/marvell/mwifiex/wmm.c allows a remote AP to trigger a heap-based buffer overflow because of an incorrect memcpy, aka CID-3a9b153c5591.",
"scorev2": "4.3",
"scorev3": "7.1",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12654",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc1"
},
{
"id": "CVE-2020-12655",
"summary": "An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12655",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc1"
},
{
"id": "CVE-2020-12656",
"summary": "gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_gss_krb5 implementation in the Linux kernel through 5.6.10 lacks certain domain_release calls, leading to a memory leak. Note: This was disputed with the assertion that the issue does not grant any access not already available. It is a problem that on unloading a specific kernel module some memory is leaked, but loading kernel modules is a privileged operation. A user could also write a kernel module to consume any amount of memory they like and load that replicating the effect of this bug",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12656",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc1"
},
{
"id": "CVE-2020-12657",
"summary": "An issue was discovered in the Linux kernel before 5.6.5. There is a use-after-free in block/bfq-iosched.c related to bfq_idle_slice_timer_body.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12657",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc1"
},
{
"id": "CVE-2020-12659",
"summary": "An issue was discovered in the Linux kernel before 5.6.7. xdp_umem_reg in net/xdp/xdp_umem.c has an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) because of a lack of headroom validation.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12659",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc2"
},
{
"id": "CVE-2020-12768",
"summary": "An issue was discovered in the Linux kernel before 5.6. svm_cpu_uninit in arch/x86/kvm/svm.c has a memory leak, aka CID-d80b64ff297e. NOTE: third parties dispute this issue because it's a one-time leak at the boot, the size is negligible, and it can't be triggered at will",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12768",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc4"
},
{
"id": "CVE-2020-12769",
"summary": "An issue was discovered in the Linux kernel before 5.4.17. drivers/spi/spi-dw.c allows attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one, aka CID-19b61392c5a8.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12769",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc6"
},
{
"id": "CVE-2020-12770",
"summary": "An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12770",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc3"
},
{
"id": "CVE-2020-12771",
"summary": "An issue was discovered in the Linux kernel through 5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c has a deadlock if a coalescing operation fails.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12771",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc2"
},
{
"id": "CVE-2020-12826",
"summary": "A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2. Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat.",
"scorev2": "4.4",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12826",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc1"
},
{
"id": "CVE-2020-12888",
"summary": "The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory space.",
"scorev2": "4.7",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12888",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc1"
},
{
"id": "CVE-2020-12912",
"summary": "A potential vulnerability in the AMD extension to Linux \"hwmon\" service may allow an attacker to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. In line with industry partners, AMD has updated the RAPL interface to require privileged access.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12912",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc4"
},
{
"id": "CVE-2020-13143",
"summary": "gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c in the Linux kernel 3.16 through 5.6.13 relies on kstrdup without considering the possibility of an internal '\\0' value, which allows attackers to trigger an out-of-bounds read, aka CID-15753588bcd4.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13143",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc6"
},
{
"id": "CVE-2020-13974",
"summary": "An issue was discovered in the Linux kernel 4.4 through 5.7.1. drivers/tty/vt/keyboard.c has an integer overflow if k_ascii is called several times in a row, aka CID-b86dab054059. NOTE: Members in the community argue that the integer overflow does not lead to a security issue in this case.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13974",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc1"
},
{
"id": "CVE-2020-14304",
"summary": "A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14304"
},
{
"id": "CVE-2020-14305",
"summary": "An out-of-bounds memory write flaw was found in how the Linux kernel\u2019s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "8.3",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14305",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc1"
},
{
"id": "CVE-2020-14314",
"summary": "A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists. The highest threat from this vulnerability is to system availability.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14314",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc2"
},
{
"id": "CVE-2020-14331",
"summary": "A flaw was found in the Linux kernel\u2019s implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "7.2",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14331",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc1"
},
{
"id": "CVE-2020-14351",
"summary": "A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14351",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc1"
},
{
"id": "CVE-2020-14356",
"summary": "A flaw null pointer dereference in the Linux kernel cgroupv2 subsystem in versions before 5.7.10 was found in the way when reboot the system. A local user could use this flaw to crash the system or escalate their privileges on the system.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14356",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc5"
},
{
"id": "CVE-2020-14381",
"summary": "A flaw was found in the Linux kernel\u2019s futex implementation. This flaw allows a local attacker to corrupt system memory or escalate their privileges when creating a futex on a filesystem that is about to be unmounted. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14381",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc6"
},
{
"id": "CVE-2020-14385",
"summary": "A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability.",
"scorev2": "4.7",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14385",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc4"
},
{
"id": "CVE-2020-14386",
"summary": "A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14386",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc4"
},
{
"id": "CVE-2020-14390",
"summary": "A flaw was found in the Linux kernel in versions before 5.9-rc6. When changing screen size, an out-of-bounds memory write can occur leading to memory corruption or a denial of service. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.",
"scorev2": "4.6",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14390",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc6"
},
{
"id": "CVE-2020-14416",
"summary": "In the Linux kernel before 5.4.16, a race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c.",
"scorev2": "4.7",
"scorev3": "4.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14416",
"detail": "fixed-version",
"description": "Fixed from version 5.5"
},
{
"id": "CVE-2020-15393",
"summary": "In the Linux kernel 4.4 through 5.7.6, usbtest_disconnect in drivers/usb/misc/usbtest.c has a memory leak, aka CID-28ebeb8db770.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15393",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc3"
},
{
"id": "CVE-2020-15436",
"summary": "Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15436",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc2"
},
{
"id": "CVE-2020-15437",
"summary": "The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in drivers/tty/serial/8250/8250_core.c:serial8250_isa_init_ports() that allows local users to cause a denial of service by using the p->serial_in pointer which uninitialized.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15437",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc7"
},
{
"id": "CVE-2020-15780",
"summary": "An issue was discovered in drivers/acpi/acpi_configfs.c in the Linux kernel before 5.7.7. Injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15780",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc3"
},
{
"id": "CVE-2020-15852",
"summary": "An issue was discovered in the Linux kernel 5.5 through 5.7.9, as used in Xen through 4.13.x for x86 PV guests. An attacker may be granted the I/O port permissions of an unrelated task. This occurs because tss_invalidate_io_bitmap mishandling causes a loss of synchronization between the I/O bitmaps of TSS and Xen, aka CID-cadfad870154.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15852",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc6"
},
{
"id": "CVE-2020-16119",
"summary": "Use-after-free vulnerability in the Linux kernel exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid object as a listener after being released. Fixed in Ubuntu Linux kernel 5.4.0-51.56, 5.3.0-68.63, 4.15.0-121.123, 4.4.0-193.224, 3.13.0.182.191 and 3.2.0-149.196.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16119",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc2"
},
{
"id": "CVE-2020-16120",
"summary": "Overlayfs did not properly perform permission checking when copying up files in an overlayfs and could be exploited from within a user namespace, if, for example, unprivileged user namespaces were allowed. It was possible to have a file not readable by an unprivileged user to be copied to a mountpoint controlled by the user, like a removable device. This was introduced in kernel version 4.19 by commit d1d04ef (\"ovl: stack file ops\"). This was fixed in kernel version 5.8 by commits 56230d9 (\"ovl: verify permissions in ovl_path_open()\"), 48bd024 (\"ovl: switch to mounter creds in readdir\") and 05acefb (\"ovl: check permission to open real file\"). Additionally, commits 130fdbc (\"ovl: pass correct flags for opening real directory\") and 292f902 (\"ovl: call secutiry hook in ovl_real_ioctl()\") in kernel 5.8 might also be desired or necessary. These additional commits introduced a regression in overlay mounts within user namespaces which prevented access to files with ownership outside of the user namespace. This regression was mitigated by subsequent commit b6650da (\"ovl: do not fail because of O_NOATIMEi\") in kernel 5.11.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16120",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc1"
},
{
"id": "CVE-2020-16166",
"summary": "The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to drivers/char/random.c and kernel/time/timer.c.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16166",
"detail": "fixed-version",
"description": "Fixed from version 5.8"
},
{
"id": "CVE-2020-1749",
"summary": "A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1749",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2020-24394",
"summary": "In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the current umask is not considered.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24394",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc4"
},
{
"id": "CVE-2020-24490",
"summary": "Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. This affects all Linux kernel versions that support BlueZ.",
"scorev2": "3.3",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24490",
"detail": "fixed-version",
"description": "Fixed from version 5.8"
},
{
"id": "CVE-2020-24504",
"summary": "Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24504",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2020-24586",
"summary": "The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.",
"scorev2": "2.9",
"scorev3": "3.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24586",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc4"
},
{
"id": "CVE-2020-24587",
"summary": "The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.",
"scorev2": "1.8",
"scorev3": "2.6",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24587",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc4"
},
{
"id": "CVE-2020-24588",
"summary": "The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets.",
"scorev2": "2.9",
"scorev3": "3.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24588",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc4"
},
{
"id": "CVE-2020-25211",
"summary": "In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.",
"scorev2": "3.6",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25211",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc7"
},
{
"id": "CVE-2020-25212",
"summary": "A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25212",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc1"
},
{
"id": "CVE-2020-25220",
"summary": "The Linux kernel 4.9.x before 4.9.233, 4.14.x before 4.14.194, and 4.19.x before 4.19.140 has a use-after-free because skcd->no_refcnt was not considered during a backport of a CVE-2020-14356 patch. This is related to the cgroups feature.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25220"
},
{
"id": "CVE-2020-25221",
"summary": "get_gate_page in mm/gup.c in the Linux kernel 5.7.x and 5.8.x before 5.8.7 allows privilege escalation because of incorrect reference counting (caused by gate page mishandling) of the struct page that backs the vsyscall page. The result is a refcount underflow. This can be triggered by any 64-bit process that can use ptrace() or process_vm_readv(), aka CID-9fa2dd946743.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25221",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc4"
},
{
"id": "CVE-2020-25284",
"summary": "The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap rbd block devices, aka CID-f44d04e696fe.",
"scorev2": "1.9",
"scorev3": "4.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25284",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc5"
},
{
"id": "CVE-2020-25285",
"summary": "A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified other impact, aka CID-17743798d812.",
"scorev2": "4.4",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25285",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc4"
},
{
"id": "CVE-2020-25639",
"summary": "A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw allows a local user to crash the system.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25639",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2020-25641",
"summary": "A flaw was found in the Linux kernel's implementation of biovecs in versions before 5.9-rc7. A zero-length biovec request issued by the block subsystem could cause the kernel to enter an infinite loop, causing a denial of service. This flaw allows a local attacker with basic privileges to issue requests to a block device, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25641",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc4"
},
{
"id": "CVE-2020-25643",
"summary": "A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "7.5",
"scorev3": "7.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25643",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc7"
},
{
"id": "CVE-2020-25645",
"summary": "A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25645",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc7"
},
{
"id": "CVE-2020-25656",
"summary": "A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. The highest threat from this vulnerability is to data confidentiality.",
"scorev2": "1.9",
"scorev3": "4.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25656",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc2"
},
{
"id": "CVE-2020-25668",
"summary": "A flaw was found in Linux Kernel because access to the global variable fg_console is not properly synchronized leading to a use after free in con_font_op.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25668",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc3"
},
{
"id": "CVE-2020-25669",
"summary": "A vulnerability was found in the Linux Kernel where the function sunkbd_reinit having been scheduled by sunkbd_interrupt before sunkbd being freed. Though the dangling pointer is set to NULL in sunkbd_disconnect, there is still an alias in sunkbd_reinit causing Use After Free.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25669",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc5"
},
{
"id": "CVE-2020-25670",
"summary": "A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25670",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc7"
},
{
"id": "CVE-2020-25671",
"summary": "A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-free which might lead to privilege escalations.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25671",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc7"
},
{
"id": "CVE-2020-25672",
"summary": "A memory leak vulnerability was found in Linux kernel in llcp_sock_connect",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25672",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc7"
},
{
"id": "CVE-2020-25673",
"summary": "A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak and eventually hanging-up the system.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25673",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc7"
},
{
"id": "CVE-2020-25704",
"summary": "A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of service.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25704",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc3"
},
{
"id": "CVE-2020-25705",
"summary": "A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw allows an off-path remote attacker to effectively bypass source port UDP randomization. Software that relies on UDP source port randomization are indirectly affected as well on the Linux Based Products (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4, SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7 LTE EU: Version",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25705",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc1"
},
{
"id": "CVE-2020-26088",
"summary": "A missing CAP_NET_RAW check in NFC socket creation in net/nfc/rawsock.c in the Linux kernel before 5.8.2 could be used by local attackers to create raw sockets, bypassing security mechanisms, aka CID-26896f01467a.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-26088",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc1"
},
{
"id": "CVE-2020-26139",
"summary": "An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients.",
"scorev2": "2.9",
"scorev3": "5.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-26139",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc4"
},
{
"id": "CVE-2020-26141",
"summary": "An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.",
"scorev2": "3.3",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-26141",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc4"
},
{
"id": "CVE-2020-26145",
"summary": "An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.",
"scorev2": "3.3",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-26145",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc4"
},
{
"id": "CVE-2020-26147",
"summary": "An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.",
"scorev2": "3.2",
"scorev3": "5.4",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-26147",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc4"
},
{
"id": "CVE-2020-26541",
"summary": "The Linux kernel through 5.8.13 does not properly enforce the Secure Boot Forbidden Signature Database (aka dbx) protection mechanism. This affects certs/blacklist.c and certs/system_keyring.c.",
"scorev2": "6.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-26541",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc1"
},
{
"id": "CVE-2020-26555",
"summary": "Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN.",
"scorev2": "4.8",
"scorev3": "5.4",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-26555",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc1"
},
{
"id": "CVE-2020-26558",
"summary": "Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.",
"scorev2": "4.3",
"scorev3": "4.2",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-26558",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc1"
},
{
"id": "CVE-2020-27066",
"summary": "In xfrm6_tunnel_free_spi of net/ipv6/xfrm6_tunnel.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-168043318",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27066",
"detail": "fixed-version",
"description": "Fixed from version 5.6"
},
{
"id": "CVE-2020-27067",
"summary": "In the l2tp subsystem, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-152409173",
"scorev2": "4.4",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27067",
"detail": "fixed-version",
"description": "Fixed from version 4.14rc4"
},
{
"id": "CVE-2020-27068",
"summary": "Product: AndroidVersions: Android kernelAndroid ID: A-127973231References: Upstream kernel",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27068",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc2"
},
{
"id": "CVE-2020-27152",
"summary": "An issue was discovered in ioapic_lazy_update_eoi in arch/x86/kvm/ioapic.c in the Linux kernel before 5.9.2. It has an infinite loop related to improper interaction between a resampler and edge triggering, aka CID-77377064c3a9.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27152",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc1"
},
{
"id": "CVE-2020-27170",
"summary": "An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27170",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc5"
},
{
"id": "CVE-2020-27171",
"summary": "An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.",
"scorev2": "3.6",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27171",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc5"
},
{
"id": "CVE-2020-27194",
"summary": "An issue was discovered in the Linux kernel before 5.8.15. scalar32_min_max_or in kernel/bpf/verifier.c mishandles bounds tracking during use of 64-bit values, aka CID-5b9fbeb75b6a.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27194",
"detail": "fixed-version",
"description": "Fixed from version 5.9"
},
{
"id": "CVE-2020-2732",
"summary": "A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest.",
"scorev2": "2.3",
"scorev3": "6.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-2732",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc4"
},
{
"id": "CVE-2020-27418",
"summary": "A Use After Free vulnerability in Fedora Linux kernel 5.9.0-rc9 allows attackers to obatin sensitive information via vgacon_invert_region() function.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27418",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc5"
},
{
"id": "CVE-2020-27673",
"summary": "An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27673",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc1"
},
{
"id": "CVE-2020-27675",
"summary": "An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race condition). This can cause a use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash via events for an in-reconfiguration paravirtualized device, aka CID-073d0552ead5.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27675",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc1"
},
{
"id": "CVE-2020-27777",
"summary": "A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27777",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc1"
},
{
"id": "CVE-2020-27784",
"summary": "A vulnerability was found in the Linux kernel, where accessing a deallocated instance in printer_ioctl() printer_ioctl() tries to access of a printer_dev instance. However, use-after-free arises because it had been freed by gprinter_free().",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27784",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc1"
},
{
"id": "CVE-2020-27786",
"summary": "A flaw was found in the Linux kernel\u2019s implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to this specific memory while freed and before use causes the flow of execution to change and possibly allow for memory corruption or privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27786",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc6"
},
{
"id": "CVE-2020-27815",
"summary": "A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the ability to set extended attributes to panic the system, causing memory corruption or escalating privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "6.1",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27815",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc1"
},
{
"id": "CVE-2020-27820",
"summary": "A vulnerability was found in Linux kernel, where a use-after-frees in nouveau's postclose() handler could happen if removing device (that is not common to remove video card physically without power-off, but same happens if \"unbind\" the driver).",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27820",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc1"
},
{
"id": "CVE-2020-27825",
"summary": "A use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux kernel (before 5.10-rc1). There was a race problem in trace_open and resize of cpu buffer running parallely on different cpus, may cause a denial of service problem (DOS). This flaw could even allow a local attacker with special user privilege to a kernel information leak threat.",
"scorev2": "5.4",
"scorev3": "5.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27825",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc1"
},
{
"id": "CVE-2020-27830",
"summary": "A vulnerability was found in Linux Kernel where in the spk_ttyio_receive_buf2() function, it would dereference spk_ttyio_synth without checking whether it is NULL or not, and may lead to a NULL-ptr deref crash.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27830",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc7"
},
{
"id": "CVE-2020-27835",
"summary": "A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27835",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc6"
},
{
"id": "CVE-2020-28097",
"summary": "The vgacon subsystem in the Linux kernel before 5.8.10 mishandles software scrollback. There is a vgacon_scrolldelta out-of-bounds read, aka CID-973c096f6a85.",
"scorev2": "3.6",
"scorev3": "5.9",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28097",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc6"
},
{
"id": "CVE-2020-28374",
"summary": "In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore.",
"scorev2": "5.5",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28374",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc4"
},
{
"id": "CVE-2020-28588",
"summary": "An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so it\u2019s likely that all versions in between are affected. An attacker can read /proc/pid/syscall to trigger this vulnerability, which leads to the kernel leaking memory contents.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28588",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc7"
},
{
"id": "CVE-2020-28915",
"summary": "A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def.",
"scorev2": "6.1",
"scorev3": "5.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28915",
"detail": "fixed-version",
"description": "Fixed from version 5.9"
},
{
"id": "CVE-2020-28941",
"summary": "An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9. Local attackers on systems with the speakup driver could cause a local denial of service attack, aka CID-d41227544427. This occurs because of an invalid free when the line discipline is used more than once.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28941",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc5"
},
{
"id": "CVE-2020-28974",
"summary": "A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height.",
"scorev2": "6.1",
"scorev3": "5.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28974",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc3"
},
{
"id": "CVE-2020-29368",
"summary": "An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29368",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc1"
},
{
"id": "CVE-2020-29369",
"summary": "An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29369",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc7"
},
{
"id": "CVE-2020-29370",
"summary": "An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29370",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc7"
},
{
"id": "CVE-2020-29371",
"summary": "An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29371",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc2"
},
{
"id": "CVE-2020-29372",
"summary": "An issue was discovered in do_madvise in mm/madvise.c in the Linux kernel before 5.6.8. There is a race condition between coredump operations and the IORING_OP_MADVISE implementation, aka CID-bc0c4d1e176e.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29372",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc3"
},
{
"id": "CVE-2020-29373",
"summary": "An issue was discovered in fs/io_uring.c in the Linux kernel before 5.6. It unsafely handles the root directory during path lookups, and thus a process inside a mount namespace can escape to unintended filesystem locations, aka CID-ff002b30181d.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29373",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc2"
},
{
"id": "CVE-2020-29374",
"summary": "An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. The get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider the semantics of read operations and therefore can grant unintended write access, aka CID-17839856fd58.",
"scorev2": "3.3",
"scorev3": "3.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29374",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc1"
},
{
"id": "CVE-2020-29534",
"summary": "An issue was discovered in the Linux kernel before 5.9.3. io_uring takes a non-refcounted reference to the files_struct of the process that submitted a request, causing execve() to incorrectly optimize unshare_fd(), aka CID-0f2122045b94.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29534",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc1"
},
{
"id": "CVE-2020-29568",
"summary": "An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29568",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc1"
},
{
"id": "CVE-2020-29569",
"summary": "An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.",
"scorev2": "7.2",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29569",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc1"
},
{
"id": "CVE-2020-29660",
"summary": "A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29660",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc7"
},
{
"id": "CVE-2020-29661",
"summary": "A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29661",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc7"
},
{
"id": "CVE-2020-35499",
"summary": "A NULL pointer dereference flaw in Linux kernel versions prior to 5.11 may be seen if sco_sock_getsockopt function in net/bluetooth/sco.c do not have a sanity check for a socket connection, when using BT_SNDMTU/BT_RCVMTU for SCO sockets. This could allow a local attacker with a special user privilege to crash the system (DOS) or leak kernel internal information.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35499",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc1"
},
{
"id": "CVE-2020-35501",
"summary": "A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem",
"scorev2": "3.6",
"scorev3": "3.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35501"
},
{
"id": "CVE-2020-35508",
"summary": "A flaw possibility of race condition and incorrect initialization of the process id was found in the Linux kernel child/parent process identification handling while filtering signal handlers. A local attacker is able to abuse this flaw to bypass checks to send any signal to a privileged process.",
"scorev2": "4.4",
"scorev3": "4.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35508",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc3"
},
{
"id": "CVE-2020-35513",
"summary": "A flaw incorrect umask during file or directory modification in the Linux kernel NFS (network file system) functionality was found in the way user create and delete object using NFSv4.2 or newer if both simultaneously accessing the NFS by the other process that is not using new NFSv4.2. A user with access to the NFS could use this flaw to starve the resources causing denial of service.",
"scorev2": "4.0",
"scorev3": "4.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35513",
"detail": "fixed-version",
"description": "Fixed from version 4.17rc1"
},
{
"id": "CVE-2020-35519",
"summary": "An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35519",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc7"
},
{
"id": "CVE-2020-36158",
"summary": "mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36158",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc1"
},
{
"id": "CVE-2020-36310",
"summary": "An issue was discovered in the Linux kernel before 5.8. arch/x86/kvm/svm/svm.c allows a set_memory_region_test infinite loop for certain nested page faults, aka CID-e72436bc3a52.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36310",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc1"
},
{
"id": "CVE-2020-36311",
"summary": "An issue was discovered in the Linux kernel before 5.9. arch/x86/kvm/svm/sev.c allows attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions), aka CID-7be74942f184.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36311",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc5"
},
{
"id": "CVE-2020-36312",
"summary": "An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36312",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc5"
},
{
"id": "CVE-2020-36313",
"summary": "An issue was discovered in the Linux kernel before 5.7. The KVM subsystem allows out-of-range access to memslots after a deletion, aka CID-0774a964ef56. This affects arch/s390/kvm/kvm-s390.c, include/linux/kvm_host.h, and virt/kvm/kvm_main.c.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36313",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc1"
},
{
"id": "CVE-2020-36322",
"summary": "An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36322",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc1"
},
{
"id": "CVE-2020-36385",
"summary": "An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called, aka CID-f5449e74802c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36385",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc1"
},
{
"id": "CVE-2020-36386",
"summary": "An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf.",
"scorev2": "5.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36386",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc1"
},
{
"id": "CVE-2020-36387",
"summary": "An issue was discovered in the Linux kernel before 5.8.2. fs/io_uring.c has a use-after-free related to io_async_task_func and ctx reference holding, aka CID-6d816e088c35.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36387",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc1"
},
{
"id": "CVE-2020-36516",
"summary": "An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session or terminate that session.",
"scorev2": "4.9",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36516",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc2"
},
{
"id": "CVE-2020-36557",
"summary": "A race condition in the Linux kernel before 5.6.2 between the VT_DISALLOCATE ioctl and closing/opening of ttys could lead to a use-after-free.",
"scorev2": "0.0",
"scorev3": "5.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36557",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc1"
},
{
"id": "CVE-2020-36558",
"summary": "A race condition in the Linux kernel before 5.5.7 involving VT_RESIZEX could lead to a NULL pointer dereference and general protection fault.",
"scorev2": "0.0",
"scorev3": "5.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36558",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc3"
},
{
"id": "CVE-2020-36691",
"summary": "An issue was discovered in the Linux kernel before 5.8. lib/nlattr.c allows attackers to cause a denial of service (unbounded recursion) via a nested Netlink policy with a back reference.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36691",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc1"
},
{
"id": "CVE-2020-36694",
"summary": "An issue was discovered in netfilter in the Linux kernel before 5.10. There can be a use-after-free in the packet processing context, because the per-CPU sequence count is mishandled during concurrent iptables rules replacement. This could be exploited with the CAP_NET_ADMIN capability in an unprivileged namespace. NOTE: cc00bca was reverted in 5.12.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36694",
"detail": "fixed-version",
"description": "Fixed from version 5.10"
},
{
"id": "CVE-2020-36766",
"summary": "An issue was discovered in the Linux kernel before 5.8.6. drivers/media/cec/core/cec-api.c leaks one byte of kernel memory on specific hardware to unprivileged users, because of directly assigning log_addrs with a hole in the struct.",
"scorev2": "0.0",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36766",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc1"
},
{
"id": "CVE-2020-36775",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid potential deadlock\n\nUsing f2fs_trylock_op() in f2fs_write_compressed_pages() to avoid potential\ndeadlock like we did in f2fs_write_single_data_page().",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36775"
},
{
"id": "CVE-2020-36776",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/cpufreq_cooling: Fix slab OOB issue\n\nSlab OOB issue is scanned by KASAN in cpu_power_to_freq().\nIf power is limited below the power of OPP0 in EM table,\nit will cause slab out-of-bound issue with negative array\nindex.\n\nReturn the lowest frequency if limited power cannot found\na suitable OPP in EM table to fix this issue.\n\nBacktrace:\n[] die+0x104/0x5ac\n[] bug_handler+0x64/0xd0\n[] brk_handler+0x160/0x258\n[] do_debug_exception+0x248/0x3f0\n[] el1_dbg+0x14/0xbc\n[] __kasan_report+0x1dc/0x1e0\n[] kasan_report+0x10/0x20\n[] __asan_report_load8_noabort+0x18/0x28\n[] cpufreq_power2state+0x180/0x43c\n[] power_actor_set_power+0x114/0x1d4\n[] allocate_power+0xaec/0xde0\n[] power_allocator_throttle+0x3ec/0x5a4\n[] handle_thermal_trip+0x160/0x294\n[] thermal_zone_device_check+0xe4/0x154\n[] process_one_work+0x5e4/0xe28\n[] worker_thread+0xa4c/0xfac\n[] kthread+0x33c/0x358\n[] ret_from_fork+0xc/0x18",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36776"
},
{
"id": "CVE-2020-36777",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvbdev: Fix memory leak in dvb_media_device_free()\n\ndvb_media_device_free() is leaking memory. Free `dvbdev->adapter->conn`\nbefore setting it to NULL, as documented in include/media/media-device.h:\n\"The media_entity instance itself must be freed explicitly by the driver\nif required.\"",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36777"
},
{
"id": "CVE-2020-3702",
"summary": "u'Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8053, IPQ4019, IPQ8064, MSM8909W, MSM8996AU, QCA9531, QCN5502, QCS405, SDX20, SM6150, SM7150",
"scorev2": "3.3",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-3702",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2020-4788",
"summary": "IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296.",
"scorev2": "1.9",
"scorev3": "5.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-4788",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc5"
},
{
"id": "CVE-2020-7053",
"summary": "In the Linux kernel 4.14 longterm through 4.14.165 and 4.19 longterm through 4.19.96 (and 5.x before 5.2), there is a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c, aka CID-7dc40713618c. This is related to i915_gem_context_destroy_ioctl in drivers/gpu/drm/i915/i915_gem_context.c.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-7053",
"detail": "fixed-version",
"description": "Fixed from version 5.2rc1"
},
{
"id": "CVE-2020-8428",
"summary": "fs/namei.c in the Linux kernel before 5.5 has a may_create_in_sticky use-after-free, which allows local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9. One attack vector may be an open system call for a UNIX domain socket, if the socket is being moved to a new parent directory and its old parent directory is being removed.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8428",
"detail": "fixed-version",
"description": "Fixed from version 5.5"
},
{
"id": "CVE-2020-8647",
"summary": "There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c.",
"scorev2": "3.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8647",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc5"
},
{
"id": "CVE-2020-8648",
"summary": "There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common function in drivers/tty/n_tty.c.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8648",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc3"
},
{
"id": "CVE-2020-8649",
"summary": "There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c.",
"scorev2": "3.6",
"scorev3": "5.9",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8649",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc5"
},
{
"id": "CVE-2020-8694",
"summary": "Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8694",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc4"
},
{
"id": "CVE-2020-8834",
"summary": "KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability run code in kernel space of a guest VM can cause the host kernel to panic. There were two commits that, according to the reporter, introduced the vulnerability: f024ee098476 (\"KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures\") 87a11bb6a7f7 (\"KVM: PPC: Book3S HV: Work around XER[SO] bug in fake suspend mode\") The former landed in 4.8, the latter in 4.17. This was fixed without realizing the impact in 4.18 with the following three commits, though it's believed the first is the only strictly necessary commit: 6f597c6b63b6 (\"KVM: PPC: Book3S PR: Add guest MSR parameter for kvmppc_save_tm()/kvmppc_restore_tm()\") 7b0e827c6970 (\"KVM: PPC: Book3S HV: Factor fake-suspend handling out of kvmppc_save/restore_tm\") 009c872a8bc4 (\"KVM: PPC: Book3S PR: Move kvmppc_save_tm/kvmppc_restore_tm to separate file\")",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8834",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc1"
},
{
"id": "CVE-2020-8835",
"summary": "In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8835",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc1"
},
{
"id": "CVE-2020-8992",
"summary": "ext4_protect_reserved_inode in fs/ext4/block_validity.c in the Linux kernel through 5.5.3 allows attackers to cause a denial of service (soft lockup) via a crafted journal size.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8992",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc2"
},
{
"id": "CVE-2020-9383",
"summary": "An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-9383",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc4"
},
{
"id": "CVE-2020-9391",
"summary": "An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 on the AArch64 architecture. It ignores the top byte in the address passed to the brk system call, potentially moving the memory break downwards when the application expects it to move upwards, aka CID-dcde237319e6. This has been observed to cause heap corruption with the GNU C Library malloc implementation.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-9391",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc3"
},
{
"id": "CVE-2021-0129",
"summary": "Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-0129",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc1"
},
{
"id": "CVE-2021-0342",
"summary": "In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required. User interaction is not required for exploitation. Product: Android; Versions: Android kernel; Android ID: A-146554327.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-0342",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc1"
},
{
"id": "CVE-2021-0512",
"summary": "In __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-173843328References: Upstream kernel",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-0512",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2021-0605",
"summary": "In pfkey_dump of af_key.c, there is a possible out-of-bounds read due to a missing bounds check. This could lead to local information disclosure in the kernel with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-110373476",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-0605",
"detail": "fixed-version",
"description": "Fixed from version 5.8"
},
{
"id": "CVE-2021-0707",
"summary": "In dma_buf_release of dma-buf.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-155756045References: Upstream kernel",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-0707",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc3"
},
{
"id": "CVE-2021-0920",
"summary": "In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References: Upstream kernel",
"scorev2": "6.9",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-0920",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc4"
},
{
"id": "CVE-2021-0929",
"summary": "In ion_dma_buf_end_cpu_access and related functions of ion.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-187527909References: Upstream kernel",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-0929",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc1"
},
{
"id": "CVE-2021-0935",
"summary": "In ip6_xmit of ip6_output.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-168607263References: Upstream kernel",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-0935",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc7"
},
{
"id": "CVE-2021-0938",
"summary": "In memzero_explicit of compiler-clang.h, there is a possible bypass of defense in depth due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-171418586References: Upstream kernel",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-0938",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc4"
},
{
"id": "CVE-2021-0941",
"summary": "In bpf_skb_change_head of filter.c, there is a possible out of bounds read due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-154177719References: Upstream kernel",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-0941",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2021-1048",
"summary": "In ep_loop_check_proc of eventpoll.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-204573007References: Upstream kernel",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-1048",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc4"
},
{
"id": "CVE-2021-20177",
"summary": "A flaw was found in the Linux kernel's implementation of string matching within a packet. A privileged user (with root or CAP_NET_ADMIN) when inserting iptables rules could insert a rule which can panic the system. Kernel before kernel 5.5-rc1 is affected.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20177",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc1"
},
{
"id": "CVE-2021-20194",
"summary": "There is a vulnerability in the linux kernel versions higher than 5.2 (if kernel compiled with config params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y , CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y , CONFIG_HARDENED_USERCOPY not set, and BPF hook to getsockopt is registered). As result of BPF execution, the local user can trigger bug in __cgroup_bpf_run_filter_getsockopt() function that can lead to heap overflow (because of non-hardened usercopy). The impact of attack could be deny of service or possibly privileges escalation.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20194",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc1"
},
{
"id": "CVE-2021-20219",
"summary": "A denial of service vulnerability was found in n_tty_receive_char_special in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could delay the loop (due to a changing ldata->read_head, and a missing sanity check) and cause a threat to the system availability.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20219"
},
{
"id": "CVE-2021-20226",
"summary": "A use-after-free flaw was found in the io_uring in Linux kernel, where a local attacker with a user privilege could cause a denial of service problem on the system The issue results from the lack of validating the existence of an object prior to performing operations on the object by not incrementing the file reference counter while in use. The highest threat from this vulnerability is to data integrity, confidentiality and system availability.",
"scorev2": "6.1",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20226",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc1"
},
{
"id": "CVE-2021-20239",
"summary": "A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an attacker with a local account to leak information about kernel internal addresses. The highest threat from this vulnerability is to confidentiality.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20239",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc1"
},
{
"id": "CVE-2021-20261",
"summary": "A race condition was found in the Linux kernels implementation of the floppy disk drive controller driver software. The impact of this issue is lessened by the fact that the default permissions on the floppy device (/dev/fd0) are restricted to root. If the permissions on the device have changed the impact changes greatly. In the default configuration root (or equivalent) permissions are required to attack this flaw.",
"scorev2": "4.4",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20261",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc5"
},
{
"id": "CVE-2021-20265",
"summary": "A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This flaw allows an unprivileged local user to crash the system by exhausting available memory. The highest threat from this vulnerability is to system availability.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20265",
"detail": "fixed-version",
"description": "Fixed from version 4.5rc3"
},
{
"id": "CVE-2021-20268",
"summary": "An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier in the way a user running the eBPF script calls dev_map_init_map or sock_map_alloc. This flaw allows a local user to crash the system or possibly escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20268",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc5"
},
{
"id": "CVE-2021-20292",
"summary": "There is a flaw reported in the Linux kernel in versions before 5.9 in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker with a local account with a root privilege, can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20292",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc1"
},
{
"id": "CVE-2021-20317",
"summary": "A flaw was found in the Linux kernel. A corrupted timer tree caused the task wakeup to be missing in the timerqueue_add function in lib/timerqueue.c. This flaw allows a local attacker with special user privileges to cause a denial of service, slowing and eventually stopping the system while running OSP.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20317",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2021-20320",
"summary": "A flaw was found in s390 eBPF JIT in bpf_jit_insn in arch/s390/net/bpf_jit_comp.c in the Linux kernel. In this flaw, a local attacker with special user privilege can circumvent the verifier and may lead to a confidentiality problem.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20320",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc3"
},
{
"id": "CVE-2021-20321",
"summary": "A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20321",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc5"
},
{
"id": "CVE-2021-20322",
"summary": "A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel functionality was found to allow the ability to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypass the source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well.",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20322",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc1"
},
{
"id": "CVE-2021-21781",
"summary": "An information disclosure vulnerability exists in the ARM SIGPAGE functionality of Linux Kernel v5.4.66 and v5.4.54. The latest version (5.11-rc4) seems to still be vulnerable. A userland application can read the contents of the sigpage, which can leak kernel memory contents. An attacker can read a process\u2019s memory at a specific offset to trigger this vulnerability. This was fixed in kernel releases: 4.14.222 4.19.177 5.4.99 5.10.17 5.11",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-21781",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc7"
},
{
"id": "CVE-2021-22543",
"summary": "An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22543",
"detail": "fixed-version",
"description": "Fixed from version 5.13"
},
{
"id": "CVE-2021-22555",
"summary": "A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22555",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc8"
},
{
"id": "CVE-2021-22600",
"summary": "A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service. We recommend upgrading kernel past the effected versions or rebuilding past ec6af094ea28f0f2dda1a6a33b14cd57e36a9755",
"scorev2": "7.2",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22600",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc6"
},
{
"id": "CVE-2021-23133",
"summary": "A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23133",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc8"
},
{
"id": "CVE-2021-23134",
"summary": "Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23134",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc1"
},
{
"id": "CVE-2021-26401",
"summary": "LFENCE/JMP (mitigation V2-2) may not sufficiently mitigate CVE-2017-5715 on some AMD CPUs.",
"scorev2": "1.9",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-26401",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc8"
},
{
"id": "CVE-2021-26708",
"summary": "A local privilege escalation was discovered in the Linux kernel before 5.10.13. Multiple race conditions in the AF_VSOCK implementation are caused by wrong locking in net/vmw_vsock/af_vsock.c. The race conditions were implicitly introduced in the commits that added VSOCK multi-transport support.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-26708",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc7"
},
{
"id": "CVE-2021-26930",
"summary": "An issue was discovered in the Linux kernel 3.11 through 5.10.16, as used by Xen. To service requests to the PV backend, the driver maps grant references provided by the frontend. In this process, errors may be encountered. In one case, an error encountered earlier might be discarded by later processing, resulting in the caller assuming successful mapping, and hence subsequent operations trying to access space that wasn't mapped. In another case, internal state would be insufficiently updated, preventing safe recovery from the error. This affects drivers/block/xen-blkback/blkback.c.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-26930",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2021-26931",
"summary": "An issue was discovered in the Linux kernel 2.6.39 through 5.10.16, as used in Xen. Block, net, and SCSI backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially being at least under the influence of guests (such as out of memory conditions), it isn't correct to assume a plain bug. Memory allocations potentially causing such crashes occur only when Linux is running in PV mode, though. This affects drivers/block/xen-blkback/blkback.c and drivers/xen/xen-scsiback.c.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-26931",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2021-26932",
"summary": "An issue was discovered in the Linux kernel 3.2 through 5.10.16, as used by Xen. Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one is reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation. Unfortunately, when running in PV mode, the Linux backend drivers mishandle this: Some errors are ignored, effectively implying their success from the success of related batch elements. In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones to not be possible to properly unmap upon error recovery. Only systems with Linux backends running in PV mode are vulnerable. Linux backends run in HVM / PVH modes are not vulnerable. This affects arch/*/xen/p2m.c and drivers/xen/gntdev.c.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-26932",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2021-26934",
"summary": "An issue was discovered in the Linux kernel 4.18 through 5.10.16, as used by Xen. The backend allocation (aka be-alloc) mode of the drm_xen_front drivers was not meant to be a supported configuration, but this wasn't stated accordingly in its support status entry.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-26934"
},
{
"id": "CVE-2021-27363",
"summary": "An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables.",
"scorev2": "3.6",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27363",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc2"
},
{
"id": "CVE-2021-27364",
"summary": "An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27364",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc2"
},
{
"id": "CVE-2021-27365",
"summary": "An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27365",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc2"
},
{
"id": "CVE-2021-28038",
"summary": "An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28038",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc2"
},
{
"id": "CVE-2021-28039",
"summary": "An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as used with Xen. In some less-common configurations, an x86 PV guest OS user can crash a Dom0 or driver domain via a large amount of I/O activity. The issue relates to misuse of guest physical addresses when a configuration has CONFIG_XEN_UNPOPULATED_ALLOC but not CONFIG_XEN_BALLOON_MEMORY_HOTPLUG.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28039",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc2"
},
{
"id": "CVE-2021-28375",
"summary": "An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka CID-20c40794eb85. This is a related issue to CVE-2019-2308.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28375",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc3"
},
{
"id": "CVE-2021-28660",
"summary": "rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6 allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases, CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may have situations in which a drivers/staging issue is relevant to their own customer base.",
"scorev2": "8.3",
"scorev3": "8.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28660",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc3"
},
{
"id": "CVE-2021-28688",
"summary": "The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable. XSA-365 was classified to affect versions back to at least 3.11.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28688",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc6"
},
{
"id": "CVE-2021-28691",
"summary": "Guest triggered use-after-free in Linux xen-netback A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such kernel thread termination will lead to a use-after-free in Linux netback when the backend is destroyed, as the kernel thread associated with queue 0 will have already exited and thus the call to kthread_stop will be performed against a stale pointer.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28691",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc6"
},
{
"id": "CVE-2021-28711",
"summary": "Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as \"driver domains\". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28711",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc7"
},
{
"id": "CVE-2021-28712",
"summary": "Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as \"driver domains\". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28712",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc7"
},
{
"id": "CVE-2021-28713",
"summary": "Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as \"driver domains\". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28713",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc7"
},
{
"id": "CVE-2021-28714",
"summary": "Guest can force Linux netback driver to hog large amounts of kernel memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. (CVE-2021-28714)",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28714",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc7"
},
{
"id": "CVE-2021-28715",
"summary": "Guest can force Linux netback driver to hog large amounts of kernel memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. (CVE-2021-28714)",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28715",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc7"
},
{
"id": "CVE-2021-28950",
"summary": "An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A \"stall on CPU\" can occur because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28950",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc4"
},
{
"id": "CVE-2021-28951",
"summary": "An issue was discovered in fs/io_uring.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (deadlock) because exit may be waiting to park a SQPOLL thread, but concurrently that SQPOLL thread is waiting for a signal to start, aka CID-3ebba796fa25.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28951",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc2"
},
{
"id": "CVE-2021-28952",
"summary": "An issue was discovered in the Linux kernel through 5.11.8. The sound/soc/qcom/sdm845.c soundwire device driver has a buffer overflow when an unexpected port ID number is encountered, aka CID-1c668e1c0a0f. (This has been fixed in 5.12-rc4.)",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28952",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc4"
},
{
"id": "CVE-2021-28964",
"summary": "A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28964",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc4"
},
{
"id": "CVE-2021-28971",
"summary": "In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28971",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc4"
},
{
"id": "CVE-2021-28972",
"summary": "In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\\0' termination, aka CID-cc7a0bb058b8.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28972",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc4"
},
{
"id": "CVE-2021-29154",
"summary": "BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29154",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc7"
},
{
"id": "CVE-2021-29155",
"summary": "An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29155",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc8"
},
{
"id": "CVE-2021-29264",
"summary": "An issue was discovered in the Linux kernel through 5.11.10. drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled, aka CID-d8861bab48b6.",
"scorev2": "4.7",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29264",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc3"
},
{
"id": "CVE-2021-29265",
"summary": "An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29265",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc3"
},
{
"id": "CVE-2021-29266",
"summary": "An issue was discovered in the Linux kernel before 5.11.9. drivers/vhost/vdpa.c has a use-after-free because v->config_ctx has an invalid value upon re-opening a character device, aka CID-f6bbf0010ba0.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29266",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc4"
},
{
"id": "CVE-2021-29646",
"summary": "An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_retrieve_key in net/tipc/node.c does not properly validate certain data sizes, aka CID-0217ed2848e8.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29646",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc5"
},
{
"id": "CVE-2021-29647",
"summary": "An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvmsg in net/qrtr/qrtr.c allows attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure, aka CID-50535249f624.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29647",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc5"
},
{
"id": "CVE-2021-29648",
"summary": "An issue was discovered in the Linux kernel before 5.11.11. The BPF subsystem does not properly consider that resolved_ids and resolved_sizes are intentionally uninitialized in the vmlinux BPF Type Format (BTF), which can cause a system crash upon an unexpected access attempt (in map_create in kernel/bpf/syscall.c or check_btf_info in kernel/bpf/verifier.c), aka CID-350a5c4dd245.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29648",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc5"
},
{
"id": "CVE-2021-29649",
"summary": "An issue was discovered in the Linux kernel before 5.11.11. The user mode driver (UMD) has a copy_process() memory leak, related to a lack of cleanup steps in kernel/usermode_driver.c and kernel/bpf/preload/bpf_preload_kern.c, aka CID-f60a85cad677.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29649",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc5"
},
{
"id": "CVE-2021-29650",
"summary": "An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29650",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc5"
},
{
"id": "CVE-2021-29657",
"summary": "arch/x86/kvm/svm/nested.c in the Linux kernel before 5.11.12 has a use-after-free in which an AMD KVM guest can bypass access control on host OS MSRs when there are nested guests, aka CID-a58d9166a756. This occurs because of a TOCTOU race condition associated with a VMCB12 double fetch in nested_svm_vmrun.",
"scorev2": "6.9",
"scorev3": "7.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29657",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc6"
},
{
"id": "CVE-2021-30002",
"summary": "An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.",
"scorev2": "2.1",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-30002",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2021-30178",
"summary": "An issue was discovered in the Linux kernel through 5.11.11. synic_get in arch/x86/kvm/hyperv.c has a NULL pointer dereference for certain accesses to the SynIC Hyper-V context, aka CID-919f4ebc5987.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-30178",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc2"
},
{
"id": "CVE-2021-31440",
"summary": "This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-13661.",
"scorev2": "6.9",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-31440",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc1"
},
{
"id": "CVE-2021-3178",
"summary": "fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior",
"scorev2": "5.5",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3178",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc5"
},
{
"id": "CVE-2021-31829",
"summary": "kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-31829",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc1"
},
{
"id": "CVE-2021-31916",
"summary": "An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.",
"scorev2": "6.1",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-31916",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc5"
},
{
"id": "CVE-2021-32078",
"summary": "An Out-of-Bounds Read was discovered in arch/arm/mach-footbridge/personal-pci.c in the Linux kernel through 5.12.11 because of the lack of a check for a value that shouldn't be negative, e.g., access to element -2 of an array, aka CID-298a58e165e4.",
"scorev2": "6.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-32078",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc1"
},
{
"id": "CVE-2021-32399",
"summary": "net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-32399",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc1"
},
{
"id": "CVE-2021-32606",
"summary": "In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-32606",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc4"
},
{
"id": "CVE-2021-33033",
"summary": "The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33033",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc3"
},
{
"id": "CVE-2021-33034",
"summary": "In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33034",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc1"
},
{
"id": "CVE-2021-33061",
"summary": "Insufficient control flow management for the Intel(R) 82599 Ethernet Controllers and Adapters may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33061",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2021-33098",
"summary": "Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33098",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc4"
},
{
"id": "CVE-2021-33135",
"summary": "Uncontrolled resource consumption in the Linux kernel drivers for Intel(R) SGX may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33135",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc8"
},
{
"id": "CVE-2021-33200",
"summary": "kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33200",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc4"
},
{
"id": "CVE-2021-3347",
"summary": "An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3347",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc6"
},
{
"id": "CVE-2021-3348",
"summary": "nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3348",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc6"
},
{
"id": "CVE-2021-33624",
"summary": "In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33624",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc7"
},
{
"id": "CVE-2021-33630",
"summary": "NULL Pointer Dereference vulnerability in openEuler kernel on Linux (network modules) allows Pointer Manipulation. This vulnerability is associated with program files net/sched/sch_cbs.C.\n\nThis issue affects openEuler kernel: from 4.19.90 before 4.19.90-2401.3.\n\n",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33630",
"detail": "fixed-version",
"description": "Fixed from version 5.4rc1"
},
{
"id": "CVE-2021-33631",
"summary": "Integer Overflow or Wraparound vulnerability in openEuler kernel on Linux (filesystem modules) allows Forced Integer Overflow.This issue affects openEuler kernel: from 4.19.90 before 4.19.90-2401.3, from 5.10.0-60.18.0 before 5.10.0-183.0.0.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33631",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2021-33655",
"summary": "When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33655",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc6"
},
{
"id": "CVE-2021-33656",
"summary": "When setting font with malicous data by ioctl cmd PIO_FONT,kernel will write memory out of bounds.",
"scorev2": "0.0",
"scorev3": "6.8",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33656",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2021-33909",
"summary": "fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33909",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc3"
},
{
"id": "CVE-2021-3411",
"summary": "A flaw was found in the Linux kernel in versions prior to 5.10. A violation of memory access was found while detecting a padding of int3 in the linking state. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3411",
"detail": "fixed-version",
"description": "Fixed from version 5.10"
},
{
"id": "CVE-2021-3428",
"summary": "A flaw was found in the Linux kernel. A denial of service problem is identified if an extent tree is corrupted in a crafted ext4 filesystem in fs/ext4/extents.c in ext4_es_cache_extent. Fabricating an integer overflow, A local attacker with a special user privilege may cause a system crash problem which can lead to an availability threat.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3428",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc2"
},
{
"id": "CVE-2021-3444",
"summary": "The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in the upstream kernel in commit 9b00f1b78809 (\"bpf: Fix truncation handling for mod32 dst reg wrt zero\") and in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3444",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2021-34556",
"summary": "In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-34556",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc4"
},
{
"id": "CVE-2021-34693",
"summary": "net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-34693",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc7"
},
{
"id": "CVE-2021-3483",
"summary": "A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions before kernel 5.12-rc6 are affected",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3483",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc6"
},
{
"id": "CVE-2021-34866",
"summary": "This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.14-rc3. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs, which can result in a type confusion condition. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-14689.",
"scorev2": "7.2",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-34866",
"detail": "fixed-version",
"description": "Fixed from version 5.14"
},
{
"id": "CVE-2021-3489",
"summary": "The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (\"bpf, ringbuf: Deny reserve of buffers larger than ringbuf\") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (\"bpf: Implement BPF ring buffer and verifier support for it\") (v5.8-rc1).",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3489",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc4"
},
{
"id": "CVE-2021-3490",
"summary": "The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e (\"bpf: Fix alu32 const subreg bound tracking on bitwise operations\") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 (\"bpf:Fix a verifier failure with xor\") ( 5.10-rc1).",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3490",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc4"
},
{
"id": "CVE-2021-3491",
"summary": "The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (\"io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\") (v5.7-rc1).",
"scorev2": "7.2",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3491",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc1"
},
{
"id": "CVE-2021-3493",
"summary": "The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3493",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc1"
},
{
"id": "CVE-2021-34981",
"summary": "Linux Kernel Bluetooth CMTP Module Double Free Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the CMTP module. The issue results from the lack of validating the existence of an object prior to performing further free operations on the object. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the kernel. Was ZDI-CAN-11977.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-34981",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc1"
},
{
"id": "CVE-2021-3501",
"summary": "A flaw was found in the Linux kernel in versions before 5.12. The value of internal.ndata, in the KVM API, is mapped to an array index, which can be updated by a user process at anytime which could lead to an out-of-bounds write. The highest threat from this vulnerability is to data integrity and system availability.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3501",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc8"
},
{
"id": "CVE-2021-35039",
"summary": "kernel/module.c in the Linux kernel before 5.12.14 mishandles Signature Verification, aka CID-0c18f29aae7c. Without CONFIG_MODULE_SIG, verification that a kernel module is signed, for loading via init_module, does not occur for a module.sig_enforce=1 command-line argument.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-35039",
"detail": "fixed-version",
"description": "Fixed from version 5.13"
},
{
"id": "CVE-2021-3506",
"summary": "An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.",
"scorev2": "5.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3506",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc1"
},
{
"id": "CVE-2021-3543",
"summary": "A flaw null pointer dereference in the Nitro Enclaves kernel driver was found in the way that Enclaves VMs forces closures on the enclave file descriptor. A local user of a host machine could use this flaw to crash the system or escalate their privileges on the system.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3543",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc1"
},
{
"id": "CVE-2021-35477",
"summary": "In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation does not necessarily occur before a store operation that has an attacker-controlled value.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-35477",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc4"
},
{
"id": "CVE-2021-3564",
"summary": "A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. This flaw affects all the Linux kernel versions starting from 3.13.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3564",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc5"
},
{
"id": "CVE-2021-3573",
"summary": "A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev() together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(), hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5.",
"scorev2": "6.9",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3573",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc5"
},
{
"id": "CVE-2021-3600",
"summary": "It was discovered that the eBPF implementation in the Linux kernel did not properly track bounds information for 32 bit registers when performing div and mod operations. A local attacker could use this to possibly execute arbitrary code.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3600",
"detail": "fixed-version",
"description": "Fixed from version 5.11"
},
{
"id": "CVE-2021-3609",
"summary": ".A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. This race condition in net/can/bcm.c in the Linux kernel allows for local privilege escalation to root.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3609",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc1"
},
{
"id": "CVE-2021-3612",
"summary": "An out-of-bounds memory write flaw was found in the Linux kernel's joystick devices subsystem in versions before 5.9-rc1, in the way the user calls ioctl JSIOCSBTNMAP. This flaw allows a local user to crash the system or possibly escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3612",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2021-3635",
"summary": "A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. A user with root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3635",
"detail": "fixed-version",
"description": "Fixed from version 5.5rc7"
},
{
"id": "CVE-2021-3640",
"summary": "A flaw use-after-free in function sco_sock_sendmsg() of the Linux kernel HCI subsystem was found in the way user calls ioct UFFDIO_REGISTER or other way triggers race condition of the call sco_conn_del() together with the call sco_sock_sendmsg() with the expected controllable faulting memory page. A privileged local user could use this flaw to crash the system or escalate their privileges on the system.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3640",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc1"
},
{
"id": "CVE-2021-3653",
"summary": "A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the \"int_ctl\" field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7.",
"scorev2": "6.1",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3653",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc7"
},
{
"id": "CVE-2021-3655",
"summary": "A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3655",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc1"
},
{
"id": "CVE-2021-3656",
"summary": "A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the \"virt_ext\" field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape.",
"scorev2": "7.2",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3656",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc7"
},
{
"id": "CVE-2021-3659",
"summary": "A NULL pointer dereference flaw was found in the Linux kernel\u2019s IEEE 802.15.4 wireless networking subsystem in the way the user closes the LR-WPAN connection. This flaw allows a local user to crash the system. The highest threat from this vulnerability is to system availability.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3659",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc7"
},
{
"id": "CVE-2021-3669",
"summary": "A flaw was found in the Linux kernel. Measuring usage of the shared memory does not scale with large shared memory segment counts which could lead to resource exhaustion and DoS.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3669",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc1"
},
{
"id": "CVE-2021-3679",
"summary": "A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3679",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc3"
},
{
"id": "CVE-2021-3714",
"summary": "A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3714"
},
{
"id": "CVE-2021-3715",
"summary": "A flaw was found in the \"Routing decision\" classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition. This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3715",
"detail": "fixed-version",
"description": "Fixed from version 5.6"
},
{
"id": "CVE-2021-37159",
"summary": "hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.",
"scorev2": "4.4",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37159",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc3"
},
{
"id": "CVE-2021-3732",
"summary": "A flaw was found in the Linux kernel's OverlayFS subsystem in the way the user mounts the TmpFS filesystem with OverlayFS. This flaw allows a local user to gain access to hidden files that should not be accessible.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3732",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc6"
},
{
"id": "CVE-2021-3736",
"summary": "A flaw was found in the Linux kernel. A memory leak problem was found in mbochs_ioctl in samples/vfio-mdev/mbochs.c in Virtual Function I/O (VFIO) Mediated devices. This flaw could allow a local attacker to leak internal kernel information.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3736",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc1"
},
{
"id": "CVE-2021-3739",
"summary": "A NULL pointer dereference flaw was found in the btrfs_rm_device function in fs/btrfs/volumes.c in the Linux Kernel, where triggering the bug requires \u2018CAP_SYS_ADMIN\u2019. This flaw allows a local attacker to crash the system or leak kernel internal information. The highest threat from this vulnerability is to system availability.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3739",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc1"
},
{
"id": "CVE-2021-3743",
"summary": "An out-of-bounds (OOB) memory read flaw was found in the Qualcomm IPC router protocol in the Linux kernel. A missing sanity check allows a local attacker to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3743",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc7"
},
{
"id": "CVE-2021-3744",
"summary": "A memory leak flaw was found in the Linux kernel in the ccp_run_aes_gcm_cmd() function in drivers/crypto/ccp/ccp-ops.c, which allows attackers to cause a denial of service (memory consumption). This vulnerability is similar with the older CVE-2019-18808.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3744",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc4"
},
{
"id": "CVE-2021-3752",
"summary": "A use-after-free flaw was found in the Linux kernel\u2019s Bluetooth subsystem in the way user calls connect to the socket and disconnect simultaneously due to a race condition. This flaw allows a user to crash the system or escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "7.9",
"scorev3": "7.1",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3752",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc1"
},
{
"id": "CVE-2021-3753",
"summary": "A race problem was seen in the vt_k_ioctl in drivers/tty/vt/vt_ioctl.c in the Linux kernel, which may cause an out of bounds read in vt as the write access to vc_mode is not protected by lock-in vt_ioctl (KDSETMDE). The highest threat from this vulnerability is to data confidentiality.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3753",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc1"
},
{
"id": "CVE-2021-37576",
"summary": "arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37576",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc3"
},
{
"id": "CVE-2021-3759",
"summary": "A memory overflow vulnerability was found in the Linux kernel\u2019s ipc functionality of the memcg subsystem, in the way a user calls the semget function multiple times, creating semaphores. This flaw allows a local user to starve the resources, causing a denial of service. The highest threat from this vulnerability is to system availability.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3759",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc1"
},
{
"id": "CVE-2021-3760",
"summary": "A flaw was found in the Linux kernel. A use-after-free vulnerability in the NFC stack can lead to a threat to confidentiality, integrity, and system availability.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3760",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc6"
},
{
"id": "CVE-2021-3764",
"summary": "A memory leak flaw was found in the Linux kernel's ccp_run_aes_gcm_cmd() function that allows an attacker to cause a denial of service. The vulnerability is similar to the older CVE-2019-18808. The highest threat from this vulnerability is to system availability.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3764",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc4"
},
{
"id": "CVE-2021-3772",
"summary": "A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses.",
"scorev2": "5.8",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3772",
"detail": "fixed-version",
"description": "Fixed from version 5.15"
},
{
"id": "CVE-2021-3773",
"summary": "A flaw in netfilter could allow a network-connected attacker to infer openvpn connection endpoint information for further use in traditional network attacks.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3773"
},
{
"id": "CVE-2021-38160",
"summary": "In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE: the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38160",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc1"
},
{
"id": "CVE-2021-38166",
"summary": "In kernel/bpf/hashtab.c in the Linux kernel through 5.13.8, there is an integer overflow and out-of-bounds write when many elements are placed in a single bucket. NOTE: exploitation might be impractical without the CAP_SYS_ADMIN capability.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38166",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc6"
},
{
"id": "CVE-2021-38198",
"summary": "arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38198",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc6"
},
{
"id": "CVE-2021-38199",
"summary": "fs/nfs/nfs4client.c in the Linux kernel before 5.13.4 has incorrect connection-setup ordering, which allows operators of remote NFSv4 servers to cause a denial of service (hanging of mounts) by arranging for those servers to be unreachable during trunking detection.",
"scorev2": "3.3",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38199",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc1"
},
{
"id": "CVE-2021-38200",
"summary": "arch/powerpc/perf/core-book3s.c in the Linux kernel before 5.12.13, on systems with perf_event_paranoid=-1 and no specific PMU driver support registered, allows local users to cause a denial of service (perf_instruction_pointer NULL pointer dereference and OOPS) via a \"perf record\" command.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38200",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc7"
},
{
"id": "CVE-2021-38201",
"summary": "net/sunrpc/xdr.c in the Linux kernel before 5.13.4 allows remote attackers to cause a denial of service (xdr_set_page_base slab-out-of-bounds access) by performing many NFS 4.2 READ_PLUS operations.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38201",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc1"
},
{
"id": "CVE-2021-38202",
"summary": "fs/nfsd/trace.h in the Linux kernel before 5.13.4 might allow remote attackers to cause a denial of service (out-of-bounds read in strlen) by sending NFS traffic when the trace event framework is being used for nfsd.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38202",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc1"
},
{
"id": "CVE-2021-38203",
"summary": "btrfs in the Linux kernel before 5.13.4 allows attackers to cause a denial of service (deadlock) via processes that trigger allocation of new system chunks during times when there is a shortage of free space in the system space_info.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38203",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc2"
},
{
"id": "CVE-2021-38204",
"summary": "drivers/usb/host/max3421-hcd.c in the Linux kernel before 5.13.6 allows physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations.",
"scorev2": "4.6",
"scorev3": "6.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38204",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc3"
},
{
"id": "CVE-2021-38205",
"summary": "drivers/net/ethernet/xilinx/xilinx_emaclite.c in the Linux kernel before 5.13.3 makes it easier for attackers to defeat an ASLR protection mechanism because it prints a kernel pointer (i.e., the real IOMEM pointer).",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38205",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc1"
},
{
"id": "CVE-2021-38206",
"summary": "The mac80211 subsystem in the Linux kernel before 5.12.13, when a device supporting only 5 GHz is used, allows attackers to cause a denial of service (NULL pointer dereference in the radiotap parser) by injecting a frame with 802.11a rates.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38206",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc7"
},
{
"id": "CVE-2021-38207",
"summary": "drivers/net/ethernet/xilinx/ll_temac_main.c in the Linux kernel before 5.12.13 allows remote attackers to cause a denial of service (buffer overflow and lockup) by sending heavy network traffic for about ten minutes.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38207",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc7"
},
{
"id": "CVE-2021-38208",
"summary": "net/nfc/llcp_sock.c in the Linux kernel before 5.12.10 allows local unprivileged users to cause a denial of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure of a bind call.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38208",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc5"
},
{
"id": "CVE-2021-38209",
"summary": "net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in any net namespace because these changes are leaked into all other net namespaces. This is related to the NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38209",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc1"
},
{
"id": "CVE-2021-38300",
"summary": "arch/mips/net/bpf_jit.c in the Linux kernel before 5.4.10 can generate undesirable machine code when transforming unprivileged cBPF programs, allowing execution of arbitrary code within the kernel context. This occurs because conditional branches can exceed the 128 KB limit of the MIPS architecture.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38300",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc4"
},
{
"id": "CVE-2021-3847",
"summary": "An unauthorized access to the execution of the setuid file with capabilities flaw in the Linux kernel OverlayFS subsystem was found in the way user copying a capable file from a nosuid mount into another mount. A local user could use this flaw to escalate their privileges on the system.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3847"
},
{
"id": "CVE-2021-3864",
"summary": "A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3864"
},
{
"id": "CVE-2021-3923",
"summary": "A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms.",
"scorev2": "0.0",
"scorev3": "2.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3923",
"detail": "fixed-version",
"description": "Fixed from version 5.16"
},
{
"id": "CVE-2021-39633",
"summary": "In gre_handle_offloads of ip_gre.c, there is a possible page fault due to an invalid memory access. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-150694665References: Upstream kernel",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-39633",
"detail": "fixed-version",
"description": "Fixed from version 5.14"
},
{
"id": "CVE-2021-39634",
"summary": "In fs/eventpoll.c, there is a possible use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-204450605References: Upstream kernel",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-39634",
"detail": "fixed-version",
"description": "Fixed from version 5.9rc8"
},
{
"id": "CVE-2021-39636",
"summary": "In do_ipt_get_ctl and do_ipt_set_ctl of ip_tables.c, there is a possible way to leak kernel information due to uninitialized data. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-120612905References: Upstream kernel",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-39636",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc1"
},
{
"id": "CVE-2021-39648",
"summary": "In gadget_dev_desc_UDC_show of configfs.c, there is a possible disclosure of kernel heap memory due to a race condition. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-160822094References: Upstream kernel",
"scorev2": "1.9",
"scorev3": "4.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-39648",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc3"
},
{
"id": "CVE-2021-39656",
"summary": "In __configfs_open_file of file.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-174049066References: Upstream kernel",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-39656",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc3"
},
{
"id": "CVE-2021-39657",
"summary": "In ufshcd_eh_device_reset_handler of ufshcd.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-194696049References: Upstream kernel",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-39657",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc4"
},
{
"id": "CVE-2021-39685",
"summary": "In various setup methods of the USB gadget subsystem, there is a possible out of bounds write due to an incorrect flag check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-210292376References: Upstream kernel",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-39685",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc5"
},
{
"id": "CVE-2021-39686",
"summary": "In several functions of binder.c, there is a possible way to represent the wrong domain to SELinux due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-200688826References: Upstream kernel",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-39686",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc1"
},
{
"id": "CVE-2021-39698",
"summary": "In aio_poll_complete_work of aio.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-185125206References: Upstream kernel",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-39698",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc5"
},
{
"id": "CVE-2021-39711",
"summary": "In bpf_prog_test_run_skb of test_run.c, there is a possible out of bounds read due to Incorrect Size Value. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-154175781References: Upstream kernel",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-39711",
"detail": "fixed-version",
"description": "Fixed from version 4.18rc6"
},
{
"id": "CVE-2021-39713",
"summary": "Product: AndroidVersions: Android kernelAndroid ID: A-173788806References: Upstream kernel",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-39713",
"detail": "fixed-version",
"description": "Fixed from version 4.20rc1"
},
{
"id": "CVE-2021-39714",
"summary": "In ion_buffer_kmap_get of ion.c, there is a possible use-after-free due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-205573273References: Upstream kernel",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-39714",
"detail": "fixed-version",
"description": "Fixed from version 4.12rc1"
},
{
"id": "CVE-2021-4001",
"summary": "A race condition was found in the Linux kernel's ebpf verifier between bpf_map_update_elem and bpf_map_freeze due to a missing lock in kernel/bpf/syscall.c. In this flaw, a local user with a special privilege (cap_sys_admin or cap_bpf) can modify the frozen mapped address space. This flaw affects kernel versions prior to 5.16 rc2.",
"scorev2": "4.7",
"scorev3": "4.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:C/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4001",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc2"
},
{
"id": "CVE-2021-4002",
"summary": "A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data.",
"scorev2": "3.6",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4002",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc3"
},
{
"id": "CVE-2021-4023",
"summary": "A flaw was found in the io-workqueue implementation in the Linux kernel versions prior to 5.15-rc1. The kernel can panic when an improper cancellation operation triggers the submission of new io-uring operations during a shortage of free space. This flaw allows a local user with permissions to execute io-uring requests to possibly crash the system.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4023",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc1"
},
{
"id": "CVE-2021-4028",
"summary": "A flaw in the Linux kernel's implementation of RDMA communications manager listener code allowed an attacker with local access to setup a socket to listen on a high port allowing for a list element to be used after free. Given the ability to execute code, a local attacker could leverage this use-after-free to crash the system or possibly escalate privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4028",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc4"
},
{
"id": "CVE-2021-4032",
"summary": "A vulnerability was found in the Linux kernel's KVM subsystem in arch/x86/kvm/lapic.c kvm_free_lapic when a failure allocation was detected. In this flaw the KVM subsystem may crash the kernel due to mishandling of memory errors that happens during VCPU construction, which allows an attacker with special user privilege to cause a denial of service. This flaw affects kernel versions prior to 5.15 rc7.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4032",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc7"
},
{
"id": "CVE-2021-4037",
"summary": "A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that allows local users to create files for the XFS file-system with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions granted in case when they should not. This vulnerability is similar to the previous CVE-2018-13405 and adds the missed fix for the XFS.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4037",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2021-40490",
"summary": "A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through 5.13.13.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-40490",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc1"
},
{
"id": "CVE-2021-4083",
"summary": "A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system. This flaw affects Linux kernel versions prior to 5.16-rc4.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4083",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc4"
},
{
"id": "CVE-2021-4090",
"summary": "An out-of-bounds (OOB) memory write flaw was found in the NFSD in the Linux kernel. Missing sanity may lead to a write beyond bmval[bmlen-1] in nfsd4_decode_bitmap4 in fs/nfsd/nfs4xdr.c. In this flaw, a local attacker with user privilege may gain access to out-of-bounds memory, leading to a system integrity and confidentiality threat.",
"scorev2": "6.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4090",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc2"
},
{
"id": "CVE-2021-4093",
"summary": "A flaw was found in the KVM's AMD code for supporting the Secure Encrypted Virtualization-Encrypted State (SEV-ES). A KVM guest using SEV-ES can trigger out-of-bounds reads and writes in the host kernel via a malicious VMGEXIT for a string I/O instruction (for example, outs or ins) using the exit reason SVM_EXIT_IOIO. This issue results in a crash of the entire system or a potential guest-to-host escape scenario.",
"scorev2": "7.2",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4093",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc7"
},
{
"id": "CVE-2021-4095",
"summary": "A NULL pointer dereference was found in the Linux kernel's KVM when dirty ring logging is enabled without an active vCPU context. An unprivileged local attacker on the host may use this flaw to cause a kernel oops condition and thus a denial of service by issuing a KVM_XEN_HVM_SET_ATTR ioctl. This flaw affects Linux kernel versions prior to 5.17-rc1.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4095",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2021-41073",
"summary": "loop_rw_iter in fs/io_uring.c in the Linux kernel 5.10 through 5.14.6 allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer, as demonstrated by using /proc//maps for exploitation.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41073",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc2"
},
{
"id": "CVE-2021-4135",
"summary": "A memory leak vulnerability was found in the Linux kernel's eBPF for the Simulated networking device driver in the way user uses BPF for the device such that function nsim_map_alloc_elem being called. A local user could use this flaw to get unauthorized access to some data.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4135",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc6"
},
{
"id": "CVE-2021-4148",
"summary": "A vulnerability was found in the Linux kernel's block_invalidatepage in fs/buffer.c in the filesystem. A missing sanity check may allow a local attacker with user privilege to cause a denial of service (DOS) problem.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4148",
"detail": "fixed-version",
"description": "Fixed from version 5.15"
},
{
"id": "CVE-2021-4149",
"summary": "A vulnerability was found in btrfs_alloc_tree_b in fs/btrfs/extent-tree.c in the Linux kernel due to an improper lock operation in btrfs. In this flaw, a user with a local privilege may cause a denial of service (DOS) due to a deadlock problem.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4149",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc6"
},
{
"id": "CVE-2021-4150",
"summary": "A use-after-free flaw was found in the add_partition in block/partitions/core.c in the Linux kernel. A local attacker with user privileges could cause a denial of service on the system. The issue results from the lack of code cleanup when device_add call fails when adding a partition to the disk.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4150",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc7"
},
{
"id": "CVE-2021-4154",
"summary": "A use-after-free flaw was found in cgroup1_parse_param in kernel/cgroup/cgroup-v1.c in the Linux kernel's cgroup v1 parser. A local attacker with a user privilege could cause a privilege escalation by exploiting the fsconfig syscall parameter leading to a container breakout and a denial of service on the system.",
"scorev2": "7.2",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4154",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc2"
},
{
"id": "CVE-2021-4155",
"summary": "A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4155",
"detail": "fixed-version",
"description": "Fixed from version 5.16"
},
{
"id": "CVE-2021-4157",
"summary": "An out of memory bounds write flaw (1 or 2 bytes of memory) in the Linux kernel NFS subsystem was found in the way users use mirroring (replication of files with NFS). A user, having access to the NFS mount, could potentially use this flaw to crash the system or escalate privileges on the system.",
"scorev2": "7.4",
"scorev3": "8.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4157",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc1"
},
{
"id": "CVE-2021-4159",
"summary": "A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures. Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4159",
"detail": "fixed-version",
"description": "Fixed from version 5.7rc1"
},
{
"id": "CVE-2021-41864",
"summary": "prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel before 5.14.12 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41864",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc5"
},
{
"id": "CVE-2021-4197",
"summary": "An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces subsystem was found in the way users have access to some less privileged process that are controlled by cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of control groups. A local user could use this flaw to crash the system or escalate their privileges on the system.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4197",
"detail": "fixed-version",
"description": "Fixed from version 5.16"
},
{
"id": "CVE-2021-42008",
"summary": "The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42008",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc7"
},
{
"id": "CVE-2021-4202",
"summary": "A use-after-free flaw was found in nci_request in net/nfc/nci/core.c in NFC Controller Interface (NCI) in the Linux kernel. This flaw could allow a local attacker with user privileges to cause a data race problem while the device is getting removed, leading to a privilege escalation problem.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4202",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc2"
},
{
"id": "CVE-2021-4203",
"summary": "A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a user privileges may crash the system or leak internal kernel information.",
"scorev2": "4.9",
"scorev3": "6.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4203",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc4"
},
{
"id": "CVE-2021-4204",
"summary": "An out-of-bounds (OOB) memory access flaw was found in the Linux kernel's eBPF due to an Improper Input Validation. This flaw allows a local attacker with a special privilege to crash the system or leak internal information.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4204",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2021-4218",
"summary": "A flaw was found in the Linux kernel\u2019s implementation of reading the SVC RDMA counters. Reading the counter sysctl panics the system. This flaw allows a local attacker with local access to cause a denial of service while the system reboots. The issue is specific to CentOS/RHEL.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4218",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc1"
},
{
"id": "CVE-2021-42252",
"summary": "An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42252",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc1"
},
{
"id": "CVE-2021-42327",
"summary": "dp_link_settings_write in drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c in the Linux kernel through 5.14.14 allows a heap-based buffer overflow by an attacker who can write a string to the AMD GPU display drivers debug filesystem. There are no checks on size within parse_write_buffer_into_params when it uses the size of copy_from_user to copy a userspace buffer into a 40-byte heap buffer.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42327",
"detail": "fixed-version",
"description": "Fixed from version 5.15"
},
{
"id": "CVE-2021-42739",
"summary": "The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandles bounds checking.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42739",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc1"
},
{
"id": "CVE-2021-43056",
"summary": "An issue was discovered in the Linux kernel for powerpc before 5.14.15. It allows a malicious KVM guest to crash the host, when the host is running on Power8, due to an arch/powerpc/kvm/book3s_hv_rmhandlers.S implementation bug in the handling of the SRR1 register values.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43056",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc6"
},
{
"id": "CVE-2021-43057",
"summary": "An issue was discovered in the Linux kernel before 5.14.8. A use-after-free in selinux_ptrace_traceme (aka the SELinux handler for PTRACE_TRACEME) could be used by local attackers to cause memory corruption and escalate privileges, aka CID-a3727a8bac0a. This occurs because of an attempt to access the subjective credentials of another task.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43057",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc3"
},
{
"id": "CVE-2021-43267",
"summary": "An issue was discovered in net/tipc/crypto.c in the Linux kernel before 5.14.16. The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient validation of user-supplied sizes for the MSG_CRYPTO message type.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43267",
"detail": "fixed-version",
"description": "Fixed from version 5.15"
},
{
"id": "CVE-2021-43389",
"summary": "An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43389",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc6"
},
{
"id": "CVE-2021-43975",
"summary": "In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43975",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc2"
},
{
"id": "CVE-2021-43976",
"summary": "In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).",
"scorev2": "2.1",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43976",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2021-44733",
"summary": "A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11. This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-44733",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc7"
},
{
"id": "CVE-2021-44879",
"summary": "In gc_data_segment in fs/f2fs/gc.c in the Linux kernel before 5.16.3, special files are not considered, leading to a move_data_page NULL pointer dereference.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-44879",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2021-45095",
"summary": "pep_sock_accept in net/phonet/pep.c in the Linux kernel through 5.15.8 has a refcount leak.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45095",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc6"
},
{
"id": "CVE-2021-45100",
"summary": "The ksmbd server through 3.4.2, as used in the Linux kernel through 5.15.8, sometimes communicates in cleartext even though encryption has been enabled. This occurs because it sets the SMB2_GLOBAL_CAP_ENCRYPTION flag when using the SMB 3.1.1 protocol, which is a violation of the SMB protocol specification. When Windows 10 detects this protocol violation, it disables encryption.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45100",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc7"
},
{
"id": "CVE-2021-45402",
"summary": "The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not properly update bounds while handling the mov32 instruction, which allows local users to obtain potentially sensitive address information, aka a \"pointer leak.\"",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45402",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc6"
},
{
"id": "CVE-2021-45469",
"summary": "In __f2fs_setxattr in fs/f2fs/xattr.c in the Linux kernel through 5.15.11, there is an out-of-bounds memory access when an inode has an invalid last xattr entry.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45469",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2021-45480",
"summary": "An issue was discovered in the Linux kernel before 5.15.11. There is a memory leak in the __rds_conn_create() function in net/rds/connection.c in a certain combination of circumstances.",
"scorev2": "4.7",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45480",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc6"
},
{
"id": "CVE-2021-45485",
"summary": "In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45485",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc1"
},
{
"id": "CVE-2021-45486",
"summary": "In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak because the hash table is very small.",
"scorev2": "2.7",
"scorev3": "3.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45486",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc1"
},
{
"id": "CVE-2021-45868",
"summary": "In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a corrupted quota file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45868",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc1"
},
{
"id": "CVE-2021-46283",
"summary": "nf_tables_newset in net/netfilter/nf_tables_api.c in the Linux kernel before 5.12.13 allows local users to cause a denial of service (NULL pointer dereference and general protection fault) because of the missing initialization for nft_set_elem_expr_alloc. A local user can set a netfilter table expression in their own namespace.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46283",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc7"
},
{
"id": "CVE-2021-46904",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hso: fix null-ptr-deref during tty device unregistration\n\nMultiple ttys try to claim the same the minor number causing a double\nunregistration of the same device. The first unregistration succeeds\nbut the next one results in a null-ptr-deref.\n\nThe get_free_serial_index() function returns an available minor number\nbut doesn't assign it immediately. The assignment is done by the caller\nlater. But before this assignment, calls to get_free_serial_index()\nwould return the same minor number.\n\nFix this by modifying get_free_serial_index to assign the minor number\nimmediately after one is found to be and rename it to obtain_minor()\nto better reflect what it does. Similary, rename set_serial_by_index()\nto release_minor() and modify it to free up the minor number of the\ngiven hso_serial. Every obtain_minor() should have corresponding\nrelease_minor() call.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46904"
},
{
"id": "CVE-2021-46905",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hso: fix NULL-deref on disconnect regression\n\nCommit 8a12f8836145 (\"net: hso: fix null-ptr-deref during tty device\nunregistration\") fixed the racy minor allocation reported by syzbot, but\nintroduced an unconditional NULL-pointer dereference on every disconnect\ninstead.\n\nSpecifically, the serial device table must no longer be accessed after\nthe minor has been released by hso_serial_tty_unregister().",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46905"
},
{
"id": "CVE-2021-46906",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: usbhid: fix info leak in hid_submit_ctrl\n\nIn hid_submit_ctrl(), the way of calculating the report length doesn't\ntake into account that report->size can be zero. When running the\nsyzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to\ncalculate transfer_buffer_length as 16384. When this urb is passed to\nthe usb core layer, KMSAN reports an info leak of 16384 bytes.\n\nTo fix this, first modify hid_report_len() to account for the zero\nreport size case by using DIV_ROUND_UP for the division. Then, call it\nfrom hid_submit_ctrl().",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46906"
},
{
"id": "CVE-2021-46908",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Use correct permission flag for mixed signed bounds arithmetic\n\nWe forbid adding unknown scalars with mixed signed bounds due to the\nspectre v1 masking mitigation. Hence this also needs bypass_spec_v1\nflag instead of allow_ptr_leaks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46908"
},
{
"id": "CVE-2021-46909",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: footbridge: fix PCI interrupt mapping\n\nSince commit 30fdfb929e82 (\"PCI: Add a call to pci_assign_irq() in\npci_device_probe()\"), the PCI code will call the IRQ mapping function\nwhenever a PCI driver is probed. If these are marked as __init, this\ncauses an oops if a PCI driver is loaded or bound after the kernel has\ninitialised.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46909"
},
{
"id": "CVE-2021-46910",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9063/1: mm: reduce maximum number of CPUs if DEBUG_KMAP_LOCAL is enabled\n\nThe debugging code for kmap_local() doubles the number of per-CPU fixmap\nslots allocated for kmap_local(), in order to use half of them as guard\nregions. This causes the fixmap region to grow downwards beyond the start\nof its reserved window if the supported number of CPUs is large, and collide\nwith the newly added virtual DT mapping right below it, which is obviously\nnot good.\n\nOne manifestation of this is EFI boot on a kernel built with NR_CPUS=32\nand CONFIG_DEBUG_KMAP_LOCAL=y, which may pass the FDT in highmem, resulting\nin block entries below the fixmap region that the fixmap code misidentifies\nas fixmap table entries, and subsequently tries to dereference using a\nphys-to-virt translation that is only valid for lowmem. This results in a\ncryptic splat such as the one below.\n\n ftrace: allocating 45548 entries in 89 pages\n 8<--- cut here ---\n Unable to handle kernel paging request at virtual address fc6006f0\n pgd = (ptrval)\n [fc6006f0] *pgd=80000040207003, *pmd=00000000\n Internal error: Oops: a06 [#1] SMP ARM\n Modules linked in:\n CPU: 0 PID: 0 Comm: swapper Not tainted 5.11.0+ #382\n Hardware name: Generic DT based system\n PC is at cpu_ca15_set_pte_ext+0x24/0x30\n LR is at __set_fixmap+0xe4/0x118\n pc : [] lr : [] psr: 400000d3\n sp : c1601ed8 ip : 00400000 fp : 00800000\n r10: 0000071f r9 : 00421000 r8 : 00c00000\n r7 : 00c00000 r6 : 0000071f r5 : ffade000 r4 : 4040171f\n r3 : 00c00000 r2 : 4040171f r1 : c041ac78 r0 : fc6006f0\n Flags: nZcv IRQs off FIQs off Mode SVC_32 ISA ARM Segment none\n Control: 30c5387d Table: 40203000 DAC: 00000001\n Process swapper (pid: 0, stack limit = 0x(ptrval))\n\nSo let's limit CONFIG_NR_CPUS to 16 when CONFIG_DEBUG_KMAP_LOCAL=y. Also,\nfix the BUILD_BUG_ON() check that was supposed to catch this, by checking\nwhether the region grows below the start address rather than above the end\naddress.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46910"
},
{
"id": "CVE-2021-46911",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nch_ktls: Fix kernel panic\n\nTaking page refcount is not ideal and causes kernel panic\nsometimes. It's better to take tx_ctx lock for the complete\nskb transmit, to avoid page cleanup if ACK received in middle.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46911"
},
{
"id": "CVE-2021-46912",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Make tcp_allowed_congestion_control readonly in non-init netns\n\nCurrently, tcp_allowed_congestion_control is global and writable;\nwriting to it in any net namespace will leak into all other net\nnamespaces.\n\ntcp_available_congestion_control and tcp_allowed_congestion_control are\nthe only sysctls in ipv4_net_table (the per-netns sysctl table) with a\nNULL data pointer; their handlers (proc_tcp_available_congestion_control\nand proc_allowed_congestion_control) have no other way of referencing a\nstruct net. Thus, they operate globally.\n\nBecause ipv4_net_table does not use designated initializers, there is no\neasy way to fix up this one \"bad\" table entry. However, the data pointer\nupdating logic shouldn't be applied to NULL pointers anyway, so we\ninstead force these entries to be read-only.\n\nThese sysctls used to exist in ipv4_table (init-net only), but they were\nmoved to the per-net ipv4_net_table, presumably without realizing that\ntcp_allowed_congestion_control was writable and thus introduced a leak.\n\nBecause the intent of that commit was only to know (i.e. read) \"which\ncongestion algorithms are available or allowed\", this read-only solution\nshould be sufficient.\n\nThe logic added in recent commit\n31c4d2f160eb: (\"net: Ensure net namespace isolation of sysctls\")\ndoes not and cannot check for NULL data pointers, because\nother table entries (e.g. /proc/sys/net/netfilter/nf_log/) have\n.data=NULL but use other methods (.extra2) to access the struct net.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46912"
},
{
"id": "CVE-2021-46913",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nftables: clone set element expression template\n\nmemcpy() breaks when using connlimit in set elements. Use\nnft_expr_clone() to initialize the connlimit expression list, otherwise\nconnlimit garbage collector crashes when walking on the list head copy.\n\n[ 493.064656] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]\n[ 493.064685] RIP: 0010:find_or_evict+0x5a/0x90 [nf_conncount]\n[ 493.064694] Code: 2b 43 40 83 f8 01 77 0d 48 c7 c0 f5 ff ff ff 44 39 63 3c 75 df 83 6d 18 01 48 8b 43 08 48 89 de 48 8b 13 48 8b 3d ee 2f 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 03 48 83\n[ 493.064699] RSP: 0018:ffffc90000417dc0 EFLAGS: 00010297\n[ 493.064704] RAX: 0000000000000000 RBX: ffff888134f38410 RCX: 0000000000000000\n[ 493.064708] RDX: 0000000000000000 RSI: ffff888134f38410 RDI: ffff888100060cc0\n[ 493.064711] RBP: ffff88812ce594a8 R08: ffff888134f38438 R09: 00000000ebb9025c\n[ 493.064714] R10: ffffffff8219f838 R11: 0000000000000017 R12: 0000000000000001\n[ 493.064718] R13: ffffffff82146740 R14: ffff888134f38410 R15: 0000000000000000\n[ 493.064721] FS: 0000000000000000(0000) GS:ffff88840e440000(0000) knlGS:0000000000000000\n[ 493.064725] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 493.064729] CR2: 0000000000000008 CR3: 00000001330aa002 CR4: 00000000001706e0\n[ 493.064733] Call Trace:\n[ 493.064737] nf_conncount_gc_list+0x8f/0x150 [nf_conncount]\n[ 493.064746] nft_rhash_gc+0x106/0x390 [nf_tables]",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46913"
},
{
"id": "CVE-2021-46914",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: fix unbalanced device enable/disable in suspend/resume\n\npci_disable_device() called in __ixgbe_shutdown() decreases\ndev->enable_cnt by 1. pci_enable_device_mem() which increases\ndev->enable_cnt by 1, was removed from ixgbe_resume() in commit\n6f82b2558735 (\"ixgbe: use generic power management\"). This caused\nunbalanced increase/decrease. So add pci_enable_device_mem() back.\n\nFix the following call trace.\n\n ixgbe 0000:17:00.1: disabling already-disabled device\n Call Trace:\n __ixgbe_shutdown+0x10a/0x1e0 [ixgbe]\n ixgbe_suspend+0x32/0x70 [ixgbe]\n pci_pm_suspend+0x87/0x160\n ? pci_pm_freeze+0xd0/0xd0\n dpm_run_callback+0x42/0x170\n __device_suspend+0x114/0x460\n async_suspend+0x1f/0xa0\n async_run_entry_fn+0x3c/0xf0\n process_one_work+0x1dd/0x410\n worker_thread+0x34/0x3f0\n ? cancel_delayed_work+0x90/0x90\n kthread+0x14c/0x170\n ? kthread_park+0x90/0x90\n ret_from_fork+0x1f/0x30",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46914"
},
{
"id": "CVE-2021-46915",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_limit: avoid possible divide error in nft_limit_init\n\ndiv_u64() divides u64 by u32.\n\nnft_limit_init() wants to divide u64 by u64, use the appropriate\nmath function (div64_u64)\n\ndivide error: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 8390 Comm: syz-executor188 Not tainted 5.12.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:div_u64_rem include/linux/math64.h:28 [inline]\nRIP: 0010:div_u64 include/linux/math64.h:127 [inline]\nRIP: 0010:nft_limit_init+0x2a2/0x5e0 net/netfilter/nft_limit.c:85\nCode: ef 4c 01 eb 41 0f 92 c7 48 89 de e8 38 a5 22 fa 4d 85 ff 0f 85 97 02 00 00 e8 ea 9e 22 fa 4c 0f af f3 45 89 ed 31 d2 4c 89 f0 <49> f7 f5 49 89 c6 e8 d3 9e 22 fa 48 8d 7d 48 48 b8 00 00 00 00 00\nRSP: 0018:ffffc90009447198 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000200000000000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff875152e6 RDI: 0000000000000003\nRBP: ffff888020f80908 R08: 0000200000000000 R09: 0000000000000000\nR10: ffffffff875152d8 R11: 0000000000000000 R12: ffffc90009447270\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS: 000000000097a300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000200001c4 CR3: 0000000026a52000 CR4: 00000000001506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n nf_tables_newexpr net/netfilter/nf_tables_api.c:2675 [inline]\n nft_expr_init+0x145/0x2d0 net/netfilter/nf_tables_api.c:2713\n nft_set_elem_expr_alloc+0x27/0x280 net/netfilter/nf_tables_api.c:5160\n nf_tables_newset+0x1997/0x3150 net/netfilter/nf_tables_api.c:4321\n nfnetlink_rcv_batch+0x85a/0x21b0 net/netfilter/nfnetlink.c:456\n nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]\n nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598\n netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]\n netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338\n netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927\n sock_sendmsg_nosec net/socket.c:654 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:674\n ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350\n ___sys_sendmsg+0xf3/0x170 net/socket.c:2404\n __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46915"
},
{
"id": "CVE-2021-46916",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: Fix NULL pointer dereference in ethtool loopback test\n\nThe ixgbe driver currently generates a NULL pointer dereference when\nperforming the ethtool loopback test. This is due to the fact that there\nisn't a q_vector associated with the test ring when it is setup as\ninterrupts are not normally added to the test rings.\n\nTo address this I have added code that will check for a q_vector before\nreturning a napi_id value. If a q_vector is not present it will return a\nvalue of 0.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46916"
},
{
"id": "CVE-2021-46917",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: fix wq cleanup of WQCFG registers\n\nA pre-release silicon erratum workaround where wq reset does not clear\nWQCFG registers was leaked into upstream code. Use wq reset command\ninstead of blasting the MMIO region. This also address an issue where\nwe clobber registers in future devices.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46917"
},
{
"id": "CVE-2021-46918",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: clear MSIX permission entry on shutdown\n\nAdd disabling/clearing of MSIX permission entries on device shutdown to\nmirror the enabling of the MSIX entries on probe. Current code left the\nMSIX enabled and the pasid entries still programmed at device shutdown.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46918"
},
{
"id": "CVE-2021-46919",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: fix wq size store permission state\n\nWQ size can only be changed when the device is disabled. Current code\nallows change when device is enabled but wq is disabled. Change the check\nto detect device state.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46919"
},
{
"id": "CVE-2021-46920",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback\n\nCurrent code blindly writes over the SWERR and the OVERFLOW bits. Write\nback the bits actually read instead so the driver avoids clobbering the\nOVERFLOW bit that comes after the register is read.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46920"
},
{
"id": "CVE-2021-46921",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlocking/qrwlock: Fix ordering in queued_write_lock_slowpath()\n\nWhile this code is executed with the wait_lock held, a reader can\nacquire the lock without holding wait_lock. The writer side loops\nchecking the value with the atomic_cond_read_acquire(), but only truly\nacquires the lock when the compare-and-exchange is completed\nsuccessfully which isn\u2019t ordered. This exposes the window between the\nacquire and the cmpxchg to an A-B-A problem which allows reads\nfollowing the lock acquisition to observe values speculatively before\nthe write lock is truly acquired.\n\nWe've seen a problem in epoll where the reader does a xchg while\nholding the read lock, but the writer can see a value change out from\nunder it.\n\n Writer | Reader\n --------------------------------------------------------------------------------\n ep_scan_ready_list() |\n |- write_lock_irq() |\n |- queued_write_lock_slowpath() |\n\t|- atomic_cond_read_acquire() |\n\t\t\t\t | read_lock_irqsave(&ep->lock, flags);\n --> (observes value before unlock) | chain_epi_lockless()\n | | epi->next = xchg(&ep->ovflist, epi);\n | | read_unlock_irqrestore(&ep->lock, flags);\n | |\n | atomic_cmpxchg_relaxed() |\n |-- READ_ONCE(ep->ovflist); |\n\nA core can order the read of the ovflist ahead of the\natomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire\nsemantics addresses this issue at which point the atomic_cond_read can\nbe switched to use relaxed semantics.\n\n[peterz: use try_cmpxchg()]",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46921"
},
{
"id": "CVE-2021-46922",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Fix TPM reservation for seal/unseal\n\nThe original patch 8c657a0590de (\"KEYS: trusted: Reserve TPM for seal\nand unseal operations\") was correct on the mailing list:\n\nhttps://lore.kernel.org/linux-integrity/20210128235621.127925-4-jarkko@kernel.org/\n\nBut somehow got rebased so that the tpm_try_get_ops() in\ntpm2_seal_trusted() got lost. This causes an imbalanced put of the\nTPM ops and causes oopses on TIS based hardware.\n\nThis fix puts back the lost tpm_try_get_ops()",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46922"
},
{
"id": "CVE-2021-46923",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/mount_setattr: always cleanup mount_kattr\n\nMake sure that finish_mount_kattr() is called after mount_kattr was\nsuccesfully built in both the success and failure case to prevent\nleaking any references we took when we built it. We returned early if\npath lookup failed thereby risking to leak an additional reference we\ntook when building mount_kattr when an idmapped mount was requested.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46923"
},
{
"id": "CVE-2021-46924",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: st21nfca: Fix memory leak in device probe and remove\n\n'phy->pending_skb' is alloced when device probe, but forgot to free\nin the error handling path and remove path, this cause memory leak\nas follows:\n\nunreferenced object 0xffff88800bc06800 (size 512):\n comm \"8\", pid 11775, jiffies 4295159829 (age 9.032s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<00000000d66c09ce>] __kmalloc_node_track_caller+0x1ed/0x450\n [<00000000c93382b3>] kmalloc_reserve+0x37/0xd0\n [<000000005fea522c>] __alloc_skb+0x124/0x380\n [<0000000019f29f9a>] st21nfca_hci_i2c_probe+0x170/0x8f2\n\nFix it by freeing 'pending_skb' in error and remove.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46924"
},
{
"id": "CVE-2021-46925",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix kernel panic caused by race of smc_sock\n\nA crash occurs when smc_cdc_tx_handler() tries to access smc_sock\nbut smc_release() has already freed it.\n\n[ 4570.695099] BUG: unable to handle page fault for address: 000000002eae9e88\n[ 4570.696048] #PF: supervisor write access in kernel mode\n[ 4570.696728] #PF: error_code(0x0002) - not-present page\n[ 4570.697401] PGD 0 P4D 0\n[ 4570.697716] Oops: 0002 [#1] PREEMPT SMP NOPTI\n[ 4570.698228] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc4+ #111\n[ 4570.699013] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8c24b4c 04/0\n[ 4570.699933] RIP: 0010:_raw_spin_lock+0x1a/0x30\n<...>\n[ 4570.711446] Call Trace:\n[ 4570.711746] \n[ 4570.711992] smc_cdc_tx_handler+0x41/0xc0\n[ 4570.712470] smc_wr_tx_tasklet_fn+0x213/0x560\n[ 4570.712981] ? smc_cdc_tx_dismisser+0x10/0x10\n[ 4570.713489] tasklet_action_common.isra.17+0x66/0x140\n[ 4570.714083] __do_softirq+0x123/0x2f4\n[ 4570.714521] irq_exit_rcu+0xc4/0xf0\n[ 4570.714934] common_interrupt+0xba/0xe0\n\nThough smc_cdc_tx_handler() checked the existence of smc connection,\nsmc_release() may have already dismissed and released the smc socket\nbefore smc_cdc_tx_handler() further visits it.\n\nsmc_cdc_tx_handler() |smc_release()\nif (!conn) |\n |\n |smc_cdc_tx_dismiss_slots()\n | smc_cdc_tx_dismisser()\n |\n |sock_put(&smc->sk) <- last sock_put,\n | smc_sock freed\nbh_lock_sock(&smc->sk) (panic) |\n\nTo make sure we won't receive any CDC messages after we free the\nsmc_sock, add a refcount on the smc_connection for inflight CDC\nmessage(posted to the QP but haven't received related CQE), and\ndon't release the smc_connection until all the inflight CDC messages\nhaven been done, for both success or failed ones.\n\nUsing refcount on CDC messages brings another problem: when the link\nis going to be destroyed, smcr_link_clear() will reset the QP, which\nthen remove all the pending CQEs related to the QP in the CQ. To make\nsure all the CQEs will always come back so the refcount on the\nsmc_connection can always reach 0, smc_ib_modify_qp_reset() was replaced\nby smc_ib_modify_qp_error().\nAnd remove the timeout in smc_wr_tx_wait_no_pending_sends() since we\nneed to wait for all pending WQEs done, or we may encounter use-after-\nfree when handling CQEs.\n\nFor IB device removal routine, we need to wait for all the QPs on that\ndevice been destroyed before we can destroy CQs on the device, or\nthe refcount on smc_connection won't reach 0 and smc_sock cannot be\nreleased.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46925"
},
{
"id": "CVE-2021-46926",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: intel-sdw-acpi: harden detection of controller\n\nThe existing code currently sets a pointer to an ACPI handle before\nchecking that it's actually a SoundWire controller. This can lead to\nissues where the graph walk continues and eventually fails, but the\npointer was set already.\n\nThis patch changes the logic so that the information provided to\nthe caller is set when a controller is found.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46926"
},
{
"id": "CVE-2021-46927",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert\n\nAfter commit 5b78ed24e8ec (\"mm/pagemap: add mmap_assert_locked()\nannotations to find_vma*()\"), the call to get_user_pages() will trigger\nthe mmap assert.\n\nstatic inline void mmap_assert_locked(struct mm_struct *mm)\n{\n\tlockdep_assert_held(&mm->mmap_lock);\n\tVM_BUG_ON_MM(!rwsem_is_locked(&mm->mmap_lock), mm);\n}\n\n[ 62.521410] kernel BUG at include/linux/mmap_lock.h:156!\n...........................................................\n[ 62.538938] RIP: 0010:find_vma+0x32/0x80\n...........................................................\n[ 62.605889] Call Trace:\n[ 62.608502] \n[ 62.610956] ? lock_timer_base+0x61/0x80\n[ 62.614106] find_extend_vma+0x19/0x80\n[ 62.617195] __get_user_pages+0x9b/0x6a0\n[ 62.620356] __gup_longterm_locked+0x42d/0x450\n[ 62.623721] ? finish_wait+0x41/0x80\n[ 62.626748] ? __kmalloc+0x178/0x2f0\n[ 62.629768] ne_set_user_memory_region_ioctl.isra.0+0x225/0x6a0 [nitro_enclaves]\n[ 62.635776] ne_enclave_ioctl+0x1cf/0x6d7 [nitro_enclaves]\n[ 62.639541] __x64_sys_ioctl+0x82/0xb0\n[ 62.642620] do_syscall_64+0x3b/0x90\n[ 62.645642] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nUse get_user_pages_unlocked() when setting the enclave memory regions.\nThat's a similar pattern as mmap_read_lock() used together with\nget_user_pages().",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46927"
},
{
"id": "CVE-2021-46928",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Clear stale IIR value on instruction access rights trap\n\nWhen a trap 7 (Instruction access rights) occurs, this means the CPU\ncouldn't execute an instruction due to missing execute permissions on\nthe memory region. In this case it seems the CPU didn't even fetched\nthe instruction from memory and thus did not store it in the cr19 (IIR)\nregister before calling the trap handler. So, the trap handler will find\nsome random old stale value in cr19.\n\nThis patch simply overwrites the stale IIR value with a constant magic\n\"bad food\" value (0xbaadf00d), in the hope people don't start to try to\nunderstand the various random IIR values in trap 7 dumps.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46928"
},
{
"id": "CVE-2021-46929",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: use call_rcu to free endpoint\n\nThis patch is to delay the endpoint free by calling call_rcu() to fix\nanother use-after-free issue in sctp_sock_dump():\n\n BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20\n Call Trace:\n __lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218\n lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]\n _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168\n spin_lock_bh include/linux/spinlock.h:334 [inline]\n __lock_sock+0x203/0x350 net/core/sock.c:2253\n lock_sock_nested+0xfe/0x120 net/core/sock.c:2774\n lock_sock include/net/sock.h:1492 [inline]\n sctp_sock_dump+0x122/0xb20 net/sctp/diag.c:324\n sctp_for_each_transport+0x2b5/0x370 net/sctp/socket.c:5091\n sctp_diag_dump+0x3ac/0x660 net/sctp/diag.c:527\n __inet_diag_dump+0xa8/0x140 net/ipv4/inet_diag.c:1049\n inet_diag_dump+0x9b/0x110 net/ipv4/inet_diag.c:1065\n netlink_dump+0x606/0x1080 net/netlink/af_netlink.c:2244\n __netlink_dump_start+0x59a/0x7c0 net/netlink/af_netlink.c:2352\n netlink_dump_start include/linux/netlink.h:216 [inline]\n inet_diag_handler_cmd+0x2ce/0x3f0 net/ipv4/inet_diag.c:1170\n __sock_diag_cmd net/core/sock_diag.c:232 [inline]\n sock_diag_rcv_msg+0x31d/0x410 net/core/sock_diag.c:263\n netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2477\n sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:274\n\nThis issue occurs when asoc is peeled off and the old sk is freed after\ngetting it by asoc->base.sk and before calling lock_sock(sk).\n\nTo prevent the sk free, as a holder of the sk, ep should be alive when\ncalling lock_sock(). This patch uses call_rcu() and moves sock_put and\nep free into sctp_endpoint_destroy_rcu(), so that it's safe to try to\nhold the ep under rcu_read_lock in sctp_transport_traverse_process().\n\nIf sctp_endpoint_hold() returns true, it means this ep is still alive\nand we have held it and can continue to dump it; If it returns false,\nit means this ep is dead and can be freed after rcu_read_unlock, and\nwe should skip it.\n\nIn sctp_sock_dump(), after locking the sk, if this ep is different from\ntsp->asoc->ep, it means during this dumping, this asoc was peeled off\nbefore calling lock_sock(), and the sk should be skipped; If this ep is\nthe same with tsp->asoc->ep, it means no peeloff happens on this asoc,\nand due to lock_sock, no peeloff will happen either until release_sock.\n\nNote that delaying endpoint free won't delay the port release, as the\nport release happens in sctp_endpoint_destroy() before calling call_rcu().\nAlso, freeing endpoint by call_rcu() makes it safe to access the sk by\nasoc->base.sk in sctp_assocs_seq_show() and sctp_rcv().\n\nThanks Jones to bring this issue up.\n\nv1->v2:\n - improve the changelog.\n - add kfree(ep) into sctp_endpoint_destroy_rcu(), as Jakub noticed.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46929"
},
{
"id": "CVE-2021-46930",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: mtu3: fix list_head check warning\n\nThis is caused by uninitialization of list_head.\n\nBUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4\n\nCall trace:\ndump_backtrace+0x0/0x298\nshow_stack+0x24/0x34\ndump_stack+0x130/0x1a8\nprint_address_description+0x88/0x56c\n__kasan_report+0x1b8/0x2a0\nkasan_report+0x14/0x20\n__asan_load8+0x9c/0xa0\n__list_del_entry_valid+0x34/0xe4\nmtu3_req_complete+0x4c/0x300 [mtu3]\nmtu3_gadget_stop+0x168/0x448 [mtu3]\nusb_gadget_unregister_driver+0x204/0x3a0\nunregister_gadget_item+0x44/0xa4",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46930"
},
{
"id": "CVE-2021-46931",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Wrap the tx reporter dump callback to extract the sq\n\nFunction mlx5e_tx_reporter_dump_sq() casts its void * argument to struct\nmlx5e_txqsq *, but in TX-timeout-recovery flow the argument is actually\nof type struct mlx5e_tx_timeout_ctx *.\n\n mlx5_core 0000:08:00.1 enp8s0f1: TX timeout detected\n mlx5_core 0000:08:00.1 enp8s0f1: TX timeout on queue: 1, SQ: 0x11ec, CQ: 0x146d, SQ Cons: 0x0 SQ Prod: 0x1, usecs since last trans: 21565000\n BUG: stack guard page was hit at 0000000093f1a2de (stack is 00000000b66ea0dc..000000004d932dae)\n kernel stack overflow (page fault): 0000 [#1] SMP NOPTI\n CPU: 5 PID: 95 Comm: kworker/u20:1 Tainted: G W OE 5.13.0_mlnx #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Workqueue: mlx5e mlx5e_tx_timeout_work [mlx5_core]\n RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180\n [mlx5_core]\n Call Trace:\n mlx5e_tx_reporter_dump+0x43/0x1c0 [mlx5_core]\n devlink_health_do_dump.part.91+0x71/0xd0\n devlink_health_report+0x157/0x1b0\n mlx5e_reporter_tx_timeout+0xb9/0xf0 [mlx5_core]\n ? mlx5e_tx_reporter_err_cqe_recover+0x1d0/0x1d0\n [mlx5_core]\n ? mlx5e_health_queue_dump+0xd0/0xd0 [mlx5_core]\n ? update_load_avg+0x19b/0x550\n ? set_next_entity+0x72/0x80\n ? pick_next_task_fair+0x227/0x340\n ? finish_task_switch+0xa2/0x280\n mlx5e_tx_timeout_work+0x83/0xb0 [mlx5_core]\n process_one_work+0x1de/0x3a0\n worker_thread+0x2d/0x3c0\n ? process_one_work+0x3a0/0x3a0\n kthread+0x115/0x130\n ? kthread_park+0x90/0x90\n ret_from_fork+0x1f/0x30\n --[ end trace 51ccabea504edaff ]---\n RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180\n PKRU: 55555554\n Kernel panic - not syncing: Fatal exception\n Kernel Offset: disabled\n end Kernel panic - not syncing: Fatal exception\n\nTo fix this bug add a wrapper for mlx5e_tx_reporter_dump_sq() which\nextracts the sq from struct mlx5e_tx_timeout_ctx and set it as the\nTX-timeout-recovery flow dump callback.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46931"
},
{
"id": "CVE-2021-46932",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: appletouch - initialize work before device registration\n\nSyzbot has reported warning in __flush_work(). This warning is caused by\nwork->func == NULL, which means missing work initialization.\n\nThis may happen, since input_dev->close() calls\ncancel_work_sync(&dev->work), but dev->work initalization happens _after_\ninput_register_device() call.\n\nSo this patch moves dev->work initialization before registering input\ndevice",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46932"
},
{
"id": "CVE-2021-46933",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.\n\nffs_data_clear is indirectly called from both ffs_fs_kill_sb and\nffs_ep0_release, so it ends up being called twice when userland closes ep0\nand then unmounts f_fs.\nIf userland provided an eventfd along with function's USB descriptors, it\nends up calling eventfd_ctx_put as many times, causing a refcount\nunderflow.\nNULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.\n\nAlso, set epfiles to NULL right after de-allocating it, for readability.\n\nFor completeness, ffs_data_clear actually ends up being called thrice, the\nlast call being before the whole ffs structure gets freed, so when this\nspecific sequence happens there is a second underflow happening (but not\nbeing reported):\n\n/sys/kernel/debug/tracing# modprobe usb_f_fs\n/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter\n/sys/kernel/debug/tracing# echo function > current_tracer\n/sys/kernel/debug/tracing# echo 1 > tracing_on\n(setup gadget, run and kill function userland process, teardown gadget)\n/sys/kernel/debug/tracing# echo 0 > tracing_on\n/sys/kernel/debug/tracing# cat trace\n smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed\n smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed\n smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_put\n\nWarning output corresponding to above trace:\n[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c\n[ 1946.293094] refcount_t: underflow; use-after-free.\n[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)\n[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1\n[ 1946.417950] Hardware name: BCM2835\n[ 1946.425442] Backtrace:\n[ 1946.432048] [] (dump_backtrace) from [] (show_stack+0x20/0x24)\n[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c\n[ 1946.458412] [] (show_stack) from [] (dump_stack+0x28/0x30)\n[ 1946.470380] [] (dump_stack) from [] (__warn+0xe8/0x154)\n[ 1946.482067] r5:c04a948c r4:c0a71dc8\n[ 1946.490184] [] (__warn) from [] (warn_slowpath_fmt+0xa0/0xe4)\n[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04\n[ 1946.517070] [] (warn_slowpath_fmt) from [] (refcount_warn_saturate+0x110/0x15c)\n[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0\n[ 1946.546708] [] (refcount_warn_saturate) from [] (eventfd_ctx_put+0x48/0x74)\n[ 1946.564476] [] (eventfd_ctx_put) from [] (ffs_data_clear+0xd0/0x118 [usb_f_fs])\n[ 1946.582664] r5:c3b84c00 r4:c2695b00\n[ 1946.590668] [] (ffs_data_clear [usb_f_fs]) from [] (ffs_data_closed+0x9c/0x150 [usb_f_fs])\n[ 1946.609608] r5:bf54d014 r4:c2695b00\n[ 1946.617522] [] (ffs_data_closed [usb_f_fs]) from [] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])\n[ 1946.636217] r7:c0dfcb\n---truncated---",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46933"
},
{
"id": "CVE-2021-46934",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: validate user data in compat ioctl\n\nWrong user data may cause warning in i2c_transfer(), ex: zero msgs.\nUserspace should not be able to trigger warnings, so this patch adds\nvalidation checks for user data in compact ioctl to prevent reported\nwarnings",
"scorev2": "0.0",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46934"
},
{
"id": "CVE-2021-46935",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix async_free_space accounting for empty parcels\n\nIn 4.13, commit 74310e06be4d (\"android: binder: Move buffer out of area shared with user space\")\nfixed a kernel structure visibility issue. As part of that patch,\nsizeof(void *) was used as the buffer size for 0-length data payloads so\nthe driver could detect abusive clients sending 0-length asynchronous\ntransactions to a server by enforcing limits on async_free_size.\n\nUnfortunately, on the \"free\" side, the accounting of async_free_space\ndid not add the sizeof(void *) back. The result was that up to 8-bytes of\nasync_free_space were leaked on every async transaction of 8-bytes or\nless. These small transactions are uncommon, so this accounting issue\nhas gone undetected for several years.\n\nThe fix is to use \"buffer_size\" (the allocated buffer size) instead of\n\"size\" (the logical buffer size) when updating the async_free_space\nduring the free operation. These are the same except for this\ncorner case of asynchronous transactions with payloads < 8 bytes.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46935"
},
{
"id": "CVE-2021-46936",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix use-after-free in tw_timer_handler\n\nA real world panic issue was found as follow in Linux 5.4.\n\n BUG: unable to handle page fault for address: ffffde49a863de28\n PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0\n RIP: 0010:tw_timer_handler+0x20/0x40\n Call Trace:\n \n call_timer_fn+0x2b/0x120\n run_timer_softirq+0x1ef/0x450\n __do_softirq+0x10d/0x2b8\n irq_exit+0xc7/0xd0\n smp_apic_timer_interrupt+0x68/0x120\n apic_timer_interrupt+0xf/0x20\n\nThis issue was also reported since 2017 in the thread [1],\nunfortunately, the issue was still can be reproduced after fixing\nDCCP.\n\nThe ipv4_mib_exit_net is called before tcp_sk_exit_batch when a net\nnamespace is destroyed since tcp_sk_ops is registered befrore\nipv4_mib_ops, which means tcp_sk_ops is in the front of ipv4_mib_ops\nin the list of pernet_list. There will be a use-after-free on\nnet->mib.net_statistics in tw_timer_handler after ipv4_mib_exit_net\nif there are some inflight time-wait timers.\n\nThis bug is not introduced by commit f2bf415cfed7 (\"mib: add net to\nNET_ADD_STATS_BH\") since the net_statistics is a global variable\ninstead of dynamic allocation and freeing. Actually, commit\n61a7e26028b9 (\"mib: put net statistics on struct net\") introduces\nthe bug since it put net statistics on struct net and free it when\nnet namespace is destroyed.\n\nMoving init_ipv4_mibs() to the front of tcp_init() to fix this bug\nand replace pr_crit() with panic() since continuing is meaningless\nwhen init_ipv4_mibs() fails.\n\n[1] https://groups.google.com/g/syzkaller/c/p1tn-_Kc6l4/m/smuL_FMAAgAJ?pli=1",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46936"
},
{
"id": "CVE-2021-46937",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/dbgfs: fix 'struct pid' leaks in 'dbgfs_target_ids_write()'\n\nDAMON debugfs interface increases the reference counts of 'struct pid's\nfor targets from the 'target_ids' file write callback\n('dbgfs_target_ids_write()'), but decreases the counts only in DAMON\nmonitoring termination callback ('dbgfs_before_terminate()').\n\nTherefore, when 'target_ids' file is repeatedly written without DAMON\nmonitoring start/termination, the reference count is not decreased and\ntherefore memory for the 'struct pid' cannot be freed. This commit\nfixes this issue by decreasing the reference counts when 'target_ids' is\nwritten.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46937"
},
{
"id": "CVE-2021-46938",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm rq: fix double free of blk_mq_tag_set in dev remove after table load fails\n\nWhen loading a device-mapper table for a request-based mapped device,\nand the allocation/initialization of the blk_mq_tag_set for the device\nfails, a following device remove will cause a double free.\n\nE.g. (dmesg):\n device-mapper: core: Cannot initialize queue for request-based dm-mq mapped device\n device-mapper: ioctl: unable to set up device queue for new table.\n Unable to handle kernel pointer dereference in virtual kernel address space\n Failing address: 0305e098835de000 TEID: 0305e098835de803\n Fault in home space mode while using kernel ASCE.\n AS:000000025efe0007 R3:0000000000000024\n Oops: 0038 ilc:3 [#1] SMP\n Modules linked in: ... lots of modules ...\n Supported: Yes, External\n CPU: 0 PID: 7348 Comm: multipathd Kdump: loaded Tainted: G W X 5.3.18-53-default #1 SLE15-SP3\n Hardware name: IBM 8561 T01 7I2 (LPAR)\n Krnl PSW : 0704e00180000000 000000025e368eca (kfree+0x42/0x330)\n R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n Krnl GPRS: 000000000000004a 000000025efe5230 c1773200d779968d 0000000000000000\n 000000025e520270 000000025e8d1b40 0000000000000003 00000007aae10000\n 000000025e5202a2 0000000000000001 c1773200d779968d 0305e098835de640\n 00000007a8170000 000003ff80138650 000000025e5202a2 000003e00396faa8\n Krnl Code: 000000025e368eb8: c4180041e100 lgrl %r1,25eba50b8\n 000000025e368ebe: ecba06b93a55 risbg %r11,%r10,6,185,58\n #000000025e368ec4: e3b010000008 ag %r11,0(%r1)\n >000000025e368eca: e310b0080004 lg %r1,8(%r11)\n 000000025e368ed0: a7110001 tmll %r1,1\n 000000025e368ed4: a7740129 brc 7,25e369126\n 000000025e368ed8: e320b0080004 lg %r2,8(%r11)\n 000000025e368ede: b904001b lgr %r1,%r11\n Call Trace:\n [<000000025e368eca>] kfree+0x42/0x330\n [<000000025e5202a2>] blk_mq_free_tag_set+0x72/0xb8\n [<000003ff801316a8>] dm_mq_cleanup_mapped_device+0x38/0x50 [dm_mod]\n [<000003ff80120082>] free_dev+0x52/0xd0 [dm_mod]\n [<000003ff801233f0>] __dm_destroy+0x150/0x1d0 [dm_mod]\n [<000003ff8012bb9a>] dev_remove+0x162/0x1c0 [dm_mod]\n [<000003ff8012a988>] ctl_ioctl+0x198/0x478 [dm_mod]\n [<000003ff8012ac8a>] dm_ctl_ioctl+0x22/0x38 [dm_mod]\n [<000000025e3b11ee>] ksys_ioctl+0xbe/0xe0\n [<000000025e3b127a>] __s390x_sys_ioctl+0x2a/0x40\n [<000000025e8c15ac>] system_call+0xd8/0x2c8\n Last Breaking-Event-Address:\n [<000000025e52029c>] blk_mq_free_tag_set+0x6c/0xb8\n Kernel panic - not syncing: Fatal exception: panic_on_oops\n\nWhen allocation/initialization of the blk_mq_tag_set fails in\ndm_mq_init_request_queue(), it is uninitialized/freed, but the pointer\nis not reset to NULL; so when dev_remove() later gets into\ndm_mq_cleanup_mapped_device() it sees the pointer and tries to\nuninitialize and free it again.\n\nFix this by setting the pointer to NULL in dm_mq_init_request_queue()\nerror-handling. Also set it to NULL in dm_mq_cleanup_mapped_device().",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46938"
},
{
"id": "CVE-2021-46939",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Restructure trace_clock_global() to never block\n\nIt was reported that a fix to the ring buffer recursion detection would\ncause a hung machine when performing suspend / resume testing. The\nfollowing backtrace was extracted from debugging that case:\n\nCall Trace:\n trace_clock_global+0x91/0xa0\n __rb_reserve_next+0x237/0x460\n ring_buffer_lock_reserve+0x12a/0x3f0\n trace_buffer_lock_reserve+0x10/0x50\n __trace_graph_return+0x1f/0x80\n trace_graph_return+0xb7/0xf0\n ? trace_clock_global+0x91/0xa0\n ftrace_return_to_handler+0x8b/0xf0\n ? pv_hash+0xa0/0xa0\n return_to_handler+0x15/0x30\n ? ftrace_graph_caller+0xa0/0xa0\n ? trace_clock_global+0x91/0xa0\n ? __rb_reserve_next+0x237/0x460\n ? ring_buffer_lock_reserve+0x12a/0x3f0\n ? trace_event_buffer_lock_reserve+0x3c/0x120\n ? trace_event_buffer_reserve+0x6b/0xc0\n ? trace_event_raw_event_device_pm_callback_start+0x125/0x2d0\n ? dpm_run_callback+0x3b/0xc0\n ? pm_ops_is_empty+0x50/0x50\n ? platform_get_irq_byname_optional+0x90/0x90\n ? trace_device_pm_callback_start+0x82/0xd0\n ? dpm_run_callback+0x49/0xc0\n\nWith the following RIP:\n\nRIP: 0010:native_queued_spin_lock_slowpath+0x69/0x200\n\nSince the fix to the recursion detection would allow a single recursion to\nhappen while tracing, this lead to the trace_clock_global() taking a spin\nlock and then trying to take it again:\n\nring_buffer_lock_reserve() {\n trace_clock_global() {\n arch_spin_lock() {\n queued_spin_lock_slowpath() {\n /* lock taken */\n (something else gets traced by function graph tracer)\n ring_buffer_lock_reserve() {\n trace_clock_global() {\n arch_spin_lock() {\n queued_spin_lock_slowpath() {\n /* DEAD LOCK! */\n\nTracing should *never* block, as it can lead to strange lockups like the\nabove.\n\nRestructure the trace_clock_global() code to instead of simply taking a\nlock to update the recorded \"prev_time\" simply use it, as two events\nhappening on two different CPUs that calls this at the same time, really\ndoesn't matter which one goes first. Use a trylock to grab the lock for\nupdating the prev_time, and if it fails, simply try again the next time.\nIf it failed to be taken, that means something else is already updating\nit.\n\n\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=212761",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46939"
},
{
"id": "CVE-2021-46940",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntools/power turbostat: Fix offset overflow issue in index converting\n\nThe idx_to_offset() function returns type int (32-bit signed), but\nMSR_PKG_ENERGY_STAT is u32 and would be interpreted as a negative number.\nThe end result is that it hits the if (offset < 0) check in update_msr_sum()\nwhich prevents the timer callback from updating the stat in the background when\nlong durations are used. The similar issue exists in offset_to_idx() and\nupdate_msr_sum(). Fix this issue by converting the 'int' to 'off_t' accordingly.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46940"
},
{
"id": "CVE-2021-46941",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: core: Do core softreset when switch mode\n\n\nAccording to the programming guide, to switch mode for DRD controller,\nthe driver needs to do the following.\n\nTo switch from device to host:\n1. Reset controller with GCTL.CoreSoftReset\n2. Set GCTL.PrtCapDir(host mode)\n3. Reset the host with USBCMD.HCRESET\n4. Then follow up with the initializing host registers sequence\n\nTo switch from host to device:\n1. Reset controller with GCTL.CoreSoftReset\n2. Set GCTL.PrtCapDir(device mode)\n3. Reset the device with DCTL.CSftRst\n4. Then follow up with the initializing registers sequence\n\nCurrently we're missing step 1) to do GCTL.CoreSoftReset and step 3) of\nswitching from host to device. John Stult reported a lockup issue seen\nwith HiKey960 platform without these steps[1]. Similar issue is observed\nwith Ferry's testing platform[2].\n\nSo, apply the required steps along with some fixes to Yu Chen's and John\nStultz's version. The main fixes to their versions are the missing wait\nfor clocks synchronization before clearing GCTL.CoreSoftReset and only\napply DCTL.CSftRst when switching from host to device.\n\n[1] https://lore.kernel.org/linux-usb/20210108015115.27920-1-john.stultz@linaro.org/\n[2] https://lore.kernel.org/linux-usb/0ba7a6ba-e6a7-9cd4-0695-64fc927e01f1@gmail.com/",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46941"
},
{
"id": "CVE-2021-46942",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix shared sqpoll cancellation hangs\n\n[ 736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds.\n[ 736.982897] Call Trace:\n[ 736.982901] schedule+0x68/0xe0\n[ 736.982903] io_uring_cancel_sqpoll+0xdb/0x110\n[ 736.982908] io_sqpoll_cancel_cb+0x24/0x30\n[ 736.982911] io_run_task_work_head+0x28/0x50\n[ 736.982913] io_sq_thread+0x4e3/0x720\n\nWe call io_uring_cancel_sqpoll() one by one for each ctx either in\nsq_thread() itself or via task works, and it's intended to cancel all\nrequests of a specified context. However the function uses per-task\ncounters to track the number of inflight requests, so it counts more\nrequests than available via currect io_uring ctx and goes to sleep for\nthem to appear (e.g. from IRQ), that will never happen.\n\nCancel a bit more than before, i.e. all ctxs that share sqpoll\nand continue to use shared counters. Don't forget that we should not\nremove ctx from the list before running that task_work sqpoll-cancel,\notherwise the function wouldn't be able to find the context and will\nhang.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46942"
},
{
"id": "CVE-2021-46943",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: staging/intel-ipu3: Fix set_fmt error handling\n\nIf there in an error during a set_fmt, do not overwrite the previous\nsizes with the invalid config.\n\nWithout this patch, v4l2-compliance ends up allocating 4GiB of RAM and\ncausing the following OOPs\n\n[ 38.662975] ipu3-imgu 0000:00:05.0: swiotlb buffer is full (sz: 4096 bytes)\n[ 38.662980] DMA: Out of SW-IOMMU space for 4096 bytes at device 0000:00:05.0\n[ 38.663010] general protection fault: 0000 [#1] PREEMPT SMP",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46943"
},
{
"id": "CVE-2021-46944",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: staging/intel-ipu3: Fix memory leak in imu_fmt\n\nWe are losing the reference to an allocated memory if try. Change the\norder of the check to avoid that.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46944"
},
{
"id": "CVE-2021-46945",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: always panic when errors=panic is specified\n\nBefore commit 014c9caa29d3 (\"ext4: make ext4_abort() use\n__ext4_error()\"), the following series of commands would trigger a\npanic:\n\n1. mount /dev/sda -o ro,errors=panic test\n2. mount /dev/sda -o remount,abort test\n\nAfter commit 014c9caa29d3, remounting a file system using the test\nmount option \"abort\" will no longer trigger a panic. This commit will\nrestore the behaviour immediately before commit 014c9caa29d3.\n(However, note that the Linux kernel's behavior has not been\nconsistent; some previous kernel versions, including 5.4 and 4.19\nsimilarly did not panic after using the mount option \"abort\".)\n\nThis also makes a change to long-standing behaviour; namely, the\nfollowing series commands will now cause a panic, when previously it\ndid not:\n\n1. mount /dev/sda -o ro,errors=panic test\n2. echo test > /sys/fs/ext4/sda/trigger_fs_error\n\nHowever, this makes ext4's behaviour much more consistent, so this is\na good thing.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46945"
},
{
"id": "CVE-2021-46947",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: adjust efx->xdp_tx_queue_count with the real number of initialized queues\n\nefx->xdp_tx_queue_count is initially initialized to num_possible_cpus() and is\nlater used to allocate and traverse efx->xdp_tx_queues lookup array. However,\nwe may end up not initializing all the array slots with real queues during\nprobing. This results, for example, in a NULL pointer dereference, when running\n\"# ethtool -S \", similar to below\n\n[2570283.664955][T4126959] BUG: kernel NULL pointer dereference, address: 00000000000000f8\n[2570283.681283][T4126959] #PF: supervisor read access in kernel mode\n[2570283.695678][T4126959] #PF: error_code(0x0000) - not-present page\n[2570283.710013][T4126959] PGD 0 P4D 0\n[2570283.721649][T4126959] Oops: 0000 [#1] SMP PTI\n[2570283.734108][T4126959] CPU: 23 PID: 4126959 Comm: ethtool Tainted: G O 5.10.20-cloudflare-2021.3.1 #1\n[2570283.752641][T4126959] Hardware name: \n[2570283.781408][T4126959] RIP: 0010:efx_ethtool_get_stats+0x2ca/0x330 [sfc]\n[2570283.796073][T4126959] Code: 00 85 c0 74 39 48 8b 95 a8 0f 00 00 48 85 d2 74 2d 31 c0 eb 07 48 8b 95 a8 0f 00 00 48 63 c8 49 83 c4 08 83 c0 01 48 8b 14 ca <48> 8b 92 f8 00 00 00 49 89 54 24 f8 39 85 a0 0f 00 00 77 d7 48 8b\n[2570283.831259][T4126959] RSP: 0018:ffffb79a77657ce8 EFLAGS: 00010202\n[2570283.845121][T4126959] RAX: 0000000000000019 RBX: ffffb799cd0c9280 RCX: 0000000000000018\n[2570283.860872][T4126959] RDX: 0000000000000000 RSI: ffff96dd970ce000 RDI: 0000000000000005\n[2570283.876525][T4126959] RBP: ffff96dd86f0a000 R08: ffff96dd970ce480 R09: 000000000000005f\n[2570283.892014][T4126959] R10: ffffb799cd0c9fff R11: ffffb799cd0c9000 R12: ffffb799cd0c94f8\n[2570283.907406][T4126959] R13: ffffffffc11b1090 R14: ffff96dd970ce000 R15: ffffffffc11cd66c\n[2570283.922705][T4126959] FS: 00007fa7723f8740(0000) GS:ffff96f51fac0000(0000) knlGS:0000000000000000\n[2570283.938848][T4126959] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[2570283.952524][T4126959] CR2: 00000000000000f8 CR3: 0000001a73e6e006 CR4: 00000000007706e0\n[2570283.967529][T4126959] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[2570283.982400][T4126959] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[2570283.997308][T4126959] PKRU: 55555554\n[2570284.007649][T4126959] Call Trace:\n[2570284.017598][T4126959] dev_ethtool+0x1832/0x2830\n\nFix this by adjusting efx->xdp_tx_queue_count after probing to reflect the true\nvalue of initialized slots in efx->xdp_tx_queues.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46947"
},
{
"id": "CVE-2021-46948",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: farch: fix TX queue lookup in TX event handling\n\nWe're starting from a TXQ label, not a TXQ type, so\n efx_channel_get_tx_queue() is inappropriate (and could return NULL,\n leading to panics).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46948"
},
{
"id": "CVE-2021-46949",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: farch: fix TX queue lookup in TX flush done handling\n\nWe're starting from a TXQ instance number ('qid'), not a TXQ type, so\n efx_get_tx_queue() is inappropriate (and could return NULL, leading\n to panics).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46949"
},
{
"id": "CVE-2021-46950",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid1: properly indicate failure when ending a failed write request\n\nThis patch addresses a data corruption bug in raid1 arrays using bitmaps.\nWithout this fix, the bitmap bits for the failed I/O end up being cleared.\n\nSince we are in the failure leg of raid1_end_write_request, the request\neither needs to be retried (R1BIO_WriteError) or failed (R1BIO_Degraded).",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46950"
},
{
"id": "CVE-2021-46951",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: efi: Use local variable for calculating final log size\n\nWhen tpm_read_log_efi is called multiple times, which happens when\none loads and unloads a TPM2 driver multiple times, then the global\nvariable efi_tpm_final_log_size will at some point become a negative\nnumber due to the subtraction of final_events_preboot_size occurring\neach time. Use a local variable to avoid this integer underflow.\n\nThe following issue is now resolved:\n\nMar 8 15:35:12 hibinst kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\nMar 8 15:35:12 hibinst kernel: Workqueue: tpm-vtpm vtpm_proxy_work [tpm_vtpm_proxy]\nMar 8 15:35:12 hibinst kernel: RIP: 0010:__memcpy+0x12/0x20\nMar 8 15:35:12 hibinst kernel: Code: 00 b8 01 00 00 00 85 d2 74 0a c7 05 44 7b ef 00 0f 00 00 00 c3 cc cc cc 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4\nMar 8 15:35:12 hibinst kernel: RSP: 0018:ffff9ac4c0fcfde0 EFLAGS: 00010206\nMar 8 15:35:12 hibinst kernel: RAX: ffff88f878cefed5 RBX: ffff88f878ce9000 RCX: 1ffffffffffffe0f\nMar 8 15:35:12 hibinst kernel: RDX: 0000000000000003 RSI: ffff9ac4c003bff9 RDI: ffff88f878cf0e4d\nMar 8 15:35:12 hibinst kernel: RBP: ffff9ac4c003b000 R08: 0000000000001000 R09: 000000007e9d6073\nMar 8 15:35:12 hibinst kernel: R10: ffff9ac4c003b000 R11: ffff88f879ad3500 R12: 0000000000000ed5\nMar 8 15:35:12 hibinst kernel: R13: ffff88f878ce9760 R14: 0000000000000002 R15: ffff88f77de7f018\nMar 8 15:35:12 hibinst kernel: FS: 0000000000000000(0000) GS:ffff88f87bd00000(0000) knlGS:0000000000000000\nMar 8 15:35:12 hibinst kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nMar 8 15:35:12 hibinst kernel: CR2: ffff9ac4c003c000 CR3: 00000001785a6004 CR4: 0000000000060ee0\nMar 8 15:35:12 hibinst kernel: Call Trace:\nMar 8 15:35:12 hibinst kernel: tpm_read_log_efi+0x152/0x1a7\nMar 8 15:35:12 hibinst kernel: tpm_bios_log_setup+0xc8/0x1c0\nMar 8 15:35:12 hibinst kernel: tpm_chip_register+0x8f/0x260\nMar 8 15:35:12 hibinst kernel: vtpm_proxy_work+0x16/0x60 [tpm_vtpm_proxy]\nMar 8 15:35:12 hibinst kernel: process_one_work+0x1b4/0x370\nMar 8 15:35:12 hibinst kernel: worker_thread+0x53/0x3e0\nMar 8 15:35:12 hibinst kernel: ? process_one_work+0x370/0x370",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46951"
},
{
"id": "CVE-2021-46952",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: fs_context: validate UDP retrans to prevent shift out-of-bounds\n\nFix shift out-of-bounds in xprt_calc_majortimeo(). This is caused\nby a garbage timeout (retrans) mount option being passed to nfs mount,\nin this case from syzkaller.\n\nIf the protocol is XPRT_TRANSPORT_UDP, then 'retrans' is a shift\nvalue for a 64-bit long integer, so 'retrans' cannot be >= 64.\nIf it is >= 64, fail the mount and return an error.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46952"
},
{
"id": "CVE-2021-46953",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure\n\nWhen failing the driver probe because of invalid firmware properties,\nthe GTDT driver unmaps the interrupt that it mapped earlier.\n\nHowever, it never checks whether the mapping of the interrupt actially\nsucceeded. Even more, should the firmware report an illegal interrupt\nnumber that overlaps with the GIC SGI range, this can result in an\nIPI being unmapped, and subsequent fireworks (as reported by Dann\nFrazier).\n\nRework the driver to have a slightly saner behaviour and actually\ncheck whether the interrupt has been mapped before unmapping things.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46953"
},
{
"id": "CVE-2021-46954",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_frag: fix stack OOB read while fragmenting IPv4 packets\n\nwhen 'act_mirred' tries to fragment IPv4 packets that had been previously\nre-assembled using 'act_ct', splats like the following can be observed on\nkernels built with KASAN:\n\n BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60\n Read of size 1 at addr ffff888147009574 by task ping/947\n\n CPU: 0 PID: 947 Comm: ping Not tainted 5.12.0-rc6+ #418\n Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014\n Call Trace:\n \n dump_stack+0x92/0xc1\n print_address_description.constprop.7+0x1a/0x150\n kasan_report.cold.13+0x7f/0x111\n ip_do_fragment+0x1b03/0x1f60\n sch_fragment+0x4bf/0xe40\n tcf_mirred_act+0xc3d/0x11a0 [act_mirred]\n tcf_action_exec+0x104/0x3e0\n fl_classify+0x49a/0x5e0 [cls_flower]\n tcf_classify_ingress+0x18a/0x820\n __netif_receive_skb_core+0xae7/0x3340\n __netif_receive_skb_one_core+0xb6/0x1b0\n process_backlog+0x1ef/0x6c0\n __napi_poll+0xaa/0x500\n net_rx_action+0x702/0xac0\n __do_softirq+0x1e4/0x97f\n do_softirq+0x71/0x90\n \n __local_bh_enable_ip+0xdb/0xf0\n ip_finish_output2+0x760/0x2120\n ip_do_fragment+0x15a5/0x1f60\n __ip_finish_output+0x4c2/0xea0\n ip_output+0x1ca/0x4d0\n ip_send_skb+0x37/0xa0\n raw_sendmsg+0x1c4b/0x2d00\n sock_sendmsg+0xdb/0x110\n __sys_sendto+0x1d7/0x2b0\n __x64_sys_sendto+0xdd/0x1b0\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f82e13853eb\n Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 75 42 2c 00 41 89 ca 8b 00 85 c0 75 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 41 57 4d 89 c7 41 56 41 89\n RSP: 002b:00007ffe01fad888 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\n RAX: ffffffffffffffda RBX: 00005571aac13700 RCX: 00007f82e13853eb\n RDX: 0000000000002330 RSI: 00005571aac13700 RDI: 0000000000000003\n RBP: 0000000000002330 R08: 00005571aac10500 R09: 0000000000000010\n R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe01faefb0\n R13: 00007ffe01fad890 R14: 00007ffe01fad980 R15: 00005571aac0f0a0\n\n The buggy address belongs to the page:\n page:000000001dff2e03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x147009\n flags: 0x17ffffc0001000(reserved)\n raw: 0017ffffc0001000 ffffea00051c0248 ffffea00051c0248 0000000000000000\n raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff888147009400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff888147009480: f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 00 00 00\n >ffff888147009500: 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2\n ^\n ffff888147009580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff888147009600: 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2\n\nfor IPv4 packets, sch_fragment() uses a temporary struct dst_entry. Then,\nin the following call graph:\n\n ip_do_fragment()\n ip_skb_dst_mtu()\n ip_dst_mtu_maybe_forward()\n ip_mtu_locked()\n\nthe pointer to struct dst_entry is used as pointer to struct rtable: this\nturns the access to struct members like rt_mtu_locked into an OOB read in\nthe stack. Fix this changing the temporary variable used for IPv4 packets\nin sch_fragment(), similarly to what is done for IPv6 few lines below.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46954"
},
{
"id": "CVE-2021-47164",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix null deref accessing lag dev\n\nIt could be the lag dev is null so stop processing the event.\nIn bond_enslave() the active/backup slave being set before setting the\nupper dev so first event is without an upper dev.\nAfter setting the upper dev with bond_master_upper_dev_link() there is\na second event and in that event we have an upper dev.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47164"
},
{
"id": "CVE-2021-47171",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: fix memory leak in smsc75xx_bind\n\nSyzbot reported memory leak in smsc75xx_bind().\nThe problem was is non-freed memory in case of\nerrors after memory allocation.\n\nbacktrace:\n [] kmalloc include/linux/slab.h:556 [inline]\n [] kzalloc include/linux/slab.h:686 [inline]\n [] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460\n [] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47171"
},
{
"id": "CVE-2021-47173",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc/uss720: fix memory leak in uss720_probe\n\nuss720_probe forgets to decrease the refcount of usbdev in uss720_probe.\nFix this by decreasing the refcount of usbdev by usb_put_dev.\n\nBUG: memory leak\nunreferenced object 0xffff888101113800 (size 2048):\n comm \"kworker/0:1\", pid 7, jiffies 4294956777 (age 28.870s)\n hex dump (first 32 bytes):\n ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00 ....1...........\n 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ................\n backtrace:\n [] kmalloc include/linux/slab.h:554 [inline]\n [] kzalloc include/linux/slab.h:684 [inline]\n [] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582\n [] hub_port_connect drivers/usb/core/hub.c:5129 [inline]\n [] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]\n [] port_event drivers/usb/core/hub.c:5509 [inline]\n [] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591\n [] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275\n [] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421\n [] kthread+0x178/0x1b0 kernel/kthread.c:292\n [] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47173"
},
{
"id": "CVE-2021-47179",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return()\n\nCommit de144ff4234f changes _pnfs_return_layout() to call\npnfs_mark_matching_lsegs_return() passing NULL as the struct\npnfs_layout_range argument. Unfortunately,\npnfs_mark_matching_lsegs_return() doesn't check if we have a value here\nbefore dereferencing it, causing an oops.\n\nI'm able to hit this crash consistently when running connectathon basic\ntests on NFS v4.1/v4.2 against Ontap.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47179"
},
{
"id": "CVE-2021-47193",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Fix memory leak during rmmod\n\nDriver failed to release all memory allocated. This would lead to memory\nleak during driver removal.\n\nProperly free memory when the module is removed.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47193"
},
{
"id": "CVE-2021-47194",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncfg80211: call cfg80211_stop_ap when switch from P2P_GO type\n\nIf the userspace tools switch from NL80211_IFTYPE_P2P_GO to\nNL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it\ndoes not call the cleanup cfg80211_stop_ap(), this leads to the\ninitialization of in-use data. For example, this path re-init the\nsdata->assigned_chanctx_list while it is still an element of\nassigned_vifs list, and makes that linked list corrupt.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47194"
},
{
"id": "CVE-2021-47195",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix use-after-free of the add_lock mutex\n\nCommit 6098475d4cb4 (\"spi: Fix deadlock when adding SPI controllers on\nSPI buses\") introduced a per-controller mutex. But mutex_unlock() of\nsaid lock is called after the controller is already freed:\n\n spi_unregister_controller(ctlr)\n -> put_device(&ctlr->dev)\n -> spi_controller_release(dev)\n -> mutex_unlock(&ctrl->add_lock)\n\nMove the put_device() after the mutex_unlock().",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47195"
},
{
"id": "CVE-2021-47198",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine\n\nAn error is detected with the following report when unloading the driver:\n \"KASAN: use-after-free in lpfc_unreg_rpi+0x1b1b\"\n\nThe NLP_REG_LOGIN_SEND nlp_flag is set in lpfc_reg_fab_ctrl_node(), but the\nflag is not cleared upon completion of the login.\n\nThis allows a second call to lpfc_unreg_rpi() to proceed with nlp_rpi set\nto LPFC_RPI_ALLOW_ERROR. This results in a use after free access when used\nas an rpi_ids array index.\n\nFix by clearing the NLP_REG_LOGIN_SEND nlp_flag in\nlpfc_mbx_cmpl_fc_reg_login().",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47198"
},
{
"id": "CVE-2021-47513",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: felix: Fix memory leak in felix_setup_mmio_filtering\n\nAvoid a memory leak if there is not a CPU port defined.\n\nAddresses-Coverity-ID: 1492897 (\"Resource leak\")\nAddresses-Coverity-ID: 1492899 (\"Resource leak\")",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47513"
},
{
"id": "CVE-2021-47516",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfp: Fix memory leak in nfp_cpp_area_cache_add()\n\nIn line 800 (#1), nfp_cpp_area_alloc() allocates and initializes a\nCPP area structure. But in line 807 (#2), when the cache is allocated\nfailed, this CPP area structure is not freed, which will result in\nmemory leak.\n\nWe can fix it by freeing the CPP area when the cache is allocated\nfailed (#2).\n\n792 int nfp_cpp_area_cache_add(struct nfp_cpp *cpp, size_t size)\n793 {\n794 \tstruct nfp_cpp_area_cache *cache;\n795 \tstruct nfp_cpp_area *area;\n\n800\tarea = nfp_cpp_area_alloc(cpp, NFP_CPP_ID(7, NFP_CPP_ACTION_RW, 0),\n801 \t\t\t\t 0, size);\n\t// #1: allocates and initializes\n\n802 \tif (!area)\n803 \t\treturn -ENOMEM;\n\n805 \tcache = kzalloc(sizeof(*cache), GFP_KERNEL);\n806 \tif (!cache)\n807 \t\treturn -ENOMEM; // #2: missing free\n\n817\treturn 0;\n818 }",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47516"
},
{
"id": "CVE-2021-47518",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done\n\nThe done() netlink callback nfc_genl_dump_ses_done() should check if\nreceived argument is non-NULL, because its allocation could fail earlier\nin dumpit() (nfc_genl_dump_ses()).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47518"
},
{
"id": "CVE-2021-47519",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: m_can: m_can_read_fifo: fix memory leak in error branch\n\nIn m_can_read_fifo(), if the second call to m_can_fifo_read() fails,\nthe function jump to the out_fail label and returns without calling\nm_can_receive_skb(). This means that the skb previously allocated by\nalloc_can_skb() is not freed. In other terms, this is a memory leak.\n\nThis patch adds a goto label to destroy the skb if an error occurs.\n\nIssue was found with GCC -fanalyzer, please follow the link below for\ndetails.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47519"
},
{
"id": "CVE-2021-47520",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: pch_can: pch_can_rx_normal: fix use after free\n\nAfter calling netif_receive_skb(skb), dereferencing skb is unsafe.\nEspecially, the can_frame cf which aliases skb memory is dereferenced\njust after the call netif_receive_skb(skb).\n\nReordering the lines solves the issue.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47520"
},
{
"id": "CVE-2021-47521",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: sja1000: fix use after free in ems_pcmcia_add_card()\n\nIf the last channel is not available then \"dev\" is freed. Fortunately,\nwe can just use \"pdev->irq\" instead.\n\nAlso we should check if at least one channel was set up.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47521"
},
{
"id": "CVE-2021-47522",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: bigbenff: prevent null pointer dereference\n\nWhen emulating the device through uhid, there is a chance we don't have\noutput reports and so report_field is null.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47522"
},
{
"id": "CVE-2021-47525",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: liteuart: fix use-after-free and memleak on unbind\n\nDeregister the port when unbinding the driver to prevent it from being\nused after releasing the driver data and leaking memory allocated by\nserial core.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47525"
},
{
"id": "CVE-2021-47526",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: liteuart: Fix NULL pointer dereference in ->remove()\n\ndrvdata has to be set in _probe() - otherwise platform_get_drvdata()\ncauses null pointer dereference BUG in _remove().",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47526"
},
{
"id": "CVE-2021-47528",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init()\n\nIn cdnsp_endpoint_init(), cdnsp_ring_alloc() is assigned to pep->ring\nand there is a dereference of it in cdnsp_endpoint_init(), which could\nlead to a NULL pointer dereference on failure of cdnsp_ring_alloc().\n\nFix this bug by adding a check of pep->ring.\n\nThis bug was found by a static analyzer. The analysis employs\ndifferential checking to identify inconsistent security operations\n(e.g., checks or kfrees) between two code paths and confirms that the\ninconsistent operations are not recovered in the current function or\nthe callers, so they constitute bugs.\n\nNote that, as a bug found by static analysis, it can be a false\npositive or hard to trigger. Multiple researchers have cross-reviewed\nthe bug.\n\nBuilds with CONFIG_USB_CDNSP_GADGET=y show no new warnings,\nand our static analyzer no longer warns about this code.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47528"
},
{
"id": "CVE-2021-47529",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niwlwifi: Fix memory leaks in error handling path\n\nShould an error occur (invalid TLV len or memory allocation failure), the\nmemory already allocated in 'reduce_power_data' should be freed before\nreturning, otherwise it is leaking.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47529"
},
{
"id": "CVE-2021-47537",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: Fix a memleak bug in rvu_mbox_init()\n\nIn rvu_mbox_init(), mbox_regions is not freed or passed out\nunder the switch-default region, which could lead to a memory leak.\n\nFix this bug by changing 'return err' to 'goto free_regions'.\n\nThis bug was found by a static analyzer. The analysis employs\ndifferential checking to identify inconsistent security operations\n(e.g., checks or kfrees) between two code paths and confirms that the\ninconsistent operations are not recovered in the current function or\nthe callers, so they constitute bugs.\n\nNote that, as a bug found by static analysis, it can be a false\npositive or hard to trigger. Multiple researchers have cross-reviewed\nthe bug.\n\nBuilds with CONFIG_OCTEONTX2_AF=y show no new warnings,\nand our static analyzer no longer warns about this code.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47537"
},
{
"id": "CVE-2021-47540",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7915: fix NULL pointer dereference in mt7915_get_phy_mode\n\nFix the following NULL pointer dereference in mt7915_get_phy_mode\nroutine adding an ibss interface to the mt7915 driver.\n\n[ 101.137097] wlan0: Trigger new scan to find an IBSS to join\n[ 102.827039] wlan0: Creating new IBSS network, BSSID 26:a4:50:1a:6e:69\n[ 103.064756] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[ 103.073670] Mem abort info:\n[ 103.076520] ESR = 0x96000005\n[ 103.079614] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 103.084934] SET = 0, FnV = 0\n[ 103.088042] EA = 0, S1PTW = 0\n[ 103.091215] Data abort info:\n[ 103.094104] ISV = 0, ISS = 0x00000005\n[ 103.098041] CM = 0, WnR = 0\n[ 103.101044] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000460b1000\n[ 103.107565] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n[ 103.116590] Internal error: Oops: 96000005 [#1] SMP\n[ 103.189066] CPU: 1 PID: 333 Comm: kworker/u4:3 Not tainted 5.10.75 #0\n[ 103.195498] Hardware name: MediaTek MT7622 RFB1 board (DT)\n[ 103.201124] Workqueue: phy0 ieee80211_iface_work [mac80211]\n[ 103.206695] pstate: 20000005 (nzCv daif -PAN -UAO -TCO BTYPE=--)\n[ 103.212705] pc : mt7915_get_phy_mode+0x68/0x120 [mt7915e]\n[ 103.218103] lr : mt7915_mcu_add_bss_info+0x11c/0x760 [mt7915e]\n[ 103.223927] sp : ffffffc011cdb9e0\n[ 103.227235] x29: ffffffc011cdb9e0 x28: ffffff8006563098\n[ 103.232545] x27: ffffff8005f4da22 x26: ffffff800685ac40\n[ 103.237855] x25: 0000000000000001 x24: 000000000000011f\n[ 103.243165] x23: ffffff8005f4e260 x22: ffffff8006567918\n[ 103.248475] x21: ffffff8005f4df80 x20: ffffff800685ac58\n[ 103.253785] x19: ffffff8006744400 x18: 0000000000000000\n[ 103.259094] x17: 0000000000000000 x16: 0000000000000001\n[ 103.264403] x15: 000899c3a2d9d2e4 x14: 000899bdc3c3a1c8\n[ 103.269713] x13: 0000000000000000 x12: 0000000000000000\n[ 103.275024] x11: ffffffc010e30c20 x10: 0000000000000000\n[ 103.280333] x9 : 0000000000000050 x8 : ffffff8006567d88\n[ 103.285642] x7 : ffffff8006563b5c x6 : ffffff8006563b44\n[ 103.290952] x5 : 0000000000000002 x4 : 0000000000000001\n[ 103.296262] x3 : 0000000000000001 x2 : 0000000000000001\n[ 103.301572] x1 : 0000000000000000 x0 : 0000000000000011\n[ 103.306882] Call trace:\n[ 103.309328] mt7915_get_phy_mode+0x68/0x120 [mt7915e]\n[ 103.314378] mt7915_bss_info_changed+0x198/0x200 [mt7915e]\n[ 103.319941] ieee80211_bss_info_change_notify+0x128/0x290 [mac80211]\n[ 103.326360] __ieee80211_sta_join_ibss+0x308/0x6c4 [mac80211]\n[ 103.332171] ieee80211_sta_create_ibss+0x8c/0x10c [mac80211]\n[ 103.337895] ieee80211_ibss_work+0x3dc/0x614 [mac80211]\n[ 103.343185] ieee80211_iface_work+0x388/0x3f0 [mac80211]\n[ 103.348495] process_one_work+0x288/0x690\n[ 103.352499] worker_thread+0x70/0x464\n[ 103.356157] kthread+0x144/0x150\n[ 103.359380] ret_from_fork+0x10/0x18\n[ 103.362952] Code: 394008c3 52800220 394000e4 7100007f (39400023)",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47540"
},
{
"id": "CVE-2021-47541",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()\n\nIn mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and\ntmp->tx_cq will be freed on the error path of mlx4_en_copy_priv().\nAfter that mlx4_en_alloc_resources() is called and there is a dereference\nof &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to\na use after free problem on failure of mlx4_en_copy_priv().\n\nFix this bug by adding a check of mlx4_en_copy_priv()\n\nThis bug was found by a static analyzer. The analysis employs\ndifferential checking to identify inconsistent security operations\n(e.g., checks or kfrees) between two code paths and confirms that the\ninconsistent operations are not recovered in the current function or\nthe callers, so they constitute bugs.\n\nNote that, as a bug found by static analysis, it can be a false\npositive or hard to trigger. Multiple researchers have cross-reviewed\nthe bug.\n\nBuilds with CONFIG_MLX4_EN=m show no new warnings,\nand our static analyzer no longer warns about this code.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47541"
},
{
"id": "CVE-2021-47542",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()\n\nIn qlcnic_83xx_add_rings(), the indirect function of\nahw->hw_ops->alloc_mbx_args will be called to allocate memory for\ncmd.req.arg, and there is a dereference of it in qlcnic_83xx_add_rings(),\nwhich could lead to a NULL pointer dereference on failure of the\nindirect function like qlcnic_83xx_alloc_mbx_args().\n\nFix this bug by adding a check of alloc_mbx_args(), this patch\nimitates the logic of mbx_cmd()'s failure handling.\n\nThis bug was found by a static analyzer. The analysis employs\ndifferential checking to identify inconsistent security operations\n(e.g., checks or kfrees) between two code paths and confirms that the\ninconsistent operations are not recovered in the current function or\nthe callers, so they constitute bugs.\n\nNote that, as a bug found by static analysis, it can be a false\npositive or hard to trigger. Multiple researchers have cross-reviewed\nthe bug.\n\nBuilds with CONFIG_QLCNIC=m show no new warnings, and our\nstatic analyzer no longer warns about this code.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47542"
},
{
"id": "CVE-2021-47546",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix memory leak in fib6_rule_suppress\n\nThe kernel leaks memory when a `fib` rule is present in IPv6 nftables\nfirewall rules and a suppress_prefix rule is present in the IPv6 routing\nrules (used by certain tools such as wg-quick). In such scenarios, every\nincoming packet will leak an allocation in `ip6_dst_cache` slab cache.\n\nAfter some hours of `bpftrace`-ing and source code reading, I tracked\ndown the issue to ca7a03c41753 (\"ipv6: do not free rt if\nFIB_LOOKUP_NOREF is set on suppress rule\").\n\nThe problem with that change is that the generic `args->flags` always have\n`FIB_LOOKUP_NOREF` set[1][2] but the IPv6-specific flag\n`RT6_LOOKUP_F_DST_NOREF` might not be, leading to `fib6_rule_suppress` not\ndecreasing the refcount when needed.\n\nHow to reproduce:\n - Add the following nftables rule to a prerouting chain:\n meta nfproto ipv6 fib saddr . mark . iif oif missing drop\n This can be done with:\n sudo nft create table inet test\n sudo nft create chain inet test test_chain '{ type filter hook prerouting priority filter + 10; policy accept; }'\n sudo nft add rule inet test test_chain meta nfproto ipv6 fib saddr . mark . iif oif missing drop\n - Run:\n sudo ip -6 rule add table main suppress_prefixlength 0\n - Watch `sudo slabtop -o | grep ip6_dst_cache` to see memory usage increase\n with every incoming ipv6 packet.\n\nThis patch exposes the protocol-specific flags to the protocol\nspecific `suppress` function, and check the protocol-specific `flags`\nargument for RT6_LOOKUP_F_DST_NOREF instead of the generic\nFIB_LOOKUP_NOREF when decreasing the refcount, like this.\n\n[1]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L71\n[2]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L99",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47546"
},
{
"id": "CVE-2021-47550",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/amdgpu: fix potential memleak\n\nIn function amdgpu_get_xgmi_hive, when kobject_init_and_add failed\nThere is a potential memleak if not call kobject_put.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47550"
},
{
"id": "CVE-2021-47556",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: ioctl: fix potential NULL deref in ethtool_set_coalesce()\n\nethtool_set_coalesce() now uses both the .get_coalesce() and\n.set_coalesce() callbacks. But the check for their availability is\nbuggy, so changing the coalesce settings on a device where the driver\nprovides only _one_ of the callbacks results in a NULL pointer\ndereference instead of an -EOPNOTSUPP.\n\nFix the condition so that the availability of both callbacks is\nensured. This also matches the netlink code.\n\nNote that reproducing this requires some effort - it only affects the\nlegacy ioctl path, and needs a specific combination of driver options:\n- have .get_coalesce() and .coalesce_supported but no\n .set_coalesce(), or\n- have .set_coalesce() but no .get_coalesce(). Here eg. ethtool doesn't\n cause the crash as it first attempts to call ethtool_get_coalesce()\n and bails out on error.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47556"
},
{
"id": "CVE-2021-47559",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Fix NULL pointer dereferencing in smc_vlan_by_tcpsk()\n\nCoverity reports a possible NULL dereferencing problem:\n\nin smc_vlan_by_tcpsk():\n6. returned_null: netdev_lower_get_next returns NULL (checked 29 out of 30 times).\n7. var_assigned: Assigning: ndev = NULL return value from netdev_lower_get_next.\n1623 ndev = (struct net_device *)netdev_lower_get_next(ndev, &lower);\nCID 1468509 (#1 of 1): Dereference null return value (NULL_RETURNS)\n8. dereference: Dereferencing a pointer that might be NULL ndev when calling is_vlan_dev.\n1624 if (is_vlan_dev(ndev)) {\n\nRemove the manual implementation and use netdev_walk_all_lower_dev() to\niterate over the lower devices. While on it remove an obsolete function\nparameter comment.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47559"
},
{
"id": "CVE-2021-47570",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: r8188eu: fix a memory leak in rtw_wx_read32()\n\nFree \"ptmp\" before returning -EINVAL.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47570"
},
{
"id": "CVE-2021-47571",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()\n\nThe free_rtllib() function frees the \"dev\" pointer so there is use\nafter free on the next line. Re-arrange things to avoid that.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47571"
},
{
"id": "CVE-2021-47572",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nexthop: fix null pointer dereference when IPv6 is not enabled\n\nWhen we try to add an IPv6 nexthop and IPv6 is not enabled\n(!CONFIG_IPV6) we'll hit a NULL pointer dereference[1] in the error path\nof nh_create_ipv6() due to calling ipv6_stub->fib6_nh_release. The bug\nhas been present since the beginning of IPv6 nexthop gateway support.\nCommit 1aefd3de7bc6 (\"ipv6: Add fib6_nh_init and release to stubs\") tells\nus that only fib6_nh_init has a dummy stub because fib6_nh_release should\nnot be called if fib6_nh_init returns an error, but the commit below added\na call to ipv6_stub->fib6_nh_release in its error path. To fix it return\nthe dummy stub's -EAFNOSUPPORT error directly without calling\nipv6_stub->fib6_nh_release in nh_create_ipv6()'s error path.\n\n[1]\n Output is a bit truncated, but it clearly shows the error.\n BUG: kernel NULL pointer dereference, address: 000000000000000000\n #PF: supervisor instruction fetch in kernel modede\n #PF: error_code(0x0010) - not-present pagege\n PGD 0 P4D 0\n Oops: 0010 [#1] PREEMPT SMP NOPTI\n CPU: 4 PID: 638 Comm: ip Kdump: loaded Not tainted 5.16.0-rc1+ #446\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014\n RIP: 0010:0x0\n Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.\n RSP: 0018:ffff888109f5b8f0 EFLAGS: 00010286^Ac\n RAX: 0000000000000000 RBX: ffff888109f5ba28 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881008a2860\n RBP: ffff888109f5b9d8 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff888109f5b978 R11: ffff888109f5b948 R12: 00000000ffffff9f\n R13: ffff8881008a2a80 R14: ffff8881008a2860 R15: ffff8881008a2840\n FS: 00007f98de70f100(0000) GS:ffff88822bf00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffffffffffffd6 CR3: 0000000100efc000 CR4: 00000000000006e0\n Call Trace:\n \n nh_create_ipv6+0xed/0x10c\n rtm_new_nexthop+0x6d7/0x13f3\n ? check_preemption_disabled+0x3d/0xf2\n ? lock_is_held_type+0xbe/0xfd\n rtnetlink_rcv_msg+0x23f/0x26a\n ? check_preemption_disabled+0x3d/0xf2\n ? rtnl_calcit.isra.0+0x147/0x147\n netlink_rcv_skb+0x61/0xb2\n netlink_unicast+0x100/0x187\n netlink_sendmsg+0x37f/0x3a0\n ? netlink_unicast+0x187/0x187\n sock_sendmsg_nosec+0x67/0x9b\n ____sys_sendmsg+0x19d/0x1f9\n ? copy_msghdr_from_user+0x4c/0x5e\n ? rcu_read_lock_any_held+0x2a/0x78\n ___sys_sendmsg+0x6c/0x8c\n ? asm_sysvec_apic_timer_interrupt+0x12/0x20\n ? lockdep_hardirqs_on+0xd9/0x102\n ? sockfd_lookup_light+0x69/0x99\n __sys_sendmsg+0x50/0x6e\n do_syscall_64+0xcb/0xf2\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f98dea28914\n Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 48 8d 05 e9 5d 0c 00 8b 00 85 c0 75 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 41 89 d4 55 48 89 f5 53\n RSP: 002b:00007fff859f5e68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e2e\n RAX: ffffffffffffffda RBX: 00000000619cb810 RCX: 00007f98dea28914\n RDX: 0000000000000000 RSI: 00007fff859f5ed0 RDI: 0000000000000003\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000008\n R10: fffffffffffffce6 R11: 0000000000000246 R12: 0000000000000001\n R13: 000055c0097ae520 R14: 000055c0097957fd R15: 00007fff859f63a0\n \n Modules linked in: bridge stp llc bonding virtio_net",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47572"
},
{
"id": "CVE-2022-0001",
"summary": "Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0001",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc8"
},
{
"id": "CVE-2022-0002",
"summary": "Non-transparent sharing of branch predictor within a context in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0002",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc8"
},
{
"id": "CVE-2022-0168",
"summary": "A denial of service (DOS) issue was found in the Linux kernel\u2019s smb2_ioctl_query_info function in the fs/cifs/smb2ops.c Common Internet File System (CIFS) due to an incorrect return from the memdup_user function. This flaw allows a local, privileged (CAP_SYS_ADMIN) attacker to crash the system.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0168",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-0171",
"summary": "A flaw was found in the Linux kernel. The existing KVM SEV API has a vulnerability that allows a non-root (host) user-level application to crash the host kernel by creating a confidential guest VM instance in AMD CPU that supports Secure Encrypted Virtualization (SEV).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0171",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc4"
},
{
"id": "CVE-2022-0185",
"summary": "A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.",
"scorev2": "7.2",
"scorev3": "8.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0185",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2022-0264",
"summary": "A vulnerability was found in the Linux kernel's eBPF verifier when handling internal data structures. Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel. This flaws affects kernel versions < v5.16-rc6",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0264",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc6"
},
{
"id": "CVE-2022-0286",
"summary": "A flaw was found in the Linux kernel. A null pointer dereference in bond_ipsec_add_sa() may lead to local denial of service.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0286",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc2"
},
{
"id": "CVE-2022-0322",
"summary": "A flaw was found in the sctp_make_strreset_req function in net/sctp/sm_make_chunk.c in the SCTP network protocol in the Linux kernel with a local user privilege access. In this flaw, an attempt to use more buffer than is allocated triggers a BUG_ON issue, leading to a denial of service (DOS).",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0322",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc6"
},
{
"id": "CVE-2022-0330",
"summary": "A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0330",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc2"
},
{
"id": "CVE-2022-0382",
"summary": "An information leak flaw was found due to uninitialized memory in the Linux kernel's TIPC protocol subsystem, in the way a user sends a TIPC datagram to one or more destinations. This flaw allows a local user to read some kernel memory. This issue is limited to no more than 7 bytes, and the user cannot control what is read. This flaw affects the Linux kernel versions prior to 5.17-rc1.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0382",
"detail": "fixed-version",
"description": "Fixed from version 5.16"
},
{
"id": "CVE-2022-0400",
"summary": "An out-of-bounds read vulnerability was discovered in linux kernel in the smc protocol stack, causing remote dos.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0400"
},
{
"id": "CVE-2022-0433",
"summary": "A NULL pointer dereference flaw was found in the Linux kernel's BPF subsystem in the way a user triggers the map_get_next_key function of the BPF bloom filter. This flaw allows a local user to crash the system. This flaw affects Linux kernel versions prior to 5.17-rc1.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0433",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2022-0435",
"summary": "A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64 allowed. This flaw allows a remote user to crash the system or possibly escalate their privileges if they have access to the TIPC network.",
"scorev2": "9.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0435",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc4"
},
{
"id": "CVE-2022-0480",
"summary": "A flaw was found in the filelock_init in fs/locks.c function in the Linux kernel. This issue can lead to host memory exhaustion due to memcg not limiting the number of Portable Operating System Interface (POSIX) file locks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0480",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc1"
},
{
"id": "CVE-2022-0487",
"summary": "A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove in drivers/memstick/host/rtsx_usb_ms.c in memstick in the Linux kernel. In this flaw, a local attacker with a user privilege may impact system Confidentiality. This flaw affects kernel versions prior to 5.14 rc1.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0487",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc4"
},
{
"id": "CVE-2022-0492",
"summary": "A vulnerability was found in the Linux kernel\u2019s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0492",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc3"
},
{
"id": "CVE-2022-0494",
"summary": "A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or CAP_SYS_RAWIO) to create issues with confidentiality.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0494",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc5"
},
{
"id": "CVE-2022-0500",
"summary": "A flaw was found in unrestricted eBPF usage by the BPF_BTF_LOAD, leading to a possible out-of-bounds memory write in the Linux kernel\u2019s BPF subsystem due to the way a user loads BTF. This flaw allows a local user to crash or escalate their privileges on the system.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0500",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2022-0516",
"summary": "A vulnerability was found in kvm_s390_guest_sida_op in the arch/s390/kvm/kvm-s390.c function in KVM for s390 in the Linux kernel. This flaw allows a local attacker with a normal user privilege to obtain unauthorized memory write access. This flaw affects Linux kernel versions prior to 5.17-rc4.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0516",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc4"
},
{
"id": "CVE-2022-0617",
"summary": "A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0617",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc2"
},
{
"id": "CVE-2022-0646",
"summary": "A flaw use after free in the Linux kernel Management Component Transport Protocol (MCTP) subsystem was found in the way user triggers cancel_work_sync after the unregister_netdev during removing device. A local user could use this flaw to crash the system or escalate their privileges on the system. It is actual from Linux Kernel 5.17-rc1 (when mctp-serial.c introduced) till 5.17-rc5.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0646",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc5"
},
{
"id": "CVE-2022-0742",
"summary": "Memory leak in icmp6 implementation in Linux Kernel 5.13+ allows a remote attacker to DoS a host by making it go out-of-memory via icmp6 packets of type 130 or 131. We recommend upgrading past commit 2d3916f3189172d5c69d33065c3c21119fe539fc.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0742",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc7"
},
{
"id": "CVE-2022-0812",
"summary": "An information leak flaw was found in NFS over RDMA in the net/sunrpc/xprtrdma/rpc_rdma.c in the Linux Kernel. This flaw allows an attacker with normal user privileges to leak kernel information.",
"scorev2": "0.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0812",
"detail": "fixed-version",
"description": "Fixed from version 5.8rc6"
},
{
"id": "CVE-2022-0847",
"summary": "A flaw was found in the way the \"flags\" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0847",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc6"
},
{
"id": "CVE-2022-0850",
"summary": "A vulnerability was found in linux kernel, where an information leak occurs via ext4_extent_header to userspace.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0850",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc1"
},
{
"id": "CVE-2022-0854",
"summary": "A memory leak flaw was found in the Linux kernel\u2019s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0854",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc8"
},
{
"id": "CVE-2022-0995",
"summary": "An out-of-bounds (OOB) memory write flaw was found in the Linux kernel\u2019s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0995",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc8"
},
{
"id": "CVE-2022-0998",
"summary": "An integer overflow flaw was found in the Linux kernel\u2019s virtio device driver code in the way a user triggers the vhost_vdpa_config_validate function. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0998",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2022-1011",
"summary": "A use-after-free flaw was found in the Linux kernel\u2019s FUSE filesystem in the way a user triggers write(). This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1011",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc8"
},
{
"id": "CVE-2022-1012",
"summary": "A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow an attacker to information leak and may cause a denial of service problem.",
"scorev2": "0.0",
"scorev3": "8.2",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1012",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc6"
},
{
"id": "CVE-2022-1015",
"summary": "A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue.",
"scorev2": "4.6",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1015",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-1016",
"summary": "A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle 'return' with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1016",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-1043",
"summary": "A flaw was found in the Linux kernel\u2019s io_uring implementation. This flaw allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1043",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc7"
},
{
"id": "CVE-2022-1048",
"summary": "A use-after-free flaw was found in the Linux kernel\u2019s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1048",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-1055",
"summary": "A use-after-free exists in the Linux Kernel in tc_new_tfilter that could allow a local attacker to gain privilege escalation. The exploit requires unprivileged user namespaces. We recommend upgrading past commit 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1055",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc3"
},
{
"id": "CVE-2022-1116",
"summary": "Integer Overflow or Wraparound vulnerability in io_uring of Linux Kernel allows local attacker to cause memory corruption and escalate privileges to root. This issue affects: Linux Kernel versions prior to 5.4.189; version 5.4.24 and later versions.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1116"
},
{
"id": "CVE-2022-1158",
"summary": "A flaw was found in KVM. When updating a guest's page table entry, vm_pgoff was improperly used as the offset to get the page's pfn. As vaddr and vm_pgoff are controllable by user-mode processes, this flaw allows unprivileged local users on the host to write outside the userspace region and potentially corrupt the kernel, resulting in a denial of service condition.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1158",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-1184",
"summary": "A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel\u2019s filesystem sub-component. This flaw allows a local attacker with a user privilege to cause a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1184",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-1195",
"summary": "A use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio. This flaw allows a local attacker with a user privilege to cause a denial of service (DOS) when the mkiss or sixpack device is detached and reclaim resources early.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1195",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc7"
},
{
"id": "CVE-2022-1198",
"summary": "A use-after-free vulnerabilitity was discovered in drivers/net/hamradio/6pack.c of linux that allows an attacker to crash linux kernel by simulating ax25 device using 6pack driver from user space.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1198",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc6"
},
{
"id": "CVE-2022-1199",
"summary": "A flaw was found in the Linux kernel. This flaw allows an attacker to crash the Linux kernel by simulating amateur radio from the user space, resulting in a null-ptr-deref vulnerability and a use-after-free vulnerability.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1199",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc8"
},
{
"id": "CVE-2022-1204",
"summary": "A use-after-free flaw was found in the Linux kernel\u2019s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1204",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-1205",
"summary": "A NULL pointer dereference flaw was found in the Linux kernel\u2019s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1205",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-1247",
"summary": "An issue found in linux-kernel that leads to a race condition in rose_connect(). The rose driver uses rose_neigh->use to represent how many objects are using the rose_neigh. When a user wants to delete a rose_route via rose_ioctl(), the rose driver calls rose_del_node() and removes neighbours only if their \u201ccount\u201d and \u201cuse\u201d are zero.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1247"
},
{
"id": "CVE-2022-1263",
"summary": "A NULL pointer dereference issue was found in KVM when releasing a vCPU with dirty ring support enabled. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1263",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc3"
},
{
"id": "CVE-2022-1280",
"summary": "A use-after-free vulnerability was found in drm_lease_held in drivers/gpu/drm/drm_lease.c in the Linux kernel due to a race problem. This flaw allows a local user privilege attacker to cause a denial of service (DoS) or a kernel information leak.",
"scorev2": "3.3",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1280",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc1"
},
{
"id": "CVE-2022-1353",
"summary": "A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel. This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1353",
"detail": "fixed-version",
"description": "Fixed from version 5.17"
},
{
"id": "CVE-2022-1419",
"summary": "The root cause of this vulnerability is that the ioctl$DRM_IOCTL_MODE_DESTROY_DUMB can decrease refcount of *drm_vgem_gem_object *(created in *vgem_gem_dumb_create*) concurrently, and *vgem_gem_dumb_create *will access the freed drm_vgem_gem_object.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1419",
"detail": "fixed-version",
"description": "Fixed from version 5.6rc2"
},
{
"id": "CVE-2022-1462",
"summary": "An out-of-bounds read flaw was found in the Linux kernel\u2019s TeleTYpe subsystem. The issue occurs in how a user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read unauthorized random data from memory.",
"scorev2": "3.3",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1462",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc7"
},
{
"id": "CVE-2022-1508",
"summary": "An out-of-bounds read flaw was found in the Linux kernel\u2019s io_uring module in the way a user triggers the io_read() function with some special parameters. This flaw allows a local user to read some memory out of bounds.",
"scorev2": "0.0",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1508",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc1"
},
{
"id": "CVE-2022-1516",
"summary": "A NULL pointer dereference flaw was found in the Linux kernel\u2019s X.25 set of standardized network protocols functionality in the way a user terminates their session using a simulated Ethernet card and continued usage of this connection. This flaw allows a local user to crash the system.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1516",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-1651",
"summary": "A memory leak flaw was found in the Linux kernel in acrn_dev_ioctl in the drivers/virt/acrn/hsm.c function in how the ACRN Device Model emulates virtual NICs in VM. This flaw allows a local privileged attacker to leak unauthorized kernel information, causing a denial of service.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1651",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-1652",
"summary": "Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a concurrency use-after-free flaw in the bad_flp_intr function. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1652",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc6"
},
{
"id": "CVE-2022-1671",
"summary": "A NULL pointer dereference flaw was found in rxrpc_preparse_s in net/rxrpc/server_key.c in the Linux kernel. This flaw allows a local attacker to crash the system or leak internal kernel information.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1671",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-1678",
"summary": "An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP pacing can lead to memory/netns leak, which can be used by remote clients.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1678",
"detail": "fixed-version",
"description": "Fixed from version 4.20rc1"
},
{
"id": "CVE-2022-1679",
"summary": "A use-after-free flaw was found in the Linux kernel\u2019s Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1679",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-1729",
"summary": "A race condition was found the Linux kernel in perf_event_open() which can be exploited by an unprivileged user to gain root privileges. The bug allows to build several exploit primitives such as kernel address information leak, arbitrary execution, etc.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1729",
"detail": "fixed-version",
"description": "Fixed from version 5.18"
},
{
"id": "CVE-2022-1734",
"summary": "A flaw in Linux Kernel found in nfcmrvl_nci_unregister_dev() in drivers/nfc/nfcmrvl/main.c can lead to use after free both read or write when non synchronized between cleanup routine and firmware download routine.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1734",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc6"
},
{
"id": "CVE-2022-1786",
"summary": "A use-after-free flaw was found in the Linux kernel\u2019s io_uring subsystem in the way a user sets up a ring with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring. This flaw allows a local user to crash or escalate their privileges on the system.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1786",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2022-1789",
"summary": "With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.",
"scorev2": "6.9",
"scorev3": "6.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1789",
"detail": "fixed-version",
"description": "Fixed from version 5.18"
},
{
"id": "CVE-2022-1852",
"summary": "A NULL pointer dereference flaw was found in the Linux kernel\u2019s KVM module, which can lead to a denial of service in the x86_emulate_insn in arch/x86/kvm/emulate.c. This flaw occurs while executing an illegal instruction in guest in the Intel CPU.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1852",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-1882",
"summary": "A use-after-free flaw was found in the Linux kernel\u2019s pipes functionality in how a user performs manipulations with the pipe post_one_notification() after free_pipe_info() that is already called. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1882",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc8"
},
{
"id": "CVE-2022-1943",
"summary": "A flaw out of bounds memory write in the Linux kernel UDF file system functionality was found in the way user triggers some file operation which triggers udf_write_fi(). A local user could use this flaw to crash the system or potentially",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1943",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc7"
},
{
"id": "CVE-2022-1973",
"summary": "A use-after-free flaw was found in the Linux kernel in log_replay in fs/ntfs3/fslog.c in the NTFS journal. This flaw allows a local attacker to crash the system and leads to a kernel information leak problem.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1973",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-1974",
"summary": "A use-after-free flaw was found in the Linux kernel's NFC core functionality due to a race condition between kobject creation and delete. This vulnerability allows a local attacker with CAP_NET_ADMIN privilege to leak kernel information.",
"scorev2": "0.0",
"scorev3": "4.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1974",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc6"
},
{
"id": "CVE-2022-1975",
"summary": "There is a sleep-in-atomic bug in /net/nfc/netlink.c that allows an attacker to crash the Linux kernel by simulating a nfc device from user-space.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1975",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc6"
},
{
"id": "CVE-2022-1976",
"summary": "A flaw was found in the Linux kernel\u2019s implementation of IO-URING. This flaw allows an attacker with local executable permission to create a string of requests that can cause a use-after-free flaw within the kernel. This issue leads to memory corruption and possible privilege escalation.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1976",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-1998",
"summary": "A use after free in the Linux kernel File System notify functionality was found in the way user triggers copy_info_records_to_user() call to fail in copy_event_to_user(). A local user could use this flaw to crash the system or potentially escalate their privileges on the system.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1998",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc3"
},
{
"id": "CVE-2022-20008",
"summary": "In mmc_blk_read_single of block.c, there is a possible way to read kernel heap memory due to uninitialized data. This could lead to local information disclosure if reading from an SD card that triggers errors, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-216481035References: Upstream kernel",
"scorev2": "2.1",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20008",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc5"
},
{
"id": "CVE-2022-20105",
"summary": "In MM service, there is a possible out of bounds write due to a stack-based buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03330460; Issue ID: DTV03330460.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20105"
},
{
"id": "CVE-2022-20106",
"summary": "In MM service, there is a possible out of bounds write due to a heap-based buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03330460; Issue ID: DTV03330460.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20106"
},
{
"id": "CVE-2022-20107",
"summary": "In subtitle service, there is a possible application crash due to an integer overflow. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03330673; Issue ID: DTV03330673.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20107"
},
{
"id": "CVE-2022-20108",
"summary": "In voice service, there is a possible out of bounds write due to a stack-based buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03330702; Issue ID: DTV03330702.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20108"
},
{
"id": "CVE-2022-20132",
"summary": "In lg_probe and related functions of hid-lg.c and other USB HID files, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure if a malicious USB HID device were plugged in, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-188677105References: Upstream kernel",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20132",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc5"
},
{
"id": "CVE-2022-20141",
"summary": "In ip_check_mc_rcu of igmp.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege when opening and closing inet sockets with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-112551163References: Upstream kernel",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20141",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc1"
},
{
"id": "CVE-2022-20148",
"summary": "In TBD of TBD, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege in the kernel with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-219513976References: Upstream kernel",
"scorev2": "6.9",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20148",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc1"
},
{
"id": "CVE-2022-20153",
"summary": "In rcu_cblist_dequeue of rcu_segcblist.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-222091980References: Upstream kernel",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20153",
"detail": "fixed-version",
"description": "Fixed from version 5.13rc1"
},
{
"id": "CVE-2022-20154",
"summary": "In lock_sock_nested of sock.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-174846563References: Upstream kernel",
"scorev2": "4.4",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20154",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc8"
},
{
"id": "CVE-2022-20158",
"summary": "In bdi_put and bdi_unregister of backing-dev.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-182815710References: Upstream kernel",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20158",
"detail": "fixed-version",
"description": "Fixed from version 5.17"
},
{
"id": "CVE-2022-20166",
"summary": "In various methods of kernel base drivers, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-182388481References: Upstream kernel",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20166",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc1"
},
{
"id": "CVE-2022-20368",
"summary": "Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20368",
"detail": "fixed-version",
"description": "Fixed from version 5.17"
},
{
"id": "CVE-2022-20369",
"summary": "In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-223375145References: Upstream kernel",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20369",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-20409",
"summary": "In io_identity_cow of io_uring.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-238177383References: Upstream kernel",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20409",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2022-20421",
"summary": "In binder_inc_ref_for_node of binder.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-239630375References: Upstream kernel",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20421",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc4"
},
{
"id": "CVE-2022-20422",
"summary": "In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-237540956References: Upstream kernel",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20422",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-20423",
"summary": "In rndis_set_response of rndis.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious USB device is attached with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-239842288References: Upstream kernel",
"scorev2": "0.0",
"scorev3": "4.6",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20423",
"detail": "fixed-version",
"description": "Fixed from version 5.17"
},
{
"id": "CVE-2022-20566",
"summary": "In l2cap_chan_put of l2cap_core, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-165329981References: Upstream kernel",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20566",
"detail": "fixed-version",
"description": "Fixed from version 5.19"
},
{
"id": "CVE-2022-20567",
"summary": "In pppol2tp_create of l2tp_ppp.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-186777253References: Upstream kernel",
"scorev2": "0.0",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20567",
"detail": "fixed-version",
"description": "Fixed from version 4.16rc5"
},
{
"id": "CVE-2022-20568",
"summary": "In (TBD) of (TBD), there is a possible way to corrupt kernel memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-220738351References: Upstream kernel",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20568",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2022-20572",
"summary": "In verity_target of dm-verity-target.c, there is a possible way to modify read-only files due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-234475629References: Upstream kernel",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20572",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-2078",
"summary": "A vulnerability was found in the Linux kernel's nft_set_desc_concat_parse() function .This flaw allows an attacker to trigger a buffer overflow via nft_set_desc_concat_parse() , causing a denial of service and possibly to run code.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2078",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-21123",
"summary": "Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-21123",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc3"
},
{
"id": "CVE-2022-21125",
"summary": "Incomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-21125",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc3"
},
{
"id": "CVE-2022-21166",
"summary": "Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-21166",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc3"
},
{
"id": "CVE-2022-21385",
"summary": "A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)",
"scorev2": "0.0",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-21385",
"detail": "fixed-version",
"description": "Fixed from version 4.20"
},
{
"id": "CVE-2022-21499",
"summary": "KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown. An attacker with access to a serial port could trigger the debugger so it is important that the debugger respect the lockdown mode when/if it is triggered. CVSS 3.1 Base Score 6.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-21499",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-2153",
"summary": "A flaw was found in the Linux kernel\u2019s KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2153",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-2196",
"summary": "A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\u00a0L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB\u00a0after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit\u00a02e7eab81425a\n",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2196",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2022-22942",
"summary": "The vmwgfx driver contains a local privilege escalation vulnerability that allows unprivileged users to gain access to files opened by other processes on the system through a dangling 'file' pointer.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22942",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc2"
},
{
"id": "CVE-2022-23036",
"summary": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23036",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc8"
},
{
"id": "CVE-2022-23037",
"summary": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23037",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc8"
},
{
"id": "CVE-2022-23038",
"summary": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23038",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc8"
},
{
"id": "CVE-2022-23039",
"summary": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23039",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc8"
},
{
"id": "CVE-2022-23040",
"summary": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23040",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc8"
},
{
"id": "CVE-2022-23041",
"summary": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23041",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc8"
},
{
"id": "CVE-2022-23042",
"summary": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23042",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc8"
},
{
"id": "CVE-2022-2308",
"summary": "A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2308",
"detail": "fixed-version",
"description": "Fixed from version 6.0"
},
{
"id": "CVE-2022-2318",
"summary": "There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2318",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc5"
},
{
"id": "CVE-2022-23222",
"summary": "kernel/bpf/verifier.c in the Linux kernel through 5.15.14 allows local users to gain privileges because of the availability of pointer arithmetic via certain *_OR_NULL pointer types.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23222",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2022-2327",
"summary": "io_uring use work_flags to determine which identity need to grab from the calling process to make sure it is consistent with the calling process when executing IORING_OP. Some operations are missing some types, which can lead to incorrect reference counts which can then lead to a double free. We recommend upgrading the kernel past commit df3f3bb5059d20ef094d6b2f0256c4bf4127a859",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2327",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2022-2380",
"summary": "The Linux kernel was found vulnerable out of bounds memory access in the drivers/video/fbdev/sm712fb.c:smtcfb_read() function. The vulnerability could result in local attackers being able to crash the kernel.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2380",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-23960",
"summary": "Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.",
"scorev2": "1.9",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23960",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc8"
},
{
"id": "CVE-2022-24122",
"summary": "kernel/ucount.c in the Linux kernel 5.14 through 5.16.4, when unprivileged user namespaces are enabled, allows a use-after-free and privilege escalation because a ucounts object can outlive its namespace.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-24122",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc2"
},
{
"id": "CVE-2022-24448",
"summary": "An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor.",
"scorev2": "1.9",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-24448",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc2"
},
{
"id": "CVE-2022-24958",
"summary": "drivers/usb/gadget/legacy/inode.c in the Linux kernel through 5.16.8 mishandles dev->buf release.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-24958",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2022-24959",
"summary": "An issue was discovered in the Linux kernel before 5.16.5. There is a memory leak in yam_siocdevprivate in drivers/net/hamradio/yam.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-24959",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc2"
},
{
"id": "CVE-2022-2503",
"summary": "Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2503",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-25258",
"summary": "An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25258",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc4"
},
{
"id": "CVE-2022-25265",
"summary": "In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20). This can cause execution of bytes located in supposedly non-executable regions of a file.",
"scorev2": "4.4",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25265"
},
{
"id": "CVE-2022-25375",
"summary": "An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25375",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc4"
},
{
"id": "CVE-2022-25636",
"summary": "net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25636",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc6"
},
{
"id": "CVE-2022-2585",
"summary": "It was discovered that when exec'ing from a non-leader thread, armed POSIX CPU timers would be left on a list but freed, leading to a use-after-free.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2585",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-2586",
"summary": "It was discovered that a nft object or expression could reference a nft set on a different nft table, leading to a use-after-free once that table was deleted.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2586",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-2588",
"summary": "It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2588",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-2590",
"summary": "A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only shared memory mappings. This flaw allows an unprivileged, local user to gain write access to read-only memory mappings, increasing their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2590",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc3"
},
{
"id": "CVE-2022-2602",
"summary": "io_uring UAF, Unix SCM garbage collection",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2602",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-26365",
"summary": "Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26365",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc6"
},
{
"id": "CVE-2022-26373",
"summary": "Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26373",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-2639",
"summary": "An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2639",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc4"
},
{
"id": "CVE-2022-26490",
"summary": "st21nfca_connectivity_event_received in drivers/nfc/st21nfca/se.c in the Linux kernel through 5.16.12 has EVT_TRANSACTION buffer overflows because of untrusted length parameters.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26490",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2022-2663",
"summary": "An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2663",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc5"
},
{
"id": "CVE-2022-26878",
"summary": "drivers/bluetooth/virtio_bt.c in the Linux kernel before 5.16.3 has a memory leak (socket buffers have memory allocated but not freed).",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26878"
},
{
"id": "CVE-2022-26966",
"summary": "An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26966",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc6"
},
{
"id": "CVE-2022-27223",
"summary": "In drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel before 5.16.12, the endpoint index is not validated and might be manipulated by the host for out-of-array access.",
"scorev2": "6.5",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27223",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc6"
},
{
"id": "CVE-2022-27666",
"summary": "A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27666",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc8"
},
{
"id": "CVE-2022-27672",
"summary": "\nWhen SMT is enabled, certain AMD processors may speculatively execute instructions using a target\nfrom the sibling thread after an SMT mode switch potentially resulting in information disclosure.\n\n\n",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27672",
"detail": "fixed-version",
"description": "Fixed from version 6.2"
},
{
"id": "CVE-2022-2785",
"summary": "There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend upgrading past commit 86f44fcec22c",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2785",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-27950",
"summary": "In drivers/hid/hid-elo.c in the Linux kernel before 5.16.11, a memory leak exists for a certain hid_parse error condition.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27950",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc5"
},
{
"id": "CVE-2022-28356",
"summary": "In the Linux kernel before 5.17.1, a refcount leak bug was found in net/llc/af_llc.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-28356",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-28388",
"summary": "usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double free.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-28388",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-28389",
"summary": "mcba_usb_start_xmit in drivers/net/can/usb/mcba_usb.c in the Linux kernel through 5.17.1 has a double free.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-28389",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-28390",
"summary": "ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-28390",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-2873",
"summary": "An out-of-bounds memory access flaw was found in the Linux kernel Intel\u2019s iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2873",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-28796",
"summary": "jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-28796",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-28893",
"summary": "The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-28893",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc2"
},
{
"id": "CVE-2022-2905",
"summary": "An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to gain unauthorized access to data.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2905",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc4"
},
{
"id": "CVE-2022-29156",
"summary": "drivers/infiniband/ulp/rtrs/rtrs-clt.c in the Linux kernel before 5.16.12 has a double free related to rtrs_clt_dev_release.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29156",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc6"
},
{
"id": "CVE-2022-2938",
"summary": "A flaw was found in the Linux kernel's implementation of Pressure Stall Information. While the feature is disabled by default, it could allow an attacker to crash the system or have other memory-corruption side effects.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2938",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc2"
},
{
"id": "CVE-2022-29581",
"summary": "Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29581",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc4"
},
{
"id": "CVE-2022-29582",
"summary": "In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29582",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc2"
},
{
"id": "CVE-2022-2959",
"summary": "A race condition was found in the Linux kernel's watch queue due to a missing lock in pipe_resize_ring(). The specific flaw exists within the handling of pipe buffers. The issue results from the lack of proper locking when performing operations on an object. This flaw allows a local user to crash the system or escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2959",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-2961",
"summary": "A use-after-free flaw was found in the Linux kernel\u2019s PLP Rose functionality in the way a user triggers a race condition by calling bind while simultaneously triggering the rose_bind() function. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2961"
},
{
"id": "CVE-2022-2964",
"summary": "A flaw was found in the Linux kernel\u2019s driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2964",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc4"
},
{
"id": "CVE-2022-2977",
"summary": "A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-free and create a situation where it may be possible to escalate privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2977",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-2978",
"summary": "A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2978",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-29900",
"summary": "Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29900",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc7"
},
{
"id": "CVE-2022-29901",
"summary": "Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.",
"scorev2": "1.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29901",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc7"
},
{
"id": "CVE-2022-2991",
"summary": "A heap-based buffer overflow was found in the Linux kernel's LightNVM subsystem. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. This vulnerability allows a local attacker to escalate privileges and execute arbitrary code in the context of the kernel. The attacker must first obtain the ability to execute high-privileged code on the target system to exploit this vulnerability.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2991",
"detail": "fixed-version",
"description": "Fixed from version 5.15rc1"
},
{
"id": "CVE-2022-29968",
"summary": "An issue was discovered in the Linux kernel through 5.17.5. io_rw_init_file in fs/io_uring.c lacks initialization of kiocb->private.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29968",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc5"
},
{
"id": "CVE-2022-3028",
"summary": "A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3028",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc3"
},
{
"id": "CVE-2022-30594",
"summary": "The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.",
"scorev2": "4.4",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-30594",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-3061",
"summary": "Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver through ioctl() interface. The driver doesn't check the value of 'pixclock', so it may cause a divide by zero error.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3061",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc5"
},
{
"id": "CVE-2022-3077",
"summary": "A buffer overflow vulnerability was found in the Linux kernel Intel\u2019s iSMT SMBus host controller driver in the way it handled the I2C_SMBUS_BLOCK_PROC_CALL case (via the ioctl I2C_SMBUS) with malicious input data. This flaw could allow a local user to crash the system.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3077",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-3078",
"summary": "An issue was discovered in the Linux kernel through 5.16-rc6. There is a lack of check after calling vzalloc() and lack of free after allocation in drivers/media/test-drivers/vidtv/vidtv_s302m.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3078",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-3103",
"summary": "off-by-one in io_uring module.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3103",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc3"
},
{
"id": "CVE-2022-3104",
"summary": "An issue was discovered in the Linux kernel through 5.16-rc6. lkdtm_ARRAY_BOUNDS in drivers/misc/lkdtm/bugs.c lacks check of the return value of kmalloc() and will cause the null pointer dereference.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3104",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-3105",
"summary": "An issue was discovered in the Linux kernel through 5.16-rc6. uapi_finalize in drivers/infiniband/core/uverbs_uapi.c lacks check of kmalloc_array().",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3105",
"detail": "fixed-version",
"description": "Fixed from version 5.16"
},
{
"id": "CVE-2022-3106",
"summary": "An issue was discovered in the Linux kernel through 5.16-rc6. ef100_update_stats in drivers/net/ethernet/sfc/ef100_nic.c lacks check of the return value of kmalloc().",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3106",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc6"
},
{
"id": "CVE-2022-3107",
"summary": "An issue was discovered in the Linux kernel through 5.16-rc6. netvsc_get_ethtool_stats in drivers/net/hyperv/netvsc_drv.c lacks check of the return value of kvmalloc_array() and will cause the null pointer dereference.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3107",
"detail": "fixed-version",
"description": "Fixed from version 5.17"
},
{
"id": "CVE-2022-3108",
"summary": "An issue was discovered in the Linux kernel through 5.16-rc6. kfd_parse_subtype_iolink in drivers/gpu/drm/amd/amdkfd/kfd_crat.c lacks check of the return value of kmemdup().",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3108",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2022-3110",
"summary": "An issue was discovered in the Linux kernel through 5.16-rc6. _rtw_init_xmit_priv in drivers/staging/r8188eu/core/rtw_xmit.c lacks check of the return value of rtw_alloc_hwxmits() and will cause the null pointer dereference.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3110",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-3111",
"summary": "An issue was discovered in the Linux kernel through 5.16-rc6. free_charger_irq() in drivers/power/supply/wm8350_power.c lacks free of WM8350_IRQ_CHG_FAST_RDY, which is registered in wm8350_init_charger().",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3111",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-3112",
"summary": "An issue was discovered in the Linux kernel through 5.16-rc6. amvdec_set_canvases in drivers/staging/media/meson/vdec/vdec_helpers.c lacks check of the return value of kzalloc() and will cause the null pointer dereference.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3112",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-3113",
"summary": "An issue was discovered in the Linux kernel through 5.16-rc6. mtk_vcodec_fw_vpu_init in drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c lacks check of the return value of devm_kzalloc() and will cause the null pointer dereference.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3113",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-3114",
"summary": "An issue was discovered in the Linux kernel through 5.16-rc6. imx_register_uart_clocks in drivers/clk/imx/clk.c lacks check of the return value of kcalloc() and will cause the null pointer dereference.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3114",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-3115",
"summary": "An issue was discovered in the Linux kernel through 5.16-rc6. malidp_crtc_reset in drivers/gpu/drm/arm/malidp_crtc.c lacks check of the return value of kzalloc() and will cause the null pointer dereference.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3115",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-3169",
"summary": "A flaw was found in the Linux kernel. A denial of service flaw may occur if there is a consecutive request of the NVME_IOCTL_RESET and the NVME_IOCTL_SUBSYS_RESET through the device file of the driver, resulting in a PCIe link disconnect.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3169",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-3170",
"summary": "An out-of-bounds access issue was found in the Linux kernel sound subsystem. It could occur when the 'id->name' provided by the user did not end with '\\0'. A privileged local user could pass a specially crafted name through ioctl() interface and crash the system or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3170",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc4"
},
{
"id": "CVE-2022-3176",
"summary": "There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3176",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2022-3202",
"summary": "A NULL pointer dereference flaw in diFree in fs/jfs/inode.c in Journaled File System (JFS)in the Linux kernel. This could allow a local attacker to crash the system or leak kernel internal information.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3202",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-32250",
"summary": "net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32250",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-32296",
"summary": "The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used. This occurs because of use of Algorithm 4 (\"Double-Hash Port Selection Algorithm\") of RFC 6056.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32296",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc6"
},
{
"id": "CVE-2022-3238",
"summary": "A double-free flaw was found in the Linux kernel\u2019s NTFS3 subsystem in how a user triggers remount and umount simultaneously. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3238"
},
{
"id": "CVE-2022-3239",
"summary": "A flaw use after free in the Linux kernel video4linux driver was found in the way user triggers em28xx_usb_probe() for the Empia 28xx based TV cards. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3239",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-32981",
"summary": "An issue was discovered in the Linux kernel through 5.18.3 on powerpc 32-bit platforms. There is a buffer overflow in ptrace PEEKUSER and POKEUSER (aka PEEKUSR and POKEUSR) when accessing floating point registers.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32981",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc2"
},
{
"id": "CVE-2022-3303",
"summary": "A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3303",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc5"
},
{
"id": "CVE-2022-3344",
"summary": "A flaw was found in the KVM's AMD nested virtualization (SVM). A malicious L1 guest could purposely fail to intercept the shutdown of a cooperative nested guest (L2), possibly leading to a page fault and kernel panic in the host (L0).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3344",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc7"
},
{
"id": "CVE-2022-33740",
"summary": "Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33740",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc6"
},
{
"id": "CVE-2022-33741",
"summary": "Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33741",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc6"
},
{
"id": "CVE-2022-33742",
"summary": "Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33742",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc6"
},
{
"id": "CVE-2022-33743",
"summary": "network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33743",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc6"
},
{
"id": "CVE-2022-33744",
"summary": "Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33744",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc6"
},
{
"id": "CVE-2022-33981",
"summary": "drivers/block/floppy.c in the Linux kernel before 5.17.6 is vulnerable to a denial of service, because of a concurrency use-after-free flaw after deallocating raw_cmd in the raw_cmd_ioctl function.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33981",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc5"
},
{
"id": "CVE-2022-3424",
"summary": "A use-after-free flaw was found in the Linux kernel\u2019s SGI GRU driver in the way the first gru_file_unlocked_ioctl function is called by the user, where a fail pass occurs in the gru_check_chiplet_assignment function. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3424",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2022-3435",
"summary": "A vulnerability classified as problematic has been found in Linux Kernel. This affects the function fib_nh_match of the file net/ipv4/fib_semantics.c of the component IPv4 Handler. The manipulation leads to out-of-bounds read. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-210357 was assigned to this vulnerability.",
"scorev2": "0.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3435",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-34494",
"summary": "rpmsg_virtio_add_ctrl_dev in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-34494",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-34495",
"summary": "rpmsg_probe in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-34495",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-34918",
"summary": "An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-34918",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc6"
},
{
"id": "CVE-2022-3521",
"summary": "A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function kcm_tx_work of the file net/kcm/kcmsock.c of the component kcm. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211018 is the identifier assigned to this vulnerability.",
"scorev2": "0.0",
"scorev3": "2.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3521",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-3523",
"summary": "A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is an unknown function of the file mm/memory.c of the component Driver Handler. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211020.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3523",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-3524",
"summary": "A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function ipv6_renew_options of the component IPv6 Handler. The manipulation leads to memory leak. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211021 was assigned to this vulnerability.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3524",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-3526",
"summary": "A vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the function macvlan_handle_frame of the file drivers/net/macvlan.c of the component skb. The manipulation leads to memory leak. The attack can be initiated remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211024.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3526",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc3"
},
{
"id": "CVE-2022-3533",
"summary": "A vulnerability was found in Linux Kernel. It has been rated as problematic. This issue affects the function parse_usdt_arg of the file tools/lib/bpf/usdt.c of the component BPF. The manipulation of the argument reg_name leads to memory leak. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211031.",
"scorev2": "0.0",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3533"
},
{
"id": "CVE-2022-3534",
"summary": "A vulnerability classified as critical has been found in Linux Kernel. Affected is the function btf_dump_name_dups of the file tools/lib/bpf/btf_dump.c of the component libbpf. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211032.",
"scorev2": "0.0",
"scorev3": "8.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3534",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2022-3541",
"summary": "A vulnerability classified as critical has been found in Linux Kernel. This affects the function spl2sw_nvmem_get_mac_address of the file drivers/net/ethernet/sunplus/spl2sw_driver.c of the component BPF. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211041 was assigned to this vulnerability.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3541",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-3543",
"summary": "A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function unix_sock_destructor/unix_release_sock of the file net/unix/af_unix.c of the component BPF. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211043.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3543",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-3544",
"summary": "A vulnerability, which was classified as problematic, was found in Linux Kernel. Affected is the function damon_sysfs_add_target of the file mm/damon/sysfs.c of the component Netfilter. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211044.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3544"
},
{
"id": "CVE-2022-3545",
"summary": "A vulnerability has been found in Linux Kernel and classified as critical. Affected by this vulnerability is the function area_cache_get of the file drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211045 was assigned to this vulnerability.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3545",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-3564",
"summary": "A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3564",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc4"
},
{
"id": "CVE-2022-3565",
"summary": "A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3565",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-3566",
"summary": "A vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. The identifier VDB-211089 was assigned to this vulnerability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3566",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-3567",
"summary": "A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211090 is the identifier assigned to this vulnerability.",
"scorev2": "0.0",
"scorev3": "6.4",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3567",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-3577",
"summary": "An out-of-bounds memory write flaw was found in the Linux kernel\u2019s Kid-friendly Wired Controller driver. This flaw allows a local user to crash or potentially escalate their privileges on the system. It is in bigben_probe of drivers/hid/hid-bigbenff.c. The reason is incorrect assumption - bigben devices all have inputs. However, malicious devices can break this assumption, leaking to out-of-bound write.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3577",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-3586",
"summary": "A flaw was found in the Linux kernel\u2019s networking code. A use-after-free was found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed) into a child qdisc. This flaw allows a local, unprivileged user to crash the system, causing a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3586",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc5"
},
{
"id": "CVE-2022-3594",
"summary": "A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3594",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-3595",
"summary": "A vulnerability was found in Linux Kernel. It has been rated as problematic. Affected by this issue is the function sess_free_buffer of the file fs/cifs/sess.c of the component CIFS Handler. The manipulation leads to double free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211364.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3595",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-3606",
"summary": "A vulnerability was found in Linux Kernel. It has been classified as problematic. This affects the function find_prog_by_sec_insn of the file tools/lib/bpf/libbpf.c of the component BPF. The manipulation leads to null pointer dereference. It is recommended to apply a patch to fix this issue. The identifier VDB-211749 was assigned to this vulnerability.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3606"
},
{
"id": "CVE-2022-36123",
"summary": "The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-36123",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc6"
},
{
"id": "CVE-2022-3619",
"summary": "A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211918 is the identifier assigned to this vulnerability.",
"scorev2": "0.0",
"scorev3": "4.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3619",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc4"
},
{
"id": "CVE-2022-3621",
"summary": "A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_bmap_lookup_at_level of the file fs/nilfs2/inode.c of the component nilfs2. The manipulation leads to null pointer dereference. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211920.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3621",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-3623",
"summary": "A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function follow_page_pte of the file mm/gup.c of the component BPF. The manipulation leads to race condition. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211921 was assigned to this vulnerability.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3623",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-3624",
"summary": "A vulnerability was found in Linux Kernel and classified as problematic. Affected by this issue is the function rlb_arp_xmit of the file drivers/net/bonding/bond_alb.c of the component IPsec. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211928.",
"scorev2": "0.0",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3624",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-3625",
"summary": "A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211929 was assigned to this vulnerability.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3625",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-3628",
"summary": "A buffer overflow flaw was found in the Linux kernel Broadcom Full MAC Wi-Fi driver. This issue occurs when a user connects to a malicious USB device. This can allow a local user to crash the system or escalate their privileges.",
"scorev2": "0.0",
"scorev3": "6.6",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3628",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc5"
},
{
"id": "CVE-2022-36280",
"summary": "An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-36280",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2022-3629",
"summary": "A vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects the function vsock_connect of the file net/vmw_vsock/af_vsock.c. The manipulation leads to memory leak. The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to apply a patch to fix this issue. VDB-211930 is the identifier assigned to this vulnerability.",
"scorev2": "1.4",
"scorev3": "3.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3629",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-3630",
"summary": "A vulnerability was found in Linux Kernel. It has been rated as problematic. This issue affects some unknown processing of the file fs/fscache/cookie.c of the component IPsec. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211931.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3630",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-3633",
"summary": "A vulnerability classified as problematic has been found in Linux Kernel. Affected is the function j1939_session_destroy of the file net/can/j1939/transport.c. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211932.",
"scorev2": "2.7",
"scorev3": "3.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3633",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-3635",
"summary": "A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the identifier assigned to this vulnerability.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3635",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-3636",
"summary": "A vulnerability, which was classified as critical, was found in Linux Kernel. This affects the function __mtk_ppe_check_skb of the file drivers/net/ethernet/mediatek/mtk_ppe.c of the component Ethernet Handler. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211935.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3636",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-3640",
"summary": "A vulnerability, which was classified as critical, was found in Linux Kernel. Affected is the function l2cap_conn_del of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211944.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3640",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc4"
},
{
"id": "CVE-2022-36402",
"summary": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-36402",
"detail": "fixed-version",
"description": "Fixed from version 6.5"
},
{
"id": "CVE-2022-3643",
"summary": "Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3643",
"detail": "fixed-version",
"description": "Fixed from version 6.1"
},
{
"id": "CVE-2022-3646",
"summary": "A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function nilfs_attach_log_writer of the file fs/nilfs2/segment.c of the component BPF. The manipulation leads to memory leak. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211961 was assigned to this vulnerability.",
"scorev2": "0.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3646",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-3649",
"summary": "A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_new_inode of the file fs/nilfs2/inode.c of the component BPF. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211992.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3649",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-36879",
"summary": "An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-36879",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc8"
},
{
"id": "CVE-2022-36946",
"summary": "nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-36946",
"detail": "fixed-version",
"description": "Fixed from version 5.19"
},
{
"id": "CVE-2022-3707",
"summary": "A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3707",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc3"
},
{
"id": "CVE-2022-38096",
"summary": "A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-38096"
},
{
"id": "CVE-2022-38457",
"summary": "A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-38457",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc4"
},
{
"id": "CVE-2022-3903",
"summary": "An incorrect read request flaw was found in the Infrared Transceiver USB driver in the Linux kernel. This issue occurs when a user attaches a malicious USB device. A local user could use this flaw to starve the resources, causing denial of service or potentially crashing the system.",
"scorev2": "0.0",
"scorev3": "4.6",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3903",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc2"
},
{
"id": "CVE-2022-3910",
"summary": "Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation.\nWhen io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation). Fixed files are permanently registered to the ring, and should not be put separately.\n\nWe recommend upgrading past commit https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 \n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3910",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc6"
},
{
"id": "CVE-2022-39188",
"summary": "An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-39188",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc8"
},
{
"id": "CVE-2022-39189",
"summary": "An issue was discovered the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-39189",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc2"
},
{
"id": "CVE-2022-39190",
"summary": "An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. A denial of service can occur upon binding to an already bound chain.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-39190",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc3"
},
{
"id": "CVE-2022-3977",
"summary": "A use-after-free flaw was found in the Linux kernel MCTP (Management Component Transport Protocol) functionality. This issue occurs when a user simultaneously calls DROPTAG ioctl and socket close happens, which could allow a local user to crash the system or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3977",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-39842",
"summary": "An issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur. NOTE: the original discoverer disputes that the overflow can actually happen.",
"scorev2": "0.0",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-39842",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc4"
},
{
"id": "CVE-2022-40133",
"summary": "A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40133",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc4"
},
{
"id": "CVE-2022-40307",
"summary": "An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40307",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc5"
},
{
"id": "CVE-2022-40476",
"summary": "A null pointer dereference issue was discovered in fs/io_uring.c in the Linux kernel before 5.15.62. A local user could use this flaw to crash the system or potentially cause a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40476",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc4"
},
{
"id": "CVE-2022-40768",
"summary": "drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40768",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-4095",
"summary": "A use-after-free flaw was found in Linux kernel before 5.19.2. This issue occurs in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c, allowing an attacker to launch a local denial of service attack and gain escalation of privileges.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4095",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc4"
},
{
"id": "CVE-2022-40982",
"summary": "Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40982",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc6"
},
{
"id": "CVE-2022-41218",
"summary": "In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41218",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2022-41222",
"summary": "mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is not held during a PUD move.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41222",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc1"
},
{
"id": "CVE-2022-4127",
"summary": "A NULL pointer dereference issue was discovered in the Linux kernel in io_files_update_with_index_alloc. A local user could use this flaw to potentially crash the system causing a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4127",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc6"
},
{
"id": "CVE-2022-4128",
"summary": "A NULL pointer dereference issue was discovered in the Linux kernel in the MPTCP protocol when traversing the subflow list at disconnect time. A local user could use this flaw to potentially crash the system causing a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4128",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc7"
},
{
"id": "CVE-2022-4129",
"summary": "A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4129",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc6"
},
{
"id": "CVE-2022-4139",
"summary": "An incorrect TLB flush issue was found in the Linux kernel\u2019s GPU i915 kernel driver, potentially leading to random memory corruption or data leaks. This flaw could allow a local user to crash the system or escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4139",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc8"
},
{
"id": "CVE-2022-41674",
"summary": "An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41674",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-41848",
"summary": "drivers/char/pcmcia/synclink_cs.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling ioctl, aka a race condition between mgslpc_ioctl and mgslpc_detach.",
"scorev2": "0.0",
"scorev3": "4.2",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41848"
},
{
"id": "CVE-2022-41849",
"summary": "drivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a USB device while calling open(), aka a race condition between ufx_ops_open and ufx_usb_disconnect.",
"scorev2": "0.0",
"scorev3": "4.2",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41849",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-41850",
"summary": "roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free in certain situations where a report is received while copying a report->value is in progress.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41850",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-41858",
"summary": "A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. This issue could allow an attacker to crash the system or leak internal kernel information.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41858",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc2"
},
{
"id": "CVE-2022-42328",
"summary": "Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42328",
"detail": "fixed-version",
"description": "Fixed from version 6.1"
},
{
"id": "CVE-2022-42329",
"summary": "Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42329",
"detail": "fixed-version",
"description": "Fixed from version 6.1"
},
{
"id": "CVE-2022-42432",
"summary": "This vulnerability allows local attackers to disclose sensitive information on affected installations of the Linux Kernel 6.0-rc2. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the nft_osf_eval function. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel. Was ZDI-CAN-18540.",
"scorev2": "0.0",
"scorev3": "5.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42432",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc7"
},
{
"id": "CVE-2022-4269",
"summary": "A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action \"mirred\") a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4269",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2022-42703",
"summary": "mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42703",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc4"
},
{
"id": "CVE-2022-42719",
"summary": "A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42719",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-42720",
"summary": "Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions to potentially execute code.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42720",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-42721",
"summary": "A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42721",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-42722",
"summary": "In the Linux kernel 5.8 through 5.19.x before 5.19.16, local attackers able to inject WLAN frames into the mac80211 stack could cause a NULL pointer dereference denial-of-service attack against the beacon protection of P2P devices.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42722",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-42895",
"summary": "There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_parse_conf_req function which can be used to leak kernel pointers remotely.\nWe recommend upgrading past commit\u00a0 https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e https://www.google.com/url \n\n",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42895",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc4"
},
{
"id": "CVE-2022-42896",
"summary": "There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth.\u00a0A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim.\n\nWe recommend upgrading past commit\u00a0 https://www.google.com/url https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4 https://www.google.com/url \n\n",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42896",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc4"
},
{
"id": "CVE-2022-43750",
"summary": "drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor's internal memory.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43750",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-4378",
"summary": "A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4378",
"detail": "fixed-version",
"description": "Fixed from version 6.1"
},
{
"id": "CVE-2022-4379",
"summary": "A use-after-free vulnerability was found in __nfs42_ssc_open() in fs/nfs/nfs4file.c in the Linux kernel. This flaw allows an attacker to conduct a remote denial",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4379",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2022-4382",
"summary": "A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It could be triggered by yanking out a device that is running the gadgetfs side.",
"scorev2": "0.0",
"scorev3": "6.4",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4382",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc5"
},
{
"id": "CVE-2022-43945",
"summary": "The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 are vulnerable to buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data added at the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed forward to handlers. Vulnerable code in NFSD is not expecting the oversized request and writes beyond the allocated buffer space. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43945",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2022-44032",
"summary": "An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4000_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach().",
"scorev2": "0.0",
"scorev3": "6.4",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-44032",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2022-44033",
"summary": "An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().",
"scorev2": "0.0",
"scorev3": "6.4",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-44033",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2022-44034",
"summary": "An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove().",
"scorev2": "0.0",
"scorev3": "6.4",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-44034",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2022-4543",
"summary": "A flaw named \"EntryBleed\" was found in the Linux Kernel Page Table Isolation (KPTI). This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4543"
},
{
"id": "CVE-2022-45869",
"summary": "A race condition in the x86 KVM subsystem in the Linux kernel through 6.1-rc6 allows guest OS users to cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the TDP MMU are enabled.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45869",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc7"
},
{
"id": "CVE-2022-45884",
"summary": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45884"
},
{
"id": "CVE-2022-45885",
"summary": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_frontend.c has a race condition that can cause a use-after-free when a device is disconnected.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45885"
},
{
"id": "CVE-2022-45886",
"summary": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45886",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc3"
},
{
"id": "CVE-2022-45887",
"summary": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45887",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc3"
},
{
"id": "CVE-2022-45888",
"summary": "An issue was discovered in the Linux kernel through 6.0.9. drivers/char/xillybus/xillyusb.c has a race condition and use-after-free during physical removal of a USB device.",
"scorev2": "0.0",
"scorev3": "6.4",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45888",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2022-45919",
"summary": "An issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur is there is a disconnect after an open, because of the lack of a wait_event.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45919",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc3"
},
{
"id": "CVE-2022-45934",
"summary": "An issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45934",
"detail": "fixed-version",
"description": "Fixed from version 6.1"
},
{
"id": "CVE-2022-4662",
"summary": "A flaw incorrect access control in the Linux kernel USB core subsystem was found in the way user attaches usb device. A local user could use this flaw to crash the system.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4662",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc4"
},
{
"id": "CVE-2022-4696",
"summary": "There exists a use-after-free vulnerability in the Linux kernel through io_uring and the\u00a0IORING_OP_SPLICE operation. If\u00a0IORING_OP_SPLICE is\u00a0missing the IO_WQ_WORK_FILES flag, which signals that the operation won't use current->nsproxy, so its reference counter is not increased. This assumption is not always true as calling io_splice on specific files will call the get_uts function which will use current->nsproxy leading to invalidly decreasing its reference counter later causing the use-after-free vulnerability. We recommend upgrading to version 5.10.160 or above\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4696",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2022-4744",
"summary": "A double-free flaw was found in the Linux kernel\u2019s TUN/TAP device driver functionality in how a user registers the device when the register_netdevice function fails (NETDEV_REGISTER notifier). This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4744",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc7"
},
{
"id": "CVE-2022-47518",
"summary": "An issue was discovered in the Linux kernel before 6.0.11. Missing validation of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47518",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc8"
},
{
"id": "CVE-2022-47519",
"summary": "An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_OPER_CHANNEL in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger an out-of-bounds write when parsing the channel list attribute from Wi-Fi management frames.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47519",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc8"
},
{
"id": "CVE-2022-47520",
"summary": "An issue was discovered in the Linux kernel before 6.0.11. Missing offset validation in drivers/net/wireless/microchip/wilc1000/hif.c in the WILC1000 wireless driver can trigger an out-of-bounds read when parsing a Robust Security Network (RSN) information element from a Netlink packet.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47520",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc8"
},
{
"id": "CVE-2022-47521",
"summary": "An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_CHANNEL_LIST in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when parsing the operating channel attribute from Wi-Fi management frames.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47521",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc8"
},
{
"id": "CVE-2022-47929",
"summary": "In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with \"tc qdisc\" and \"tc class\" commands. This affects qdisc_graft in net/sched/sch_api.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47929",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc4"
},
{
"id": "CVE-2022-47938",
"summary": "An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2misc.c has an out-of-bounds read and OOPS for SMB2_TREE_CONNECT.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47938",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-47939",
"summary": "An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47939",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-47940",
"summary": "An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.18 before 5.18.18. fs/ksmbd/smb2pdu.c lacks length validation in the non-padding case in smb2_write.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47940",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2022-47941",
"summary": "An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c omits a kfree call in certain smb2_handle_negotiate error conditions, aka a memory leak.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47941",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-47942",
"summary": "An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is a heap-based buffer overflow in set_ntacl_dacl, related to use of SMB2_QUERY_INFO_HE after a malformed SMB2_SET_INFO_HE command.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47942",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-47943",
"summary": "An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is an out-of-bounds read and OOPS for SMB2_WRITE, when there is a large length in the zero DataOffset case.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47943",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2022-47946",
"summary": "An issue was discovered in the Linux kernel 5.10.x before 5.10.155. A use-after-free in io_sqpoll_wait_sq in fs/io_uring.c allows an attacker to crash the kernel, resulting in denial of service. finish_wait can be skipped. An attack can occur in some situations by forking a process and then quickly terminating it. NOTE: later kernel versions, such as the 5.15 longterm series, substantially changed the implementation of io_sqpoll_wait_sq.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47946",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc2"
},
{
"id": "CVE-2022-4842",
"summary": "A flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A local user could use this flaw to crash the system.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4842",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2022-48423",
"summary": "In the Linux kernel before 6.1.3, fs/ntfs3/record.c does not validate resident attribute names. An out-of-bounds write may occur.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48423",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2022-48424",
"summary": "In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48424",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2022-48425",
"summary": "In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48425",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2022-48502",
"summary": "An issue was discovered in the Linux kernel before 6.2. The ntfs3 subsystem does not properly check for correctness during disk reads, leading to an out-of-bounds read in ntfs_set_ea in fs/ntfs3/xattr.c.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48502",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2022-48619",
"summary": "An issue was discovered in drivers/input/input.c in the Linux kernel before 5.17.10. An attacker can cause a denial of service (panic) because input_set_capability mishandles the situation in which an event code falls outside of a bitmap.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48619",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2022-48626",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmoxart: fix potential use-after-free on remove path\n\nIt was reported that the mmc host structure could be accessed after it\nwas freed in moxart_remove(), so fix this by saving the base register of\nthe device and using it instead of the pointer dereference.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48626"
},
{
"id": "CVE-2022-48654",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()\n\nnf_osf_find() incorrectly returns true on mismatch, this leads to\ncopying uninitialized memory area in nft_osf which can be used to leak\nstale kernel stack data to userspace.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48654"
},
{
"id": "CVE-2022-48655",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Harden accesses to the reset domains\n\nAccessing reset domains descriptors by the index upon the SCMI drivers\nrequests through the SCMI reset operations interface can potentially\nlead to out-of-bound violations if the SCMI driver misbehave.\n\nAdd an internal consistency check before any such domains descriptors\naccesses.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48655"
},
{
"id": "CVE-2022-48656",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: k3-udma-private: Fix refcount leak bug in of_xudma_dev_get()\n\nWe should call of_node_put() for the reference returned by\nof_parse_phandle() in fail path or when it is not used anymore.\nHere we only need to move the of_node_put() before the check.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48656"
},
{
"id": "CVE-2022-48657",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: topology: fix possible overflow in amu_fie_setup()\n\ncpufreq_get_hw_max_freq() returns max frequency in kHz as *unsigned int*,\nwhile freq_inv_set_max_ratio() gets passed this frequency in Hz as 'u64'.\nMultiplying max frequency by 1000 can potentially result in overflow --\nmultiplying by 1000ULL instead should avoid that...\n\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48657"
},
{
"id": "CVE-2022-48658",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: slub: fix flush_cpu_slab()/__free_slab() invocations in task context.\n\nCommit 5a836bf6b09f (\"mm: slub: move flush_cpu_slab() invocations\n__free_slab() invocations out of IRQ context\") moved all flush_cpu_slab()\ninvocations to the global workqueue to avoid a problem related\nwith deactivate_slab()/__free_slab() being called from an IRQ context\non PREEMPT_RT kernels.\n\nWhen the flush_all_cpu_locked() function is called from a task context\nit may happen that a workqueue with WQ_MEM_RECLAIM bit set ends up\nflushing the global workqueue, this will cause a dependency issue.\n\n workqueue: WQ_MEM_RECLAIM nvme-delete-wq:nvme_delete_ctrl_work [nvme_core]\n is flushing !WQ_MEM_RECLAIM events:flush_cpu_slab\n WARNING: CPU: 37 PID: 410 at kernel/workqueue.c:2637\n check_flush_dependency+0x10a/0x120\n Workqueue: nvme-delete-wq nvme_delete_ctrl_work [nvme_core]\n RIP: 0010:check_flush_dependency+0x10a/0x120[ 453.262125] Call Trace:\n __flush_work.isra.0+0xbf/0x220\n ? __queue_work+0x1dc/0x420\n flush_all_cpus_locked+0xfb/0x120\n __kmem_cache_shutdown+0x2b/0x320\n kmem_cache_destroy+0x49/0x100\n bioset_exit+0x143/0x190\n blk_release_queue+0xb9/0x100\n kobject_cleanup+0x37/0x130\n nvme_fc_ctrl_free+0xc6/0x150 [nvme_fc]\n nvme_free_ctrl+0x1ac/0x2b0 [nvme_core]\n\nFix this bug by creating a workqueue for the flush operation with\nthe WQ_MEM_RECLAIM bit set.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48658"
},
{
"id": "CVE-2022-48659",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: fix to return errno if kmalloc() fails\n\nIn create_unique_id(), kmalloc(, GFP_KERNEL) can fail due to\nout-of-memory, if it fails, return errno correctly rather than\ntriggering panic via BUG_ON();\n\nkernel BUG at mm/slub.c:5893!\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\n\nCall trace:\n sysfs_slab_add+0x258/0x260 mm/slub.c:5973\n __kmem_cache_create+0x60/0x118 mm/slub.c:4899\n create_cache mm/slab_common.c:229 [inline]\n kmem_cache_create_usercopy+0x19c/0x31c mm/slab_common.c:335\n kmem_cache_create+0x1c/0x28 mm/slab_common.c:390\n f2fs_kmem_cache_create fs/f2fs/f2fs.h:2766 [inline]\n f2fs_init_xattr_caches+0x78/0xb4 fs/f2fs/xattr.c:808\n f2fs_fill_super+0x1050/0x1e0c fs/f2fs/super.c:4149\n mount_bdev+0x1b8/0x210 fs/super.c:1400\n f2fs_mount+0x44/0x58 fs/f2fs/super.c:4512\n legacy_get_tree+0x30/0x74 fs/fs_context.c:610\n vfs_get_tree+0x40/0x140 fs/super.c:1530\n do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040\n path_mount+0x358/0x914 fs/namespace.c:3370\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]\n __se_sys_mount fs/namespace.c:3568 [inline]\n __arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48659"
},
{
"id": "CVE-2022-48660",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: Set lineevent_state::irq after IRQ register successfully\n\nWhen running gpio test on nxp-ls1028 platform with below command\ngpiomon --num-events=3 --rising-edge gpiochip1 25\nThere will be a warning trace as below:\nCall trace:\nfree_irq+0x204/0x360\nlineevent_free+0x64/0x70\ngpio_ioctl+0x598/0x6a0\n__arm64_sys_ioctl+0xb4/0x100\ninvoke_syscall+0x5c/0x130\n......\nel0t_64_sync+0x1a0/0x1a4\nThe reason of this issue is that calling request_threaded_irq()\nfunction failed, and then lineevent_free() is invoked to release\nthe resource. Since the lineevent_state::irq was already set, so\nthe subsequent invocation of free_irq() would trigger the above\nwarning call trace. To fix this issue, set the lineevent_state::irq\nafter the IRQ register successfully.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48660"
},
{
"id": "CVE-2022-48661",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: mockup: Fix potential resource leakage when register a chip\n\nIf creation of software node fails, the locally allocated string\narray is left unfreed. Free it on error path.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48661"
},
{
"id": "CVE-2022-48662",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: Really move i915_gem_context.link under ref protection\n\ni915_perf assumes that it can use the i915_gem_context reference to\nprotect its i915->gem.contexts.list iteration. However, this requires\nthat we do not remove the context from the list until after we drop the\nfinal reference and release the struct. If, as currently, we remove the\ncontext from the list during context_close(), the link.next pointer may\nbe poisoned while we are holding the context reference and cause a GPF:\n\n[ 4070.573157] i915 0000:00:02.0: [drm:i915_perf_open_ioctl [i915]] filtering on ctx_id=0x1fffff ctx_id_mask=0x1fffff\n[ 4070.574881] general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP\n[ 4070.574897] CPU: 1 PID: 284392 Comm: amd_performance Tainted: G E 5.17.9 #180\n[ 4070.574903] Hardware name: Intel Corporation NUC7i5BNK/NUC7i5BNB, BIOS BNKBL357.86A.0052.2017.0918.1346 09/18/2017\n[ 4070.574907] RIP: 0010:oa_configure_all_contexts.isra.0+0x222/0x350 [i915]\n[ 4070.574982] Code: 08 e8 32 6e 10 e1 4d 8b 6d 50 b8 ff ff ff ff 49 83 ed 50 f0 41 0f c1 04 24 83 f8 01 0f 84 e3 00 00 00 85 c0 0f 8e fa 00 00 00 <49> 8b 45 50 48 8d 70 b0 49 8d 45 50 48 39 44 24 10 0f 85 34 fe ff\n[ 4070.574990] RSP: 0018:ffffc90002077b78 EFLAGS: 00010202\n[ 4070.574995] RAX: 0000000000000002 RBX: 0000000000000002 RCX: 0000000000000000\n[ 4070.575000] RDX: 0000000000000001 RSI: ffffc90002077b20 RDI: ffff88810ddc7c68\n[ 4070.575004] RBP: 0000000000000001 R08: ffff888103242648 R09: fffffffffffffffc\n[ 4070.575008] R10: ffffffff82c50bc0 R11: 0000000000025c80 R12: ffff888101bf1860\n[ 4070.575012] R13: dead0000000000b0 R14: ffffc90002077c04 R15: ffff88810be5cabc\n[ 4070.575016] FS: 00007f1ed50c0780(0000) GS:ffff88885ec80000(0000) knlGS:0000000000000000\n[ 4070.575021] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4070.575025] CR2: 00007f1ed5590280 CR3: 000000010ef6f005 CR4: 00000000003706e0\n[ 4070.575029] Call Trace:\n[ 4070.575033] \n[ 4070.575037] lrc_configure_all_contexts+0x13e/0x150 [i915]\n[ 4070.575103] gen8_enable_metric_set+0x4d/0x90 [i915]\n[ 4070.575164] i915_perf_open_ioctl+0xbc0/0x1500 [i915]\n[ 4070.575224] ? asm_common_interrupt+0x1e/0x40\n[ 4070.575232] ? i915_oa_init_reg_state+0x110/0x110 [i915]\n[ 4070.575290] drm_ioctl_kernel+0x85/0x110\n[ 4070.575296] ? update_load_avg+0x5f/0x5e0\n[ 4070.575302] drm_ioctl+0x1d3/0x370\n[ 4070.575307] ? i915_oa_init_reg_state+0x110/0x110 [i915]\n[ 4070.575382] ? gen8_gt_irq_handler+0x46/0x130 [i915]\n[ 4070.575445] __x64_sys_ioctl+0x3c4/0x8d0\n[ 4070.575451] ? __do_softirq+0xaa/0x1d2\n[ 4070.575456] do_syscall_64+0x35/0x80\n[ 4070.575461] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 4070.575467] RIP: 0033:0x7f1ed5c10397\n[ 4070.575471] Code: 3c 1c e8 1c ff ff ff 85 c0 79 87 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a9 da 0d 00 f7 d8 64 89 01 48\n[ 4070.575478] RSP: 002b:00007ffd65c8d7a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n[ 4070.575484] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f1ed5c10397\n[ 4070.575488] RDX: 00007ffd65c8d7c0 RSI: 0000000040106476 RDI: 0000000000000006\n[ 4070.575492] RBP: 00005620972f9c60 R08: 000000000000000a R09: 0000000000000005\n[ 4070.575496] R10: 000000000000000d R11: 0000000000000246 R12: 000000000000000a\n[ 4070.575500] R13: 000000000000000d R14: 0000000000000000 R15: 00007ffd65c8d7c0\n[ 4070.575505] \n[ 4070.575507] Modules linked in: nls_ascii(E) nls_cp437(E) vfat(E) fat(E) i915(E) x86_pkg_temp_thermal(E) intel_powerclamp(E) crct10dif_pclmul(E) crc32_pclmul(E) crc32c_intel(E) aesni_intel(E) crypto_simd(E) intel_gtt(E) cryptd(E) ttm(E) rapl(E) intel_cstate(E) drm_kms_helper(E) cfbfillrect(E) syscopyarea(E) cfbimgblt(E) intel_uncore(E) sysfillrect(E) mei_me(E) sysimgblt(E) i2c_i801(E) fb_sys_fops(E) mei(E) intel_pch_thermal(E) i2c_smbus\n---truncated---",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48662"
},
{
"id": "CVE-2022-48670",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npeci: cpu: Fix use-after-free in adev_release()\n\nWhen auxiliary_device_add() returns an error, auxiliary_device_uninit()\nis called, which causes refcount for device to be decremented and\n.release callback will be triggered.\n\nBecause adev_release() re-calls auxiliary_device_uninit(), it will cause\nuse-after-free:\n[ 1269.455172] WARNING: CPU: 0 PID: 14267 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15\n[ 1269.464007] refcount_t: underflow; use-after-free.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48670"
},
{
"id": "CVE-2022-48671",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: Add missing cpus_read_lock() to cgroup_attach_task_all()\n\nsyzbot is hitting percpu_rwsem_assert_held(&cpu_hotplug_lock) warning at\ncpuset_attach() [1], for commit 4f7e7236435ca0ab (\"cgroup: Fix\nthreadgroup_rwsem <-> cpus_read_lock() deadlock\") missed that\ncpuset_attach() is also called from cgroup_attach_task_all().\nAdd cpus_read_lock() like what cgroup_procs_write_start() does.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48671"
},
{
"id": "CVE-2022-48672",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: fdt: fix off-by-one error in unflatten_dt_nodes()\n\nCommit 78c44d910d3e (\"drivers/of: Fix depth when unflattening devicetree\")\nforgot to fix up the depth check in the loop body in unflatten_dt_nodes()\nwhich makes it possible to overflow the nps[] buffer...\n\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48672"
},
{
"id": "CVE-2022-48673",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Fix possible access to freed memory in link clear\n\nAfter modifying the QP to the Error state, all RX WR would be completed\nwith WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not\nwait for it is done, but destroy the QP and free the link group directly.\nSo there is a risk that accessing the freed memory in tasklet context.\n\nHere is a crash example:\n\n BUG: unable to handle page fault for address: ffffffff8f220860\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060\n Oops: 0002 [#1] SMP PTI\n CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S OE 5.10.0-0607+ #23\n Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018\n RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0\n Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32\n RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086\n RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000\n RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00\n RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b\n R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010\n R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040\n FS: 0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \n _raw_spin_lock_irqsave+0x30/0x40\n mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]\n smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]\n tasklet_action_common.isra.21+0x66/0x100\n __do_softirq+0xd5/0x29c\n asm_call_irq_on_stack+0x12/0x20\n \n do_softirq_own_stack+0x37/0x40\n irq_exit_rcu+0x9d/0xa0\n sysvec_call_function_single+0x34/0x80\n asm_sysvec_call_function_single+0x12/0x20",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48673"
},
{
"id": "CVE-2022-48674",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix pcluster use-after-free on UP platforms\n\nDuring stress testing with CONFIG_SMP disabled, KASAN reports as below:\n\n==================================================================\nBUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30\nRead of size 8 at addr ffff8881094223f8 by task stress/7789\n\nCPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3\nHardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\nCall Trace:\n \n..\n __mutex_lock+0xe5/0xc30\n..\n z_erofs_do_read_page+0x8ce/0x1560\n..\n z_erofs_readahead+0x31c/0x580\n..\nFreed by task 7787\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x20/0x30\n kasan_set_free_info+0x20/0x40\n __kasan_slab_free+0x10c/0x190\n kmem_cache_free+0xed/0x380\n rcu_core+0x3d5/0xc90\n __do_softirq+0x12d/0x389\n\nLast potentially related work creation:\n kasan_save_stack+0x1e/0x40\n __kasan_record_aux_stack+0x97/0xb0\n call_rcu+0x3d/0x3f0\n erofs_shrink_workstation+0x11f/0x210\n erofs_shrink_scan+0xdc/0x170\n shrink_slab.constprop.0+0x296/0x530\n drop_slab+0x1c/0x70\n drop_caches_sysctl_handler+0x70/0x80\n proc_sys_call_handler+0x20a/0x2f0\n vfs_write+0x555/0x6c0\n ksys_write+0xbe/0x160\n do_syscall_64+0x3b/0x90\n\nThe root cause is that erofs_workgroup_unfreeze() doesn't reset to\norig_val thus it causes a race that the pcluster reuses unexpectedly\nbefore freeing.\n\nSince UP platforms are quite rare now, such path becomes unnecessary.\nLet's drop such specific-designed path directly instead.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48674"
},
{
"id": "CVE-2022-48675",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/core: Fix a nested dead lock as part of ODP flow\n\nFix a nested dead lock as part of ODP flow by using mmput_async().\n\nFrom the below call trace [1] can see that calling mmput() once we have\nthe umem_odp->umem_mutex locked as required by\nib_umem_odp_map_dma_and_lock() might trigger in the same task the\nexit_mmap()->__mmu_notifier_release()->mlx5_ib_invalidate_range() which\nmay dead lock when trying to lock the same mutex.\n\nMoving to use mmput_async() will solve the problem as the above\nexit_mmap() flow will be called in other task and will be executed once\nthe lock will be available.\n\n[1]\n[64843.077665] task:kworker/u133:2 state:D stack: 0 pid:80906 ppid:\n2 flags:0x00004000\n[64843.077672] Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib]\n[64843.077719] Call Trace:\n[64843.077722] \n[64843.077724] __schedule+0x23d/0x590\n[64843.077729] schedule+0x4e/0xb0\n[64843.077735] schedule_preempt_disabled+0xe/0x10\n[64843.077740] __mutex_lock.constprop.0+0x263/0x490\n[64843.077747] __mutex_lock_slowpath+0x13/0x20\n[64843.077752] mutex_lock+0x34/0x40\n[64843.077758] mlx5_ib_invalidate_range+0x48/0x270 [mlx5_ib]\n[64843.077808] __mmu_notifier_release+0x1a4/0x200\n[64843.077816] exit_mmap+0x1bc/0x200\n[64843.077822] ? walk_page_range+0x9c/0x120\n[64843.077828] ? __cond_resched+0x1a/0x50\n[64843.077833] ? mutex_lock+0x13/0x40\n[64843.077839] ? uprobe_clear_state+0xac/0x120\n[64843.077860] mmput+0x5f/0x140\n[64843.077867] ib_umem_odp_map_dma_and_lock+0x21b/0x580 [ib_core]\n[64843.077931] pagefault_real_mr+0x9a/0x140 [mlx5_ib]\n[64843.077962] pagefault_mr+0xb4/0x550 [mlx5_ib]\n[64843.077992] pagefault_single_data_segment.constprop.0+0x2ac/0x560\n[mlx5_ib]\n[64843.078022] mlx5_ib_eqe_pf_action+0x528/0x780 [mlx5_ib]\n[64843.078051] process_one_work+0x22b/0x3d0\n[64843.078059] worker_thread+0x53/0x410\n[64843.078065] ? process_one_work+0x3d0/0x3d0\n[64843.078073] kthread+0x12a/0x150\n[64843.078079] ? set_kthread_struct+0x50/0x50\n[64843.078085] ret_from_fork+0x22/0x30\n[64843.078093] ",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48675"
},
{
"id": "CVE-2022-48686",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix UAF when detecting digest errors\n\nWe should also bail from the io_work loop when we set rd_enabled to true,\nso we don't attempt to read data from the socket when the TCP stream is\nalready out-of-sync or corrupted.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48686"
},
{
"id": "CVE-2022-48687",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix out-of-bounds read when setting HMAC data.\n\nThe SRv6 layer allows defining HMAC data that can later be used to sign IPv6\nSegment Routing Headers. This configuration is realised via netlink through\nfour attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and\nSEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual\nlength of the SECRET attribute, it is possible to provide invalid combinations\n(e.g., secret = \"\", secretlen = 64). This case is not checked in the code and\nwith an appropriately crafted netlink message, an out-of-bounds read of up\nto 64 bytes (max secret length) can occur past the skb end pointer and into\nskb_shared_info:\n\nBreakpoint 1, seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208\n208\t\tmemcpy(hinfo->secret, secret, slen);\n(gdb) bt\n #0 seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208\n #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,\n extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 , family=,\n family=) at net/netlink/genetlink.c:731\n #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,\n family=0xffffffff82fef6c0 ) at net/netlink/genetlink.c:775\n #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792\n #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 )\n at net/netlink/af_netlink.c:2501\n #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803\n #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)\n at net/netlink/af_netlink.c:1319\n #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=)\n at net/netlink/af_netlink.c:1345\n #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=, msg=0xffffc90000ba7e48, len=) at net/netlink/af_netlink.c:1921\n...\n(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end\n$1 = 0xffff88800b1b76c0\n(gdb) p/x secret\n$2 = 0xffff88800b1b76c0\n(gdb) p slen\n$3 = 64 '@'\n\nThe OOB data can then be read back from userspace by dumping HMAC state. This\ncommit fixes this by ensuring SECRETLEN cannot exceed the actual length of\nSECRET.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48687"
},
{
"id": "CVE-2022-48688",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix kernel crash during module removal\n\nThe driver incorrectly frees client instance and subsequent\ni40e module removal leads to kernel crash.\n\nReproducer:\n1. Do ethtool offline test followed immediately by another one\nhost# ethtool -t eth0 offline; ethtool -t eth0 offline\n2. Remove recursively irdma module that also removes i40e module\nhost# modprobe -r irdma\n\nResult:\n[ 8675.035651] i40e 0000:3d:00.0 eno1: offline testing starting\n[ 8675.193774] i40e 0000:3d:00.0 eno1: testing finished\n[ 8675.201316] i40e 0000:3d:00.0 eno1: offline testing starting\n[ 8675.358921] i40e 0000:3d:00.0 eno1: testing finished\n[ 8675.496921] i40e 0000:3d:00.0: IRDMA hardware initialization FAILED init_state=2 status=-110\n[ 8686.188955] i40e 0000:3d:00.1: i40e_ptp_stop: removed PHC on eno2\n[ 8686.943890] i40e 0000:3d:00.1: Deleted LAN device PF1 bus=0x3d dev=0x00 func=0x01\n[ 8686.952669] i40e 0000:3d:00.0: i40e_ptp_stop: removed PHC on eno1\n[ 8687.761787] BUG: kernel NULL pointer dereference, address: 0000000000000030\n[ 8687.768755] #PF: supervisor read access in kernel mode\n[ 8687.773895] #PF: error_code(0x0000) - not-present page\n[ 8687.779034] PGD 0 P4D 0\n[ 8687.781575] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 8687.785935] CPU: 51 PID: 172891 Comm: rmmod Kdump: loaded Tainted: G W I 5.19.0+ #2\n[ 8687.794800] Hardware name: Intel Corporation S2600WFD/S2600WFD, BIOS SE5C620.86B.0X.02.0001.051420190324 05/14/2019\n[ 8687.805222] RIP: 0010:i40e_lan_del_device+0x13/0xb0 [i40e]\n[ 8687.810719] Code: d4 84 c0 0f 84 b8 25 01 00 e9 9c 25 01 00 41 bc f4 ff ff ff eb 91 90 0f 1f 44 00 00 41 54 55 53 48 8b 87 58 08 00 00 48 89 fb <48> 8b 68 30 48 89 ef e8 21 8a 0f d5 48 89 ef e8 a9 78 0f d5 48 8b\n[ 8687.829462] RSP: 0018:ffffa604072efce0 EFLAGS: 00010202\n[ 8687.834689] RAX: 0000000000000000 RBX: ffff8f43833b2000 RCX: 0000000000000000\n[ 8687.841821] RDX: 0000000000000000 RSI: ffff8f4b0545b298 RDI: ffff8f43833b2000\n[ 8687.848955] RBP: ffff8f43833b2000 R08: 0000000000000001 R09: 0000000000000000\n[ 8687.856086] R10: 0000000000000000 R11: 000ffffffffff000 R12: ffff8f43833b2ef0\n[ 8687.863218] R13: ffff8f43833b2ef0 R14: ffff915103966000 R15: ffff8f43833b2008\n[ 8687.870342] FS: 00007f79501c3740(0000) GS:ffff8f4adffc0000(0000) knlGS:0000000000000000\n[ 8687.878427] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 8687.884174] CR2: 0000000000000030 CR3: 000000014276e004 CR4: 00000000007706e0\n[ 8687.891306] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 8687.898441] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 8687.905572] PKRU: 55555554\n[ 8687.908286] Call Trace:\n[ 8687.910737] \n[ 8687.912843] i40e_remove+0x2c0/0x330 [i40e]\n[ 8687.917040] pci_device_remove+0x33/0xa0\n[ 8687.920962] device_release_driver_internal+0x1aa/0x230\n[ 8687.926188] driver_detach+0x44/0x90\n[ 8687.929770] bus_remove_driver+0x55/0xe0\n[ 8687.933693] pci_unregister_driver+0x2a/0xb0\n[ 8687.937967] i40e_exit_module+0xc/0xf48 [i40e]\n\nTwo offline tests cause IRDMA driver failure (ETIMEDOUT) and this\nfailure is indicated back to i40e_client_subtask() that calls\ni40e_client_del_instance() to free client instance referenced\nby pf->cinst and sets this pointer to NULL. During the module\nremoval i40e_remove() calls i40e_lan_del_device() that dereferences\npf->cinst that is NULL -> crash.\nDo not remove client instance when client open callbacks fails and\njust clear __I40E_CLIENT_INSTANCE_OPENED bit. The driver also needs\nto take care about this situation (when netdev is up and client\nis NOT opened) in i40e_notify_client_of_netdev_close() and\ncalls client close callback only when __I40E_CLIENT_INSTANCE_OPENED\nis set.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48688"
},
{
"id": "CVE-2022-48689",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: TX zerocopy should not sense pfmemalloc status\n\nWe got a recent syzbot report [1] showing a possible misuse\nof pfmemalloc page status in TCP zerocopy paths.\n\nIndeed, for pages coming from user space or other layers,\nusing page_is_pfmemalloc() is moot, and possibly could give\nfalse positives.\n\nThere has been attempts to make page_is_pfmemalloc() more robust,\nbut not using it in the first place in this context is probably better,\nremoving cpu cycles.\n\nNote to stable teams :\n\nYou need to backport 84ce071e38a6 (\"net: introduce\n__skb_fill_page_desc_noacc\") as a prereq.\n\nRace is more probable after commit c07aea3ef4d4\n(\"mm: add a signature in struct page\") because page_is_pfmemalloc()\nis now using low order bit from page->lru.next, which can change\nmore often than page->index.\n\nLow order bit should never be set for lru.next (when used as an anchor\nin LRU list), so KCSAN report is mostly a false positive.\n\nBackporting to older kernel versions seems not necessary.\n\n[1]\nBUG: KCSAN: data-race in lru_add_fn / tcp_build_frag\n\nwrite to 0xffffea0004a1d2c8 of 8 bytes by task 18600 on cpu 0:\n__list_add include/linux/list.h:73 [inline]\nlist_add include/linux/list.h:88 [inline]\nlruvec_add_folio include/linux/mm_inline.h:105 [inline]\nlru_add_fn+0x440/0x520 mm/swap.c:228\nfolio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246\nfolio_batch_add_and_move mm/swap.c:263 [inline]\nfolio_add_lru+0xf1/0x140 mm/swap.c:490\nfilemap_add_folio+0xf8/0x150 mm/filemap.c:948\n__filemap_get_folio+0x510/0x6d0 mm/filemap.c:1981\npagecache_get_page+0x26/0x190 mm/folio-compat.c:104\ngrab_cache_page_write_begin+0x2a/0x30 mm/folio-compat.c:116\next4_da_write_begin+0x2dd/0x5f0 fs/ext4/inode.c:2988\ngeneric_perform_write+0x1d4/0x3f0 mm/filemap.c:3738\next4_buffered_write_iter+0x235/0x3e0 fs/ext4/file.c:270\next4_file_write_iter+0x2e3/0x1210\ncall_write_iter include/linux/fs.h:2187 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x468/0x760 fs/read_write.c:578\nksys_write+0xe8/0x1a0 fs/read_write.c:631\n__do_sys_write fs/read_write.c:643 [inline]\n__se_sys_write fs/read_write.c:640 [inline]\n__x64_sys_write+0x3e/0x50 fs/read_write.c:640\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffffea0004a1d2c8 of 8 bytes by task 18611 on cpu 1:\npage_is_pfmemalloc include/linux/mm.h:1740 [inline]\n__skb_fill_page_desc include/linux/skbuff.h:2422 [inline]\nskb_fill_page_desc include/linux/skbuff.h:2443 [inline]\ntcp_build_frag+0x613/0xb20 net/ipv4/tcp.c:1018\ndo_tcp_sendpages+0x3e8/0xaf0 net/ipv4/tcp.c:1075\ntcp_sendpage_locked net/ipv4/tcp.c:1140 [inline]\ntcp_sendpage+0x89/0xb0 net/ipv4/tcp.c:1150\ninet_sendpage+0x7f/0xc0 net/ipv4/af_inet.c:833\nkernel_sendpage+0x184/0x300 net/socket.c:3561\nsock_sendpage+0x5a/0x70 net/socket.c:1054\npipe_to_sendpage+0x128/0x160 fs/splice.c:361\nsplice_from_pipe_feed fs/splice.c:415 [inline]\n__splice_from_pipe+0x222/0x4d0 fs/splice.c:559\nsplice_from_pipe fs/splice.c:594 [inline]\ngeneric_splice_sendpage+0x89/0xc0 fs/splice.c:743\ndo_splice_from fs/splice.c:764 [inline]\ndirect_splice_actor+0x80/0xa0 fs/splice.c:931\nsplice_direct_to_actor+0x305/0x620 fs/splice.c:886\ndo_splice_direct+0xfb/0x180 fs/splice.c:974\ndo_sendfile+0x3bf/0x910 fs/read_write.c:1249\n__do_sys_sendfile64 fs/read_write.c:1317 [inline]\n__se_sys_sendfile64 fs/read_write.c:1303 [inline]\n__x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1303\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0x0000000000000000 -> 0xffffea0004a1d288\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 18611 Comm: syz-executor.4 Not tainted 6.0.0-rc2-syzkaller-00248-ge022620b5d05-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48689"
},
{
"id": "CVE-2022-48691",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: clean up hook list when offload flags check fails\n\nsplice back the hook list so nft_chain_release_hook() has a chance to\nrelease the hooks.\n\nBUG: memory leak\nunreferenced object 0xffff88810180b100 (size 96):\n comm \"syz-executor133\", pid 3619, jiffies 4294945714 (age 12.690s)\n hex dump (first 32 bytes):\n 28 64 23 02 81 88 ff ff 28 64 23 02 81 88 ff ff (d#.....(d#.....\n 90 a8 aa 83 ff ff ff ff 00 00 b5 0f 81 88 ff ff ................\n backtrace:\n [] kmalloc include/linux/slab.h:600 [inline]\n [] nft_netdev_hook_alloc+0x3b/0xc0 net/netfilter/nf_tables_api.c:1901\n [] nft_chain_parse_netdev net/netfilter/nf_tables_api.c:1998 [inline]\n [] nft_chain_parse_hook+0x33a/0x530 net/netfilter/nf_tables_api.c:2073\n [] nf_tables_addchain.constprop.0+0x10b/0x950 net/netfilter/nf_tables_api.c:2218\n [] nf_tables_newchain+0xa8b/0xc60 net/netfilter/nf_tables_api.c:2593\n [] nfnetlink_rcv_batch+0xa46/0xd20 net/netfilter/nfnetlink.c:517\n [] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:638 [inline]\n [] nfnetlink_rcv+0x1f9/0x220 net/netfilter/nfnetlink.c:656\n [] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n [] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345\n [] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921\n [] sock_sendmsg_nosec net/socket.c:714 [inline]\n [] sock_sendmsg+0x56/0x80 net/socket.c:734\n [] ____sys_sendmsg+0x36c/0x390 net/socket.c:2482\n [] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536\n [] __sys_sendmsg+0x88/0x100 net/socket.c:2565\n [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n [] entry_SYSCALL_64_after_hwframe+0x63/0xcd",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48691"
},
{
"id": "CVE-2022-48692",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srp: Set scmnd->result only when scmnd is not NULL\n\nThis change fixes the following kernel NULL pointer dereference\nwhich is reproduced by blktests srp/007 occasionally.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000170\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 9 Comm: kworker/0:1H Kdump: loaded Not tainted 6.0.0-rc1+ #37\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qemu.org 04/01/2014\nWorkqueue: 0x0 (kblockd)\nRIP: 0010:srp_recv_done+0x176/0x500 [ib_srp]\nCode: 00 4d 85 ff 0f 84 52 02 00 00 48 c7 82 80 02 00 00 00 00 00 00 4c 89 df 4c 89 14 24 e8 53 d3 4a f6 4c 8b 14 24 41 0f b6 42 13 <41> 89 87 70 01 00 00 41 0f b6 52 12 f6 c2 02 74 44 41 8b 42 1c b9\nRSP: 0018:ffffaef7c0003e28 EFLAGS: 00000282\nRAX: 0000000000000000 RBX: ffff9bc9486dea60 RCX: 0000000000000000\nRDX: 0000000000000102 RSI: ffffffffb76bbd0e RDI: 00000000ffffffff\nRBP: ffff9bc980099a00 R08: 0000000000000001 R09: 0000000000000001\nR10: ffff9bca53ef0000 R11: ffff9bc980099a10 R12: ffff9bc956e14000\nR13: ffff9bc9836b9cb0 R14: ffff9bc9557b4480 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff9bc97ec00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000170 CR3: 0000000007e04000 CR4: 00000000000006f0\nCall Trace:\n \n __ib_process_cq+0xb7/0x280 [ib_core]\n ib_poll_handler+0x2b/0x130 [ib_core]\n irq_poll_softirq+0x93/0x150\n __do_softirq+0xee/0x4b8\n irq_exit_rcu+0xf7/0x130\n sysvec_apic_timer_interrupt+0x8e/0xc0\n ",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48692"
},
{
"id": "CVE-2022-48693",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs\n\nIn brcmstb_pm_probe(), there are two kinds of leak bugs:\n\n(1) we need to add of_node_put() when for_each__matching_node() breaks\n(2) we need to add iounmap() for each iomap in fail path",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48693"
},
{
"id": "CVE-2022-48694",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix drain SQ hang with no completion\n\nSW generated completions for outstanding WRs posted on SQ\nafter QP is in error target the wrong CQ. This causes the\nib_drain_sq to hang with no completion.\n\nFix this to generate completions on the right CQ.\n\n[ 863.969340] INFO: task kworker/u52:2:671 blocked for more than 122 seconds.\n[ 863.979224] Not tainted 5.14.0-130.el9.x86_64 #1\n[ 863.986588] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 863.996997] task:kworker/u52:2 state:D stack: 0 pid: 671 ppid: 2 flags:0x00004000\n[ 864.007272] Workqueue: xprtiod xprt_autoclose [sunrpc]\n[ 864.014056] Call Trace:\n[ 864.017575] __schedule+0x206/0x580\n[ 864.022296] schedule+0x43/0xa0\n[ 864.026736] schedule_timeout+0x115/0x150\n[ 864.032185] __wait_for_common+0x93/0x1d0\n[ 864.037717] ? usleep_range_state+0x90/0x90\n[ 864.043368] __ib_drain_sq+0xf6/0x170 [ib_core]\n[ 864.049371] ? __rdma_block_iter_next+0x80/0x80 [ib_core]\n[ 864.056240] ib_drain_sq+0x66/0x70 [ib_core]\n[ 864.062003] rpcrdma_xprt_disconnect+0x82/0x3b0 [rpcrdma]\n[ 864.069365] ? xprt_prepare_transmit+0x5d/0xc0 [sunrpc]\n[ 864.076386] xprt_rdma_close+0xe/0x30 [rpcrdma]\n[ 864.082593] xprt_autoclose+0x52/0x100 [sunrpc]\n[ 864.088718] process_one_work+0x1e8/0x3c0\n[ 864.094170] worker_thread+0x50/0x3b0\n[ 864.099109] ? rescuer_thread+0x370/0x370\n[ 864.104473] kthread+0x149/0x170\n[ 864.109022] ? set_kthread_struct+0x40/0x40\n[ 864.114713] ret_from_fork+0x22/0x30",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48694"
},
{
"id": "CVE-2023-0030",
"summary": "A use-after-free flaw was found in the Linux kernel\u2019s nouveau driver in how a user triggers a memory overflow that causes the nvkm_vma_tail function to fail. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0030",
"detail": "fixed-version",
"description": "Fixed from version 5.0rc1"
},
{
"id": "CVE-2023-0045",
"summary": "The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set \u00a0function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. \u00a0The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176.\n\nWe recommend upgrading past commit\u00a0a664ec9158eeddd75121d39c9a0758016097fa96\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0045",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc3"
},
{
"id": "CVE-2023-0122",
"summary": "A NULL pointer dereference vulnerability in the Linux kernel NVMe functionality, in nvmet_setup_auth(), allows an attacker to perform a Pre-Auth Denial of Service (DoS) attack on a remote machine. Affected versions v6.0-rc1 to v6.0-rc3, fixed in v6.0-rc4.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0122",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc4"
},
{
"id": "CVE-2023-0160",
"summary": "A deadlock flaw was found in the Linux kernel\u2019s BPF subsystem. This flaw allows a local user to potentially crash the system.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0160",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-0179",
"summary": "A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0179",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc5"
},
{
"id": "CVE-2023-0210",
"summary": "A bug affects the Linux kernel\u2019s ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0210",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc4"
},
{
"id": "CVE-2023-0240",
"summary": "There is a logic error in io_uring's implementation which can be used to trigger a use-after-free vulnerability leading to privilege escalation.\n\nIn the io_prep_async_work function the assumption that the last io_grab_identity call cannot return false is not true, and in this case the function will use the init_cred or the previous linked requests identity to do operations instead of using the current identity. This can lead to reference counting issues causing use-after-free. We recommend upgrading past version 5.10.161.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0240",
"detail": "fixed-version",
"description": "Fixed from version 5.10rc1"
},
{
"id": "CVE-2023-0266",
"summary": "A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel.\u00a0SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user. We recommend upgrading past commit\u00a056b88b50565cd8b946a2d00b0c83927b7ebb055e\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0266",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc4"
},
{
"id": "CVE-2023-0386",
"summary": "A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel\u2019s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0386",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc6"
},
{
"id": "CVE-2023-0394",
"summary": "A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0394",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc4"
},
{
"id": "CVE-2023-0458",
"summary": "A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit\u00a0739790605705ddcf18f21782b9c99ad7d53a8c11",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0458",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc5"
},
{
"id": "CVE-2023-0459",
"summary": "Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the \"access_ok\" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit\u00a074e19ef0ff8061ef55957c3abd71614ef0f42f47",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0459",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2023-0461",
"summary": "There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS\u00a0or CONFIG_XFRM_ESPINTCP\u00a0has to be configured, but the operation does not require any privilege.\n\nThere is a use-after-free bug of icsk_ulp_data\u00a0of a struct inet_connection_sock.\n\nWhen CONFIG_TLS\u00a0is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable.\n\nThe setsockopt\u00a0TCP_ULP\u00a0operation does not require any privilege.\n\nWe recommend upgrading past commit\u00a02c02d41d71f90a5168391b6a5f2954112ba2307c",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0461",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc3"
},
{
"id": "CVE-2023-0468",
"summary": "A use-after-free flaw was found in io_uring/poll.c in io_poll_check_events in the io_uring subcomponent in the Linux Kernel due to a race condition of poll_refs. This flaw may cause a NULL pointer dereference.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0468",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc7"
},
{
"id": "CVE-2023-0469",
"summary": "A use-after-free flaw was found in io_uring/filetable.c in io_install_fixed_file in the io_uring subcomponent in the Linux Kernel during call cleanup. This flaw may lead to a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0469",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc7"
},
{
"id": "CVE-2023-0590",
"summary": "A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 (\"net: sched: fix race condition in qdisc_graft()\") not applied yet, then kernel could be affected.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0590",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc2"
},
{
"id": "CVE-2023-0597",
"summary": "A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was found in the way user can guess location of exception stack(s) or other important data. A local user could use this flaw to get access to some important data with expected location in memory.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0597",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2023-0615",
"summary": "A memory leak flaw and potential divide by zero and Integer overflow was found in the Linux kernel V4L2 and vivid test code functionality. This issue occurs when a user triggers ioctls, such as VIDIOC_S_DV_TIMINGS ioctl. This could allow a local user to crash the system if vivid test code enabled.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0615",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc3"
},
{
"id": "CVE-2023-1032",
"summary": "The Linux kernel io_uring IORING_OP_SOCKET operation contained a double free in function __sys_socket_file() in file net/socket.c. This issue was introduced in da214a475f8bd1d3e9e7a19ddfeb4d1617551bab and fixed in 649c15c7691e9b13cbe9bf6c65c365350e056067.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1032",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc2"
},
{
"id": "CVE-2023-1073",
"summary": "A memory corruption flaw was found in the Linux kernel\u2019s human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "6.6",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1073",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc5"
},
{
"id": "CVE-2023-1074",
"summary": "A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1074",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc6"
},
{
"id": "CVE-2023-1075",
"summary": "A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready.",
"scorev2": "0.0",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1075",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc7"
},
{
"id": "CVE-2023-1076",
"summary": "A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1076",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2023-1077",
"summary": "In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing memory corruption.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1077",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2023-1078",
"summary": "A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user. It is known how to trigger this, which causes an out of bounds access, and a lock corruption.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1078",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc8"
},
{
"id": "CVE-2023-1079",
"summary": "A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.",
"scorev2": "0.0",
"scorev3": "6.8",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1079",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2023-1095",
"summary": "In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list -- the list head is all zeroes, this results in a NULL pointer dereference.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1095",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2023-1118",
"summary": "A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1118",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2023-1192",
"summary": "A use-after-free flaw was found in smb2_is_status_io_timeout() in CIFS in the Linux Kernel. After CIFS transfers response data to a system call, there are still local variable points to the memory region, and if the system call frees it faster than CIFS uses it, CIFS will access a free memory region, leading to a denial of service.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1192",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-1193",
"summary": "A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1193",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc6"
},
{
"id": "CVE-2023-1194",
"summary": "An out-of-bounds (OOB) memory read flaw was found in parse_lease_state in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. When an attacker sends the CREATE command with a malformed payload to KSMBD, due to a missing check of `NameOffset` in the `parse_lease_state()` function, the `create_context` object can access invalid memory.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1194",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc6"
},
{
"id": "CVE-2023-1195",
"summary": "A use-after-free flaw was found in reconn_set_ipaddr_from_hostname in fs/cifs/connect.c in the Linux kernel. The issue occurs when it forgets to set the free pointer server->hostname to NULL, leading to an invalid pointer request.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1195",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc3"
},
{
"id": "CVE-2023-1206",
"summary": "A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel\u2019s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.",
"scorev2": "0.0",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1206",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc4"
},
{
"id": "CVE-2023-1249",
"summary": "A use-after-free flaw was found in the Linux kernel\u2019s core dump subsystem. This flaw allows a local user to crash the system. Only if patch 390031c94211 (\"coredump: Use the vma snapshot in fill_files_note\") not applied yet, then kernel could be affected.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1249",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2023-1252",
"summary": "A use-after-free flaw was found in the Linux kernel\u2019s Ext4 File System in how a user triggers several file operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially escalate their privileges on the system. Only if patch 9a2544037600 (\"ovl: fix use after free in struct ovl_aio_req\") not applied yet, the kernel could be affected.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1252",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc1"
},
{
"id": "CVE-2023-1281",
"summary": "Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation.\u00a0The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext.\u00a0A local attacker user can use this vulnerability to elevate its privileges to root.\nThis issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1281",
"detail": "fixed-version",
"description": "Fixed from version 6.2"
},
{
"id": "CVE-2023-1295",
"summary": "A time-of-check to time-of-use issue exists in io_uring subsystem's IORING_OP_CLOSE operation in the Linux kernel's versions 5.6 - 5.11 (inclusive), which allows a local user to elevate their privileges to root. Introduced in b5dba59e0cf7e2cc4d3b3b1ac5fe81ddf21959eb, patched in 9eac1904d3364254d622bf2c771c4f85cd435fc2, backported to stable in 788d0824269bef539fe31a785b1517882eafed93.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1295",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2023-1380",
"summary": "A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1380",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-1382",
"summary": "A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. This issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc protocol in the Linux kernel.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1382",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc7"
},
{
"id": "CVE-2023-1390",
"summary": "A remote denial of service vulnerability was found in the Linux kernel\u2019s TIPC kernel module. The while loop in tipc_link_xmit() hits an unknown state while attempting to parse SKBs, which are not in the queue. Sending two small UDP packets to a system with a UDP bearer results in the CPU utilization for the system to instantly spike to 100%, causing a denial of service condition.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1390",
"detail": "fixed-version",
"description": "Fixed from version 5.11rc4"
},
{
"id": "CVE-2023-1476",
"summary": "A use-after-free flaw was found in the Linux kernel\u2019s mm/mremap memory address space accounting source code. This issue occurs due to a race condition between rmap walk and mremap, allowing a local user to crash the system or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1476"
},
{
"id": "CVE-2023-1513",
"summary": "A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.",
"scorev2": "0.0",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1513",
"detail": "fixed-version",
"description": "Fixed from version 6.2"
},
{
"id": "CVE-2023-1582",
"summary": "A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. This issue may allow a local attacker with user privilege to cause a denial of service.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1582",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc4"
},
{
"id": "CVE-2023-1583",
"summary": "A NULL pointer dereference was found in io_file_bitmap_get in io_uring/filetable.c in the io_uring sub-component in the Linux Kernel. When fixed files are unregistered, some context information (file_alloc_{start,end} and alloc_hint) is not cleared. A subsequent request that has auto index selection enabled via IORING_FILE_INDEX_ALLOC can cause a NULL pointer dereference. An unprivileged user can use the flaw to cause a system crash.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1583",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc4"
},
{
"id": "CVE-2023-1611",
"summary": "A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel.This flaw allows an attacker to crash the system and possibly cause a kernel information lea",
"scorev2": "0.0",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1611",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc5"
},
{
"id": "CVE-2023-1637",
"summary": "A flaw that boot CPU could be vulnerable for the speculative execution behavior kind of attacks in the Linux kernel X86 CPU Power management options functionality was found in the way user resuming CPU from suspend-to-RAM. A local user could use this flaw to potentially get unauthorized access to some memory of the CPU similar to the speculative execution behavior kind of attacks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1637",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc2"
},
{
"id": "CVE-2023-1652",
"summary": "A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel information leak problem.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1652",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc5"
},
{
"id": "CVE-2023-1670",
"summary": "A flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found.A local user could use this flaw to crash the system or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1670",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc4"
},
{
"id": "CVE-2023-1829",
"summary": "A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation.\u00a0The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure.\u00a0A local attacker user can use this vulnerability to elevate its privileges to root.\nWe recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1829",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2023-1838",
"summary": "A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system, and could even lead to a kernel information leak problem.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1838",
"detail": "fixed-version",
"description": "Fixed from version 5.18"
},
{
"id": "CVE-2023-1855",
"summary": "A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system due to a race problem. This vulnerability could even lead to a kernel information leak problem.",
"scorev2": "0.0",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1855",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc3"
},
{
"id": "CVE-2023-1859",
"summary": "A use-after-free flaw was found in xen_9pfs_front_removet in net/9p/trans_xen.c in Xen transport for 9pfs in the Linux Kernel. This flaw could allow a local attacker to crash the system due to a race problem, possibly leading to a kernel information leak.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1859",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc7"
},
{
"id": "CVE-2023-1872",
"summary": "A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation.\n\nThe io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered.\n\nWe recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.\n\n",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1872",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc2"
},
{
"id": "CVE-2023-1989",
"summary": "A use-after-free flaw was found in btsdio_remove in drivers\\bluetooth\\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1989",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc4"
},
{
"id": "CVE-2023-1990",
"summary": "A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow an attacker to crash the system due to a race problem.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1990",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc3"
},
{
"id": "CVE-2023-1998",
"summary": "The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line.\n\nThis happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects.\n\n\n",
"scorev2": "0.0",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1998",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2023-2002",
"summary": "A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.",
"scorev2": "0.0",
"scorev3": "6.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2002",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-2006",
"summary": "A race condition was found in the Linux kernel's RxRPC network protocol, within the processing of RxRPC bundles. This issue results from the lack of proper locking when performing operations on an object. This may allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2006",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc7"
},
{
"id": "CVE-2023-2007",
"summary": "The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2007",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2023-2008",
"summary": "A flaw was found in the Linux kernel's udmabuf device driver. The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an array. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2008",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc4"
},
{
"id": "CVE-2023-2019",
"summary": "A flaw was found in the Linux kernel's netdevsim device driver, within the scheduling of events. This issue results from the improper management of a reference count. This may allow an attacker to create a denial of service condition on the system.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2019",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2023-20569",
"summary": "\n\n\nA side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled\u202faddress, potentially leading to information disclosure.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20569",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc6"
},
{
"id": "CVE-2023-20588",
"summary": "\nA division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.\u00a0\n\n\n\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20588",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc6"
},
{
"id": "CVE-2023-20593",
"summary": "\nAn issue in \u201cZen 2\u201d CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.\n\n\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20593",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc4"
},
{
"id": "CVE-2023-20659",
"summary": "In wlan, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588413; Issue ID: ALPS07588413.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20659"
},
{
"id": "CVE-2023-20660",
"summary": "In wlan, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588383; Issue ID: ALPS07588383.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20660"
},
{
"id": "CVE-2023-20661",
"summary": "In wlan, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07560782; Issue ID: ALPS07560782.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20661"
},
{
"id": "CVE-2023-20662",
"summary": "In wlan, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07560765; Issue ID: ALPS07560765.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20662"
},
{
"id": "CVE-2023-20663",
"summary": "In wlan, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07560741; Issue ID: ALPS07560741.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20663"
},
{
"id": "CVE-2023-20674",
"summary": "In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588569; Issue ID: ALPS07588552.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20674"
},
{
"id": "CVE-2023-20675",
"summary": "In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588569; Issue ID: ALPS07588569.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20675"
},
{
"id": "CVE-2023-20676",
"summary": "In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588569; Issue ID: ALPS07628518.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20676"
},
{
"id": "CVE-2023-20677",
"summary": "In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588413; Issue ID: ALPS07588436.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20677"
},
{
"id": "CVE-2023-20679",
"summary": "In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588413; Issue ID: ALPS07588453.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20679"
},
{
"id": "CVE-2023-20682",
"summary": "In wlan, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07441605; Issue ID: ALPS07441605.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20682"
},
{
"id": "CVE-2023-20712",
"summary": "In wlan, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07796914; Issue ID: ALPS07796914.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20712"
},
{
"id": "CVE-2023-20715",
"summary": "In wlan, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07796900; Issue ID: ALPS07796900.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20715"
},
{
"id": "CVE-2023-20716",
"summary": "In wlan, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07796883; Issue ID: ALPS07796883.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20716"
},
{
"id": "CVE-2023-20810",
"summary": "In IOMMU, there is a possible information disclosure due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03692061; Issue ID: DTV03692061.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20810"
},
{
"id": "CVE-2023-20811",
"summary": "In IOMMU, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03692061; Issue ID: DTV03692061.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20811"
},
{
"id": "CVE-2023-20838",
"summary": "In imgsys, there is a possible out of bounds read due to a race condition. This could lead to local information disclosure with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07326455; Issue ID: ALPS07326418.",
"scorev2": "0.0",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20838"
},
{
"id": "CVE-2023-20839",
"summary": "In imgsys, there is a possible out of bounds read due to a missing valid range checking. This could lead to local information disclosure with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07326455; Issue ID: ALPS07326409.",
"scorev2": "0.0",
"scorev3": "4.2",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20839"
},
{
"id": "CVE-2023-20840",
"summary": "In imgsys, there is a possible out of bounds read and write due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07326430; Issue ID: ALPS07326430.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20840"
},
{
"id": "CVE-2023-20841",
"summary": "In imgsys, there is a possible out of bounds write due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07326455; Issue ID: ALPS07326441.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20841"
},
{
"id": "CVE-2023-20842",
"summary": "In imgsys_cmdq, there is a possible out of bounds write due to a missing\u00a0valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07354259; Issue ID: ALPS07340477.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20842"
},
{
"id": "CVE-2023-20843",
"summary": "In imgsys_cmdq, there is a possible out of bounds read due to a missing valid range checking. This could lead to local information disclosure with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07340119; Issue ID: ALPS07340119.",
"scorev2": "0.0",
"scorev3": "4.2",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20843"
},
{
"id": "CVE-2023-20844",
"summary": "In imgsys_cmdq, there is a possible out of bounds read due to a missing valid range checking. This could lead to local information disclosure with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07354058; Issue ID: ALPS07340121.",
"scorev2": "0.0",
"scorev3": "4.2",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20844"
},
{
"id": "CVE-2023-20845",
"summary": "In imgsys, there is a possible out of bounds read due to a missing valid range checking. This could lead to local information disclosure with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07197795; Issue ID: ALPS07340357.",
"scorev2": "0.0",
"scorev3": "4.2",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20845"
},
{
"id": "CVE-2023-20846",
"summary": "In imgsys_cmdq, there is a possible out of bounds read due to a missing valid range checking. This could lead to local information disclosure with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07354023; Issue ID: ALPS07340098.",
"scorev2": "0.0",
"scorev3": "4.2",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20846"
},
{
"id": "CVE-2023-20847",
"summary": "In imgsys_cmdq, there is a possible out of bounds read due to a missing valid range checking. This could lead to local denial of service with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07354025; Issue ID: ALPS07340108.",
"scorev2": "0.0",
"scorev3": "4.2",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20847"
},
{
"id": "CVE-2023-20848",
"summary": "In imgsys_cmdq, there is a possible out of bounds read due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07340433; Issue ID: ALPS07340433.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20848"
},
{
"id": "CVE-2023-20849",
"summary": "In imgsys_cmdq, there is a possible use after free due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07340433; Issue ID: ALPS07340350.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20849"
},
{
"id": "CVE-2023-20850",
"summary": "In imgsys_cmdq, there is a possible out of bounds write due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07340433; Issue ID: ALPS07340381.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20850"
},
{
"id": "CVE-2023-20928",
"summary": "In binder_vma_close of binder.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-254837884References: Upstream kernel",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20928",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2023-20938",
"summary": "In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-257685302References: Upstream kernel",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20938",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc5"
},
{
"id": "CVE-2023-21102",
"summary": "In __efi_rt_asm_wrapper of efi-rt-wrapper.S, there is a possible bypass of shadow stack protection due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-260821414References: Upstream kernel",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-21102",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc4"
},
{
"id": "CVE-2023-21106",
"summary": "In adreno_set_param of adreno_gpu.c, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-265016072References: Upstream kernel",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-21106",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc5"
},
{
"id": "CVE-2023-2124",
"summary": "An out-of-bounds memory access flaw was found in the Linux kernel\u2019s XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2124",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-21255",
"summary": "In multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-21255",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc4"
},
{
"id": "CVE-2023-21264",
"summary": "In multiple functions of mem_protect.c, there is a possible way to access hypervisor memory due to a memory access check in the wrong place. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.\n\n",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-21264",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc5"
},
{
"id": "CVE-2023-2156",
"summary": "A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol. This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the system.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2156",
"detail": "fixed-version",
"description": "Fixed from version 6.3"
},
{
"id": "CVE-2023-2162",
"summary": "A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2162",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc6"
},
{
"id": "CVE-2023-2163",
"summary": "Incorrect verifier pruning\u00a0in BPF in Linux Kernel\u00a0>=5.4\u00a0leads to unsafe\ncode paths being incorrectly marked as safe, resulting in\u00a0arbitrary read/write in\nkernel memory, lateral privilege escalation, and container escape.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2163",
"detail": "fixed-version",
"description": "Fixed from version 6.3"
},
{
"id": "CVE-2023-2166",
"summary": "A null pointer dereference issue was found in can protocol in net/can/af_can.c in the Linux before Linux. ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system or potentially cause a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2166",
"detail": "fixed-version",
"description": "Fixed from version 6.1"
},
{
"id": "CVE-2023-2176",
"summary": "A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux Kernel. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem to crash the system or escalation of privilege.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2176",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2023-2177",
"summary": "A null pointer dereference issue was found in the sctp network protocol in net/sctp/stream_sched.c in Linux Kernel. If stream_in allocation is failed, stream_out is freed which would further be accessed. A local user could use this flaw to crash the system or potentially cause a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2177",
"detail": "fixed-version",
"description": "Fixed from version 5.19"
},
{
"id": "CVE-2023-2194",
"summary": "An out-of-bounds write vulnerability was found in the Linux kernel's SLIMpro I2C device driver. The userspace \"data->block[0]\" variable was not capped to a number between 0-255 and was used as the size of a memcpy, possibly writing beyond the end of dma_buffer. This flaw could allow a local privileged user to crash the system or potentially achieve code execution.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2194",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc4"
},
{
"id": "CVE-2023-2235",
"summary": "A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve local privilege escalation.\n\nThe perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but\u00a0remove_on_exec made it possible to call list_del_event() on before detaching from their group, making it possible to use a dangling pointer causing a use-after-free vulnerability.\n\nWe recommend upgrading past commit fd0815f632c24878e325821943edccc7fde947a2.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2235",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc3"
},
{
"id": "CVE-2023-2236",
"summary": "A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.\n\nBoth\u00a0io_install_fixed_file\u00a0and its callers call fput in a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability.\n\nWe recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2236",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc7"
},
{
"id": "CVE-2023-2269",
"summary": "A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2269",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-22995",
"summary": "In the Linux kernel before 5.17, an error path in dwc3_qcom_acpi_register_core in drivers/usb/dwc3/dwc3-qcom.c lacks certain platform_device_put and kfree calls.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-22995",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2023-22996",
"summary": "In the Linux kernel before 5.17.2, drivers/soc/qcom/qcom_aoss.c does not release an of_find_device_by_node reference after use, e.g., with put_device.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-22996",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2023-22997",
"summary": "In the Linux kernel before 6.1.2, kernel/module/decompress.c misinterprets the module_get_next_page return value (expects it to be NULL in the error case, whereas it is actually an error pointer).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-22997",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2023-22998",
"summary": "In the Linux kernel before 6.0.3, drivers/gpu/drm/virtio/virtgpu_object.c misinterprets the drm_gem_shmem_get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-22998",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2023-22999",
"summary": "In the Linux kernel before 5.16.3, drivers/usb/dwc3/dwc3-qcom.c misinterprets the dwc3_qcom_create_urs_usb_platdev return value (expects it to be NULL in the error case, whereas it is actually an error pointer).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-22999",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2023-23000",
"summary": "In the Linux kernel before 5.17, drivers/phy/tegra/xusb.c mishandles the tegra_xusb_find_port_node return value. Callers expect NULL in the error case, but an error pointer is used.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23000",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2023-23001",
"summary": "In the Linux kernel before 5.16.3, drivers/scsi/ufs/ufs-mediatek.c misinterprets the regulator_get return value (expects it to be NULL in the error case, whereas it is actually an error pointer).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23001",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2023-23002",
"summary": "In the Linux kernel before 5.16.3, drivers/bluetooth/hci_qca.c misinterprets the devm_gpiod_get_index_optional return value (expects it to be NULL in the error case, whereas it is actually an error pointer).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23002",
"detail": "fixed-version",
"description": "Fixed from version 5.17rc1"
},
{
"id": "CVE-2023-23003",
"summary": "In the Linux kernel before 5.16, tools/perf/util/expr.c lacks a check for the hashmap__new return value.",
"scorev2": "0.0",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23003",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc6"
},
{
"id": "CVE-2023-23004",
"summary": "In the Linux kernel before 5.19, drivers/gpu/drm/arm/malidp_planes.c misinterprets the get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23004",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2023-23005",
"summary": "In the Linux kernel before 6.2, mm/memory-tiers.c misinterprets the alloc_memory_type return value (expects it to be NULL in the error case, whereas it is actually an error pointer). NOTE: this is disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23005",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2023-23006",
"summary": "In the Linux kernel before 5.15.13, drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c misinterprets the mlx5_get_uars_page return value (expects it to be NULL in the error case, whereas it is actually an error pointer).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23006",
"detail": "fixed-version",
"description": "Fixed from version 5.16rc8"
},
{
"id": "CVE-2023-23039",
"summary": "An issue was discovered in the Linux kernel through 6.2.0-rc2. drivers/tty/vcc.c has a race condition and resultant use-after-free if a physically proximate attacker removes a VCC device while calling open(), aka a race condition between vcc_open() and vcc_remove().",
"scorev2": "0.0",
"scorev3": "5.7",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23039"
},
{
"id": "CVE-2023-23454",
"summary": "cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23454",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc3"
},
{
"id": "CVE-2023-23455",
"summary": "atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23455",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc3"
},
{
"id": "CVE-2023-23559",
"summary": "In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23559",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc5"
},
{
"id": "CVE-2023-23586",
"summary": "Due to a vulnerability in the io_uring subsystem, it is possible to leak kernel memory information to the user process.\u00a0timens_install calls current_is_single_threaded to determine if the current process is single-threaded, but this call does not consider io_uring's io_worker threads, thus it is possible to insert a time namespace's vvar page to process's memory space via a page fault. When this time namespace is destroyed, the vvar page is also freed, but not removed from the process' memory, and a next page allocated by the kernel will be still available from the user-space process and can leak memory contents via this (read-only) use-after-free vulnerability. We recommend upgrading past version 5.10.161 or commit\u00a0 788d0824269bef539fe31a785b1517882eafed93 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/io_uring \n",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23586",
"detail": "fixed-version",
"description": "Fixed from version 5.12rc1"
},
{
"id": "CVE-2023-2430",
"summary": "A vulnerability was found due to missing lock for IOPOLL flaw in io_cqring_event_overflow() in io_uring.c in Linux Kernel. This flaw allows a local attacker with user privilege to trigger a Denial of Service threat.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2430",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc5"
},
{
"id": "CVE-2023-25012",
"summary": "The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long.",
"scorev2": "0.0",
"scorev3": "4.6",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25012",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2023-2513",
"summary": "A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2513",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2023-25775",
"summary": "Improper access control in the Intel(R) Ethernet Controller RDMA driver for linux before version 1.9.30 may allow an unauthenticated user to potentially enable escalation of privilege via network access.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25775",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc1"
},
{
"id": "CVE-2023-2598",
"summary": "A flaw was found in the fixed buffer registration code for io_uring (io_sqe_buffer_register in io_uring/rsrc.c) in the Linux kernel that allows out-of-bounds access to physical memory beyond the end of the buffer. This flaw enables full local privilege escalation.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2598",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-26242",
"summary": "afu_mmio_region_get_by_offset in drivers/fpga/dfl-afu-region.c in the Linux kernel through 6.1.12 has an integer overflow.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-26242"
},
{
"id": "CVE-2023-26544",
"summary": "In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a difference between NTFS sector size and media sector size.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-26544",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2023-26545",
"summary": "In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-26545",
"detail": "fixed-version",
"description": "Fixed from version 6.2"
},
{
"id": "CVE-2023-26605",
"summary": "In the Linux kernel 6.0.8, there is a use-after-free in inode_cgwb_move_to_attached in fs/fs-writeback.c, related to __list_del_entry_valid.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-26605",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc7"
},
{
"id": "CVE-2023-26606",
"summary": "In the Linux kernel 6.0.8, there is a use-after-free in ntfs_trim_fs in fs/ntfs3/bitmap.c.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-26606",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2023-26607",
"summary": "In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-26607",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2023-28327",
"summary": "A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c In unix_diag_get_exact in the Linux Kernel. The newly allocated skb does not have sk, leading to a NULL pointer. This flaw allows a local user to crash or potentially cause a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28327",
"detail": "fixed-version",
"description": "Fixed from version 6.1"
},
{
"id": "CVE-2023-28328",
"summary": "A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in the Linux Kernel. The message from user space is not checked properly before transferring into the device. This flaw allows a local user to crash the system or potentially cause a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28328",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2023-28410",
"summary": "Improper restriction of operations within the bounds of a memory buffer in some Intel(R) i915 Graphics drivers for linux before kernel version 6.2.10 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28410",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2023-28464",
"summary": "hci_conn_cleanup in net/bluetooth/hci_conn.c in the Linux kernel through 6.2.9 has a use-after-free (observed in hci_conn_hash_flush) because of calls to hci_dev_put and hci_conn_put. There is a double free that may lead to privilege escalation.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28464",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc7"
},
{
"id": "CVE-2023-28466",
"summary": "do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28466",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc2"
},
{
"id": "CVE-2023-2860",
"summary": "An out-of-bounds read vulnerability was found in the SR-IPv6 implementation in the Linux kernel. The flaw exists within the processing of seg6 attributes. The issue results from the improper validation of user-supplied data, which can result in a read past the end of an allocated buffer. This flaw allows a privileged local user to disclose sensitive information on affected installations of the Linux kernel.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2860",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc5"
},
{
"id": "CVE-2023-28772",
"summary": "An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28772",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc1"
},
{
"id": "CVE-2023-28866",
"summary": "In the Linux kernel through 6.2.8, net/bluetooth/hci_sync.c allows out-of-bounds access because amp_init1[] and amp_init2[] are supposed to have an intentionally invalid element, but do not.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28866",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc4"
},
{
"id": "CVE-2023-2898",
"summary": "There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2898",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc1"
},
{
"id": "CVE-2023-2985",
"summary": "A use after free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw could allow a local user to cause a denial of service problem.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2985",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2023-3006",
"summary": "A known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, becomes actual again for the new hw AmpereOne. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim's hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. This issue leads to obtaining information that should not be accessible.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3006",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2023-3022",
"summary": "A flaw was found in the IPv6 module of the Linux kernel. The arg.result was not used consistently in fib6_rule_lookup, sometimes holding rt6_info and other times fib6_info. This was not accounted for in other parts of the code where rt6_info was expected unconditionally, potentially leading to a kernel panic in fib6_rule_suppress.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3022"
},
{
"id": "CVE-2023-30456",
"summary": "An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-30456",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc3"
},
{
"id": "CVE-2023-30772",
"summary": "The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device.",
"scorev2": "0.0",
"scorev3": "6.4",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-30772",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc4"
},
{
"id": "CVE-2023-3090",
"summary": "A heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation.\n\nThe out-of-bounds write is caused by missing skb->cb initialization in the ipvlan network driver. The vulnerability is reachable if\u00a0CONFIG_IPVLAN is enabled.\n\n\nWe recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3090",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc2"
},
{
"id": "CVE-2023-3106",
"summary": "A NULL pointer dereference vulnerability was found in netlink_dump. This issue can occur when the Netlink socket receives the message(sendmsg) for the XFRM_MSG_GETSA, XFRM_MSG_GETPOLICY type message, and the DUMP flag is set and can cause a denial of service or possibly another unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3106",
"detail": "fixed-version",
"description": "Fixed from version 4.8rc7"
},
{
"id": "CVE-2023-3108",
"summary": "A flaw was found in the subsequent get_user_pages_fast in the Linux kernel\u2019s interface for symmetric key cipher algorithms in the skcipher_recvmsg of crypto/algif_skcipher.c function. This flaw allows a local user to crash the system.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3108"
},
{
"id": "CVE-2023-31081",
"summary": "An issue was discovered in drivers/media/test-drivers/vidtv/vidtv_bridge.c in the Linux kernel 6.2. There is a NULL pointer dereference in vidtv_mux_stop_thread. In vidtv_stop_streaming, after dvb->mux=NULL occurs, it executes vidtv_mux_stop_thread(dvb->mux).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31081"
},
{
"id": "CVE-2023-31082",
"summary": "An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is a sleeping function called from an invalid context in gsmld_write, which will block the kernel. Note: This has been disputed by 3rd parties as not a valid vulnerability.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31082"
},
{
"id": "CVE-2023-31083",
"summary": "An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31083",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc1"
},
{
"id": "CVE-2023-31084",
"summary": "An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31084",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc3"
},
{
"id": "CVE-2023-31085",
"summary": "An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31085",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc5"
},
{
"id": "CVE-2023-3111",
"summary": "A use after free vulnerability was found in prepare_to_relocate in fs/btrfs/relocation.c in btrfs in the Linux Kernel. This possible flaw can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag().",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3111",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc2"
},
{
"id": "CVE-2023-31248",
"summary": "Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31248",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc2"
},
{
"id": "CVE-2023-3141",
"summary": "A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3141",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-31436",
"summary": "qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31436",
"detail": "fixed-version",
"description": "Fixed from version 6.3"
},
{
"id": "CVE-2023-3159",
"summary": "A use after free issue was discovered in driver/firewire in outbound_phy_packet_callback in the Linux Kernel. In this flaw a local attacker with special privilege may cause a use after free problem when queue_event() fails.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3159",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc6"
},
{
"id": "CVE-2023-3161",
"summary": "A flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds occurs leading to undefined behavior and possible denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3161",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc7"
},
{
"id": "CVE-2023-3212",
"summary": "A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3212",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc2"
},
{
"id": "CVE-2023-3220",
"summary": "An issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks check of the return value of kzalloc() and will cause the NULL Pointer Dereference.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3220",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2023-32233",
"summary": "In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32233",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-32247",
"summary": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_SESSION_SETUP commands. The issue results from the lack of control of resource consumption. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32247",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-32248",
"summary": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_TREE_CONNECT and SMB2_QUERY_INFO commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32248",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-32250",
"summary": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32250",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-32252",
"summary": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_LOGOFF commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32252",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-32254",
"summary": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32254",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-32257",
"summary": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP and SMB2_LOGOFF commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32257",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-32258",
"summary": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_LOGOFF and SMB2_CLOSE commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32258",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-32269",
"summary": "An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32269",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc7"
},
{
"id": "CVE-2023-3268",
"summary": "An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3268",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-3269",
"summary": "A vulnerability exists in the memory management subsystem of the Linux kernel. The lock handling for accessing and updating virtual memory areas (VMAs) is incorrect, leading to use-after-free problems. This issue can be successfully exploited to execute arbitrary kernel code, escalate containers, and gain root privileges.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3269",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc1"
},
{
"id": "CVE-2023-32810",
"summary": "In bluetooth driver, there is a possible out of bounds read due to improper input validation. This could lead to local information leak with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07867212; Issue ID: ALPS07867212.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32810"
},
{
"id": "CVE-2023-32820",
"summary": "In wlan firmware, there is a possible firmware assertion due to improper input handling. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07932637; Issue ID: ALPS07932637.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32820"
},
{
"id": "CVE-2023-3312",
"summary": "A vulnerability was found in drivers/cpufreq/qcom-cpufreq-hw.c in cpufreq subsystem in the Linux Kernel. This flaw, during device unbind will lead to double release problem leading to denial of service.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3312",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-3317",
"summary": "A use-after-free flaw was found in mt7921_check_offload_capability in drivers/net/wireless/mediatek/mt76/mt7921/init.c in wifi mt76/mt7921 sub-component in the Linux Kernel. This flaw could allow an attacker to crash the system after 'features' memory release. This vulnerability could even lead to a kernel information leak problem.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3317",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc6"
},
{
"id": "CVE-2023-33203",
"summary": "The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/net/ethernet/qualcomm/emac/emac.c if a physically proximate attacker unplugs an emac based device.",
"scorev2": "0.0",
"scorev3": "6.4",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33203",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc4"
},
{
"id": "CVE-2023-33250",
"summary": "The Linux kernel 6.3 has a use-after-free in iopt_unmap_iova_range in drivers/iommu/iommufd/io_pagetable.c.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33250",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc1"
},
{
"id": "CVE-2023-33288",
"summary": "An issue was discovered in the Linux kernel before 6.2.9. A use-after-free was found in bq24190_remove in drivers/power/supply/bq24190_charger.c. It could allow a local attacker to crash the system due to a race condition.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33288",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc4"
},
{
"id": "CVE-2023-3338",
"summary": "A null pointer dereference flaw was found in the Linux kernel's DECnet networking protocol. This issue could allow a remote user to crash the system.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3338",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc1"
},
{
"id": "CVE-2023-3355",
"summary": "A NULL pointer dereference flaw was found in the Linux kernel's drivers/gpu/drm/msm/msm_gem_submit.c code in the submit_lookup_cmds function, which fails because it lacks a check of the return value of kmalloc(). This issue allows a local user to crash the system.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3355",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2023-3357",
"summary": "A NULL pointer dereference flaw was found in the Linux kernel AMD Sensor Fusion Hub driver. This flaw allows a local user to crash the system.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3357",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc1"
},
{
"id": "CVE-2023-3358",
"summary": "A null pointer dereference was found in the Linux kernel's Integrated Sensor Hub (ISH) driver. This issue could allow a local user to crash the system.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3358",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc5"
},
{
"id": "CVE-2023-3359",
"summary": "An issue was discovered in the Linux kernel brcm_nvram_parse in drivers/nvmem/brcm_nvram.c. Lacks for the check of the return value of kzalloc() can cause the NULL Pointer Dereference.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3359",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc7"
},
{
"id": "CVE-2023-3389",
"summary": "A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.\n\nRacing a io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer.\n\nWe recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and\u00a00e388fce7aec40992eadee654193cad345d62663 for 5.15 stable).\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3389",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc1"
},
{
"id": "CVE-2023-3390",
"summary": "A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c.\n\nMishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue.\n\nWe recommend upgrading past commit\u00a01240eb93f0616b21c675416516ff3d74798fdc97.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3390",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc7"
},
{
"id": "CVE-2023-33951",
"summary": "A race condition vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within the handling of GEM objects. The issue results from improper locking when performing operations on an object. This flaw allows a local privileged user to disclose information in the context of the kernel.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33951",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-33952",
"summary": "A double-free vulnerability was found in handling vmw_buffer_object objects in the vmwgfx driver in the Linux kernel. This issue occurs due to the lack of validating the existence of an object prior to performing further free operations on the object, which may allow a local privileged user to escalate privileges and execute code in the context of the kernel.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33952",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-3397",
"summary": "A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.",
"scorev2": "0.0",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3397"
},
{
"id": "CVE-2023-34256",
"summary": "An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated \"When modifying the block device while it is mounted by the filesystem\" access.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34256",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc2"
},
{
"id": "CVE-2023-34319",
"summary": "The fix for XSA-423 added logic to Linux'es netback driver to deal with\na frontend splitting a packet in a way such that not all of the headers\nwould come in one piece. Unfortunately the logic introduced there\ndidn't account for the extreme case of the entire packet being split\ninto as many pieces as permitted by the protocol, yet still being\nsmaller than the area that's specially dealt with to keep all (possible)\nheaders together. Such an unusual packet would therefore trigger a\nbuffer overrun in the driver.\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34319",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc6"
},
{
"id": "CVE-2023-34324",
"summary": "Closing of an event channel in the Linux kernel can result in a deadlock.\nThis happens when the close is being performed in parallel to an unrelated\nXen console action and the handling of a Xen console interrupt in an\nunprivileged guest.\n\nThe closing of an event channel is e.g. triggered by removal of a\nparavirtual device on the other side. As this action will cause console\nmessages to be issued on the other side quite often, the chance of\ntriggering the deadlock is not neglectable.\n\nNote that 32-bit Arm-guests are not affected, as the 32-bit Linux kernel\non Arm doesn't use queued-RW-locks, which are required to trigger the\nissue (on Arm32 a waiting writer doesn't block further readers to get\nthe lock).\n",
"scorev2": "0.0",
"scorev3": "4.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34324",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc6"
},
{
"id": "CVE-2023-3439",
"summary": "A flaw was found in the MCTP protocol in the Linux kernel. The function mctp_unregister() reclaims the device's relevant resource when a netcard detaches. However, a running routine may be unaware of this and cause the use-after-free of the mdev->addrs object, potentially leading to a denial of service.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3439",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc5"
},
{
"id": "CVE-2023-35001",
"summary": "Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35001",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc2"
},
{
"id": "CVE-2023-3567",
"summary": "A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This issue may allow an attacker with local user access to cause a system crash or leak internal kernel information.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3567",
"detail": "fixed-version",
"description": "Fixed from version 6.2rc7"
},
{
"id": "CVE-2023-35788",
"summary": "An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35788",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc5"
},
{
"id": "CVE-2023-35823",
"summary": "An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35823",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-35824",
"summary": "An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35824",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-35826",
"summary": "An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in cedrus_remove in drivers/staging/media/sunxi/cedrus/cedrus.c.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35826",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-35827",
"summary": "An issue was discovered in the Linux kernel through 6.3.8. A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35827",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc6"
},
{
"id": "CVE-2023-35828",
"summary": "An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35828",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-35829",
"summary": "An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in rkvdec_remove in drivers/staging/media/rkvdec/rkvdec.c.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35829",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc1"
},
{
"id": "CVE-2023-3609",
"summary": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\n\nIf tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\n\nWe recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3609",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc7"
},
{
"id": "CVE-2023-3610",
"summary": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nFlaw in the error handling of bound chains causes a use-after-free in the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered.\n\nWe recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3610",
"detail": "fixed-version",
"description": "Fixed from version 6.4"
},
{
"id": "CVE-2023-3611",
"summary": "An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.\n\nThe qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.\n\nWe recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3611",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc2"
},
{
"id": "CVE-2023-3640",
"summary": "A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3640"
},
{
"id": "CVE-2023-37453",
"summary": "An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds and crash in read_descriptors in drivers/usb/core/sysfs.c.",
"scorev2": "0.0",
"scorev3": "4.6",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37453",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc1"
},
{
"id": "CVE-2023-37454",
"summary": "An issue was discovered in the Linux kernel through 6.4.2. A crafted UDF filesystem image causes a use-after-free write operation in the udf_put_super and udf_close_lvid functions in fs/udf/super.c. NOTE: the suse.com reference has a different perspective about this.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37454"
},
{
"id": "CVE-2023-3772",
"summary": "A flaw was found in the Linux kernel\u2019s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3772",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc7"
},
{
"id": "CVE-2023-3773",
"summary": "A flaw was found in the Linux kernel\u2019s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to cause a 4 byte out-of-bounds read of XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data to userspace.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3773",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc7"
},
{
"id": "CVE-2023-3776",
"summary": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\n\nIf tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\n\nWe recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3776",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc2"
},
{
"id": "CVE-2023-3777",
"summary": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nWhen nf_tables_delrule() is flushing table rules, it is not checked whether the chain is bound and the chain's owner rule can also release the objects in certain circumstances.\n\nWe recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3777",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc3"
},
{
"id": "CVE-2023-3812",
"summary": "An out-of-bounds memory access flaw was found in the Linux kernel\u2019s TUN/TAP device driver functionality in how a user generates a malicious (too big) networking packet when napi frags is enabled. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3812",
"detail": "fixed-version",
"description": "Fixed from version 6.1rc4"
},
{
"id": "CVE-2023-38409",
"summary": "An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/fbcon.c in the Linux kernel before 6.2.12. Because an assignment occurs only for the first vc, the fbcon_registered_fb and fbcon_display arrays can be desynchronized in fbcon_mode_deleted (the con2fb_map points at the old fb_info).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38409",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc7"
},
{
"id": "CVE-2023-38426",
"summary": "An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an out-of-bounds read in smb2_find_context_vals when create_context's name_len is larger than the tag length.",
"scorev2": "0.0",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38426",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc3"
},
{
"id": "CVE-2023-38427",
"summary": "An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/smb2pdu.c in ksmbd has an integer underflow and out-of-bounds read in deassemble_neg_contexts.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38427",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc6"
},
{
"id": "CVE-2023-38428",
"summary": "An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb2pdu.c in ksmbd does not properly check the UserName value because it does not consider the address of security buffer, leading to an out-of-bounds read.",
"scorev2": "0.0",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38428",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc3"
},
{
"id": "CVE-2023-38429",
"summary": "An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/connection.c in ksmbd has an off-by-one error in memory allocation (because of ksmbd_smb2_check_message) that may lead to out-of-bounds access.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38429",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc3"
},
{
"id": "CVE-2023-38430",
"summary": "An issue was discovered in the Linux kernel before 6.3.9. ksmbd does not validate the SMB request protocol ID, leading to an out-of-bounds read.",
"scorev2": "0.0",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38430",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc6"
},
{
"id": "CVE-2023-38431",
"summary": "An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/connection.c in ksmbd does not validate the relationship between the NetBIOS header's length field and the SMB header sizes, via pdu_size in ksmbd_conn_handler_loop, leading to an out-of-bounds read.",
"scorev2": "0.0",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38431",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc6"
},
{
"id": "CVE-2023-38432",
"summary": "An issue was discovered in the Linux kernel before 6.3.10. fs/smb/server/smb2misc.c in ksmbd does not validate the relationship between the command payload size and the RFC1002 length specification, leading to an out-of-bounds read.",
"scorev2": "0.0",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38432",
"detail": "fixed-version",
"description": "Fixed from version 6.4"
},
{
"id": "CVE-2023-3863",
"summary": "A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to impact a kernel information leak issue.",
"scorev2": "0.0",
"scorev3": "4.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3863",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc1"
},
{
"id": "CVE-2023-39189",
"summary": "A flaw was found in the Netfilter subsystem in the Linux kernel. The nfnl_osf_add_callback function did not validate the user mode controlled opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.",
"scorev2": "0.0",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39189",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc1"
},
{
"id": "CVE-2023-39191",
"summary": "An improper input validation flaw was found in the eBPF subsystem in the Linux kernel. The issue occurs due to a lack of proper validation of dynamic pointers within user-supplied eBPF programs prior to executing them. This may allow an attacker with CAP_BPF privileges to escalate privileges and execute arbitrary code in the context of the kernel.",
"scorev2": "0.0",
"scorev3": "8.2",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39191",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2023-39192",
"summary": "A flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure.",
"scorev2": "0.0",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39192",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc1"
},
{
"id": "CVE-2023-39193",
"summary": "A flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.",
"scorev2": "0.0",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39193",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc1"
},
{
"id": "CVE-2023-39194",
"summary": "A flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39194",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc7"
},
{
"id": "CVE-2023-39197",
"summary": "An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39197",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc1"
},
{
"id": "CVE-2023-39198",
"summary": "A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.",
"scorev2": "0.0",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39198",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc7"
},
{
"id": "CVE-2023-4004",
"summary": "A use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4004",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc3"
},
{
"id": "CVE-2023-4010",
"summary": "A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service.",
"scorev2": "0.0",
"scorev3": "4.6",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4010"
},
{
"id": "CVE-2023-4015",
"summary": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nOn an error when building a nftables rule, deactivating immediate expressions in nft_immediate_deactivate() can lead unbinding the chain and objects be deactivated but later used.\n\nWe recommend upgrading past commit 0a771f7b266b02d262900c75f1e175c7fe76fec2.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4015",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc4"
},
{
"id": "CVE-2023-40283",
"summary": "An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-40283",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc1"
},
{
"id": "CVE-2023-40791",
"summary": "extract_user_to_sg in lib/scatterlist.c in the Linux kernel before 6.4.12 fails to unpin pages in a certain situation, as demonstrated by a WARNING for try_grab_page.",
"scorev2": "0.0",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-40791",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc6"
},
{
"id": "CVE-2023-4132",
"summary": "A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4132",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc1"
},
{
"id": "CVE-2023-4133",
"summary": "A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4133",
"detail": "fixed-version",
"description": "Fixed from version 6.3"
},
{
"id": "CVE-2023-4147",
"summary": "A use-after-free flaw was found in the Linux kernel\u2019s Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4147",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc4"
},
{
"id": "CVE-2023-4155",
"summary": "A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages (`CONFIG_VMAP_STACK`).",
"scorev2": "0.0",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4155",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc6"
},
{
"id": "CVE-2023-4194",
"summary": "A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 (\"tun: tun_chr_open(): correctly initialize socket uid\"), - 66b2c338adce (\"tap: tap_open(): correctly initialize socket uid\"), pass \"inode->i_uid\" to sock_init_data_uid() as the last parameter and that turns out to not be accurate.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4194",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc5"
},
{
"id": "CVE-2023-4206",
"summary": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation.\n\nWhen route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\n\nWe recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4206",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc5"
},
{
"id": "CVE-2023-4207",
"summary": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\n\nWhen fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\n\nWe recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4207",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc5"
},
{
"id": "CVE-2023-4208",
"summary": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\n\nWhen u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\n\nWe recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4208",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc5"
},
{
"id": "CVE-2023-4244",
"summary": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nDue to a race condition between nf_tables netlink control plane transaction and nft_set element garbage collection, it is possible to underflow the reference counter causing a use-after-free vulnerability.\n\nWe recommend upgrading past commit 3e91b0ebd994635df2346353322ac51ce84ce6d8.\n\n",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4244",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc7"
},
{
"id": "CVE-2023-4273",
"summary": "A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4273",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc5"
},
{
"id": "CVE-2023-42752",
"summary": "An integer overflow flaw was found in the Linux kernel. This issue leads to the kernel allocating `skb_shared_info` in the userspace, which is exploitable in systems without SMAP protection since `skb_shared_info` contains references to function pointers.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-42752",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc1"
},
{
"id": "CVE-2023-42753",
"summary": "An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-42753",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc1"
},
{
"id": "CVE-2023-42754",
"summary": "A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-42754",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc3"
},
{
"id": "CVE-2023-42755",
"summary": "A flaw was found in the IPv4 Resource Reservation Protocol (RSVP) classifier in the Linux kernel. The xprt pointer may go beyond the linear part of the skb, leading to an out-of-bounds read in the `rsvp_classify` function. This issue may allow a local user to crash the system and cause a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-42755",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2023-42756",
"summary": "A flaw was found in the Netfilter subsystem of the Linux kernel. A race condition between IPSET_CMD_ADD and IPSET_CMD_SWAP can lead to a kernel panic due to the invocation of `__ip_set_put` on a wrong `set`. This issue may allow a local user to crash the system.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-42756",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc3"
},
{
"id": "CVE-2023-4385",
"summary": "A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap.c in the journaling file system (JFS) in the Linux Kernel. This issue may allow a local attacker to crash the system due to a missing sanity check.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4385",
"detail": "fixed-version",
"description": "Fixed from version 5.19rc1"
},
{
"id": "CVE-2023-4387",
"summary": "A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a kernel information leak problem.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4387",
"detail": "fixed-version",
"description": "Fixed from version 5.18"
},
{
"id": "CVE-2023-4389",
"summary": "A flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in the btrfs filesystem in the Linux Kernel due to a double decrement of the reference count. This issue may allow a local attacker with user privilege to crash the system or may lead to leaked internal kernel information.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4389",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc3"
},
{
"id": "CVE-2023-4394",
"summary": "A use-after-free flaw was found in btrfs_get_dev_args_from_path in fs/btrfs/volumes.c in btrfs file-system in the Linux Kernel. This flaw allows a local attacker with special privileges to cause a system crash or leak internal kernel information",
"scorev2": "0.0",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4394",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc3"
},
{
"id": "CVE-2023-44466",
"summary": "An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-44466",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc2"
},
{
"id": "CVE-2023-4459",
"summary": "A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with normal user privilege to cause a denial of service due to a missing sanity check during cleanup.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4459",
"detail": "fixed-version",
"description": "Fixed from version 5.18"
},
{
"id": "CVE-2023-4569",
"summary": "A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow a local attacker to cause double-deactivations of catchall elements, which can result in a memory leak.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4569",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc7"
},
{
"id": "CVE-2023-45862",
"summary": "An issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-45862",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2023-45863",
"summary": "An issue was discovered in lib/kobject.c in the Linux kernel before 6.2.3. With root access, an attacker can trigger a race condition that results in a fill_kobj_path out-of-bounds write.",
"scorev2": "0.0",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-45863",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2023-45871",
"summary": "An issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-45871",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc1"
},
{
"id": "CVE-2023-45898",
"summary": "The Linux kernel before 6.5.4 has an es1 use-after-free in fs/ext4/extents_status.c, related to ext4_es_insert_extent.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-45898",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc1"
},
{
"id": "CVE-2023-4611",
"summary": "A use-after-free flaw was found in mm/mempolicy.c in the memory management subsystem in the Linux Kernel. This issue is caused by a race between mbind() and VMA-locked page fault, and may allow a local attacker to crash the system or lead to a kernel information leak.",
"scorev2": "0.0",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4611",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc4"
},
{
"id": "CVE-2023-4622",
"summary": "A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation.\n\nThe unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free.\n\nWe recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.\n\n",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4622",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc1"
},
{
"id": "CVE-2023-4623",
"summary": "A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation.\n\nIf a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free.\n\nWe recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4623",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc1"
},
{
"id": "CVE-2023-46343",
"summary": "In the Linux kernel before 6.5.9, there is a NULL pointer dereference in send_acknowledge in net/nfc/nci/spi.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-46343",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc7"
},
{
"id": "CVE-2023-46813",
"summary": "An issue was discovered in the Linux kernel before 6.5.9, exploitable by local users with userspace access to MMIO registers. Incorrect access checking in the #VC handler and instruction emulation of the SEV-ES emulation of MMIO accesses could lead to arbitrary write access to kernel memory (and thus privilege escalation). This depends on a race condition through which userspace can replace an instruction before the #VC handler reads it.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-46813",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc7"
},
{
"id": "CVE-2023-46838",
"summary": "Transmit requests in Xen's virtual network protocol can consist of\nmultiple parts. While not really useful, except for the initial part\nany of them may be of zero length, i.e. carry no data at all. Besides a\ncertain initial portion of the to be transferred data, these parts are\ndirectly translated into what Linux calls SKB fragments. Such converted\nrequest parts can, when for a particular SKB they are all of length\nzero, lead to a de-reference of NULL in core networking code.\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-46838",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-46862",
"summary": "An issue was discovered in the Linux kernel through 6.5.9. During a race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo NULL pointer dereference can occur.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-46862",
"detail": "fixed-version",
"description": "Fixed from version 6.6"
},
{
"id": "CVE-2023-47233",
"summary": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.",
"scorev2": "0.0",
"scorev3": "4.3",
"vector": "PHYSICAL",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-47233"
},
{
"id": "CVE-2023-4732",
"summary": "A flaw was found in pfn_swap_entry_to_page in memory management subsystem in the Linux Kernel. In this flaw, an attacker with a local user privilege may cause a denial of service problem due to a BUG statement referencing pmd_t x.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4732",
"detail": "fixed-version",
"description": "Fixed from version 5.14rc1"
},
{
"id": "CVE-2023-4921",
"summary": "A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.\n\nWhen the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue().\n\nWe recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4921",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc1"
},
{
"id": "CVE-2023-50431",
"summary": "sec_attest_info in drivers/accel/habanalabs/common/habanalabs_ioctl.c in the Linux kernel through 6.6.5 allows an information leak to user space because info->pad0 is not initialized.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-50431",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-5090",
"summary": "A flaw was found in KVM. An improper check in svm_set_x2apic_msr_interception() may allow direct access to host x2apic msrs when the guest resets its apic, potentially leading to a denial of service condition.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5090",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc7"
},
{
"id": "CVE-2023-51042",
"summary": "In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51042",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc1"
},
{
"id": "CVE-2023-51043",
"summary": "In the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a use-after-free during a race condition between a nonblocking atomic commit and a driver unload.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51043",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc3"
},
{
"id": "CVE-2023-5158",
"summary": "A flaw was found in vringh_kiov_advance in drivers/vhost/vringh.c in the host side of a virtio ring in the Linux Kernel. This issue may result in a denial of service from guest to host via zero length descriptor.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5158",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc5"
},
{
"id": "CVE-2023-51779",
"summary": "bt_sock_recvmsg in net/bluetooth/af_bluetooth.c in the Linux kernel through 6.6.8 has a use-after-free because of a bt_sock_ioctl race condition.",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51779",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.9"
},
{
"id": "CVE-2023-5178",
"summary": "A use-after-free vulnerability was found in drivers/nvme/target/tcp.c` in `nvmet_tcp_free_crypto` due to a logical bug in the NVMe/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause a use-after-free and double-free problem, which may permit remote code execution or lead to local privilege escalation.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5178",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc7"
},
{
"id": "CVE-2023-51780",
"summary": "An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51780",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.8"
},
{
"id": "CVE-2023-51781",
"summary": "An issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-after-free because of an atalk_recvmsg race condition.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51781",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.8"
},
{
"id": "CVE-2023-51782",
"summary": "An issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51782",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.8"
},
{
"id": "CVE-2023-5197",
"summary": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nAddition and removal of rules from chain bindings within the same transaction causes leads to use-after-free.\n\nWe recommend upgrading past commit f15f29fd4779be8a418b66e9d52979bb6d6c2325.\n\n",
"scorev2": "0.0",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5197",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc3"
},
{
"id": "CVE-2023-52340",
"summary": "The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/route.c max_size threshold that can be consumed easily, e.g., leading to a denial of service (network is unreachable errors) when IPv6 packets are sent in a loop via a raw socket.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52340",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2023-52429",
"summary": "dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52429",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.18"
},
{
"id": "CVE-2023-52433",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: skip sync GC for new elements in this transaction\n\nNew elements in this transaction might expired before such transaction\nends. Skip sync GC for such elements otherwise commit path might walk\nover an already released object. Once transaction is finished, async GC\nwill collect such expired element.",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52433",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc1"
},
{
"id": "CVE-2023-52434",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential OOBs in smb2_parse_contexts()\n\nValidate offsets and lengths before dereferencing create contexts in\nsmb2_parse_contexts().\n\nThis fixes following oops when accessing invalid create contexts from\nserver:\n\n BUG: unable to handle page fault for address: ffff8881178d8cc3\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 4a01067 P4D 4a01067 PUD 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs]\n Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00\n 00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 <0f> b7\n 7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00\n RSP: 0018:ffffc900007939e0 EFLAGS: 00010216\n RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90\n RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000\n RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000\n R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000\n R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22\n FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000)\n knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0\n PKRU: 55555554\n Call Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x181/0x480\n ? search_module_extables+0x19/0x60\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? exc_page_fault+0x1b6/0x1c0\n ? asm_exc_page_fault+0x26/0x30\n ? smb2_parse_contexts+0xa0/0x3a0 [cifs]\n SMB2_open+0x38d/0x5f0 [cifs]\n ? smb2_is_path_accessible+0x138/0x260 [cifs]\n smb2_is_path_accessible+0x138/0x260 [cifs]\n cifs_is_path_remote+0x8d/0x230 [cifs]\n cifs_mount+0x7e/0x350 [cifs]\n cifs_smb3_do_mount+0x128/0x780 [cifs]\n smb3_get_tree+0xd9/0x290 [cifs]\n vfs_get_tree+0x2c/0x100\n ? capable+0x37/0x70\n path_mount+0x2d7/0xb80\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? _raw_spin_unlock_irqrestore+0x44/0x60\n __x64_sys_mount+0x11a/0x150\n do_syscall_64+0x47/0xf0\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n RIP: 0033:0x7f8737657b1e",
"scorev2": "0.0",
"scorev3": "8.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52434",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.8"
},
{
"id": "CVE-2023-52435",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: prevent mss overflow in skb_segment()\n\nOnce again syzbot is able to crash the kernel in skb_segment() [1]\n\nGSO_BY_FRAGS is a forbidden value, but unfortunately the following\ncomputation in skb_segment() can reach it quite easily :\n\n\tmss = mss * partial_segs;\n\n65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to\na bad final result.\n\nMake sure to limit segmentation so that the new mss value is smaller\nthan GSO_BY_FRAGS.\n\n[1]\n\ngeneral protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0\nR13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046\nFS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\nudp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109\nipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120\nskb_mac_gso_segment+0x290/0x610 net/core/gso.c:53\n__skb_gso_segment+0x339/0x710 net/core/gso.c:124\nskb_gso_segment include/net/gso.h:83 [inline]\nvalidate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626\n__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\npacket_xmit+0x257/0x380 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3087 [inline]\npacket_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n__sys_sendto+0x255/0x340 net/socket.c:2190\n__do_sys_sendto net/socket.c:2202 [inline]\n__se_sys_sendto net/socket.c:2198 [inline]\n__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7f8692032aa9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9\nRDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003\nRBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480\nR13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003\n\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R0\n---truncated---",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52435",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.11"
},
{
"id": "CVE-2023-52436",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: explicitly null-terminate the xattr list\n\nWhen setting an xattr, explicitly null-terminate the xattr list. This\neliminates the fragile assumption that the unused xattr space is always\nzeroed.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52436",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.13"
},
{
"id": "CVE-2023-52438",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix use-after-free in shinker's callback\n\nThe mmap read lock is used during the shrinker's callback, which means\nthat using alloc->vma pointer isn't safe as it can race with munmap().\nAs of commit dd2283f2605e (\"mm: mmap: zap pages with read mmap_sem in\nmunmap\") the mmap lock is downgraded after the vma has been isolated.\n\nI was able to reproduce this issue by manually adding some delays and\ntriggering page reclaiming through the shrinker's debug sysfs. The\nfollowing KASAN report confirms the UAF:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8\n Read of size 8 at addr ffff356ed50e50f0 by task bash/478\n\n CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n zap_page_range_single+0x470/0x4b8\n binder_alloc_free_page+0x608/0xadc\n __list_lru_walk_one+0x130/0x3b0\n list_lru_walk_node+0xc4/0x22c\n binder_shrink_scan+0x108/0x1dc\n shrinker_debugfs_scan_write+0x2b4/0x500\n full_proxy_write+0xd4/0x140\n vfs_write+0x1ac/0x758\n ksys_write+0xf0/0x1dc\n __arm64_sys_write+0x6c/0x9c\n\n Allocated by task 492:\n kmem_cache_alloc+0x130/0x368\n vm_area_alloc+0x2c/0x190\n mmap_region+0x258/0x18bc\n do_mmap+0x694/0xa60\n vm_mmap_pgoff+0x170/0x29c\n ksys_mmap_pgoff+0x290/0x3a0\n __arm64_sys_mmap+0xcc/0x144\n\n Freed by task 491:\n kmem_cache_free+0x17c/0x3c8\n vm_area_free_rcu_cb+0x74/0x98\n rcu_core+0xa38/0x26d4\n rcu_core_si+0x10/0x1c\n __do_softirq+0x2fc/0xd24\n\n Last potentially related work creation:\n __call_rcu_common.constprop.0+0x6c/0xba0\n call_rcu+0x10/0x1c\n vm_area_free+0x18/0x24\n remove_vma+0xe4/0x118\n do_vmi_align_munmap.isra.0+0x718/0xb5c\n do_vmi_munmap+0xdc/0x1fc\n __vm_munmap+0x10c/0x278\n __arm64_sys_munmap+0x58/0x7c\n\nFix this issue by performing instead a vma_lookup() which will fail to\nfind the vma that was isolated before the mmap lock downgrade. Note that\nthis option has better performance than upgrading to a mmap write lock\nwhich would increase contention. Plus, mmap_write_trylock() has been\nrecently removed anyway.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52438",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.13"
},
{
"id": "CVE-2023-52439",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio: Fix use-after-free in uio_open\n\ncore-1\t\t\t\tcore-2\n-------------------------------------------------------\nuio_unregister_device\t\tuio_open\n\t\t\t\tidev = idr_find()\ndevice_unregister(&idev->dev)\nput_device(&idev->dev)\nuio_device_release\n\t\t\t\tget_device(&idev->dev)\nkfree(idev)\nuio_free_minor(minor)\n\t\t\t\tuio_release\n\t\t\t\tput_device(&idev->dev)\n\t\t\t\tkfree(idev)\n-------------------------------------------------------\n\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\nidev when the idev->dev kobject ref is 1. But after core-1\ndevice_unregister, put_device and before doing kfree, the core-2 may\nget_device. Then:\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\n2. When core-2 do uio_release and put_device, the idev will be double\n freed.\n\nTo address this issue, we can get idev atomic & inc idev reference with\nminor_lock.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52439",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.13"
},
{
"id": "CVE-2023-52440",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob()\n\nIf authblob->SessionKey.Length is bigger than session key\nsize(CIFS_KEY_SIZE), slub overflow can happen in key exchange codes.\ncifs_arc4_crypt copy to session key array from SessionKey from client.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52440",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc1"
},
{
"id": "CVE-2023-52441",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix out of bounds in init_smb2_rsp_hdr()\n\nIf client send smb2 negotiate request and then send smb1 negotiate\nrequest, init_smb2_rsp_hdr is called for smb1 negotiate request since\nneed_neg is set to false. This patch ignore smb1 packets after ->need_neg\nis set to false.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52441",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc4"
},
{
"id": "CVE-2023-52442",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate session id and tree id in compound request\n\n`smb2_get_msg()` in smb2_get_ksmbd_tcon() and smb2_check_user_session()\nwill always return the first request smb2 header in a compound request.\nif `SMB2_TREE_CONNECT_HE` is the first command in compound request, will\nreturn 0, i.e. The tree id check is skipped.\nThis patch use ksmbd_req_buf_next() to get current command in compound.",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52442",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc4"
},
{
"id": "CVE-2023-52443",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: avoid crash when parsed profile name is empty\n\nWhen processing a packed profile in unpack_profile() described like\n\n \"profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}\"\n\na string \":samba-dcerpcd\" is unpacked as a fully-qualified name and then\npassed to aa_splitn_fqname().\n\naa_splitn_fqname() treats \":samba-dcerpcd\" as only containing a namespace.\nThus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later\naa_alloc_profile() crashes as the new profile name is NULL now.\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\nRIP: 0010:strlen+0x1e/0xa0\nCall Trace:\n \n ? strlen+0x1e/0xa0\n aa_policy_init+0x1bb/0x230\n aa_alloc_profile+0xb1/0x480\n unpack_profile+0x3bc/0x4960\n aa_unpack+0x309/0x15e0\n aa_replace_profiles+0x213/0x33c0\n policy_update+0x261/0x370\n profile_replace+0x20e/0x2a0\n vfs_write+0x2af/0xe00\n ksys_write+0x126/0x250\n do_syscall_64+0x46/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n \n---[ end trace 0000000000000000 ]---\nRIP: 0010:strlen+0x1e/0xa0\n\nIt seems such behaviour of aa_splitn_fqname() is expected and checked in\nother places where it is called (e.g. aa_remove_profiles). Well, there\nis an explicit comment \"a ns name without a following profile is allowed\"\ninside.\n\nAFAICS, nothing can prevent unpacked \"name\" to be in form like\n\":samba-dcerpcd\" - it is passed from userspace.\n\nDeny the whole profile set replacement in such case and inform user with\nEPROTO and an explaining message.\n\nFound by Linux Verification Center (linuxtesting.org).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52443",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52444",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid dirent corruption\n\nAs Al reported in link[1]:\n\nf2fs_rename()\n...\n\tif (old_dir != new_dir && !whiteout)\n\t\tf2fs_set_link(old_inode, old_dir_entry,\n\t\t\t\t\told_dir_page, new_dir);\n\telse\n\t\tf2fs_put_page(old_dir_page, 0);\n\nYou want correct inumber in the \"..\" link. And cross-directory\nrename does move the source to new parent, even if you'd been asked\nto leave a whiteout in the old place.\n\n[1] https://lore.kernel.org/all/20231017055040.GN800259@ZenIV/\n\nWith below testcase, it may cause dirent corruption, due to it missed\nto call f2fs_set_link() to update \"..\" link to new directory.\n- mkdir -p dir/foo\n- renameat2 -w dir/foo bar\n\n[ASSERT] (__chk_dots_dentries:1421) --> Bad inode number[0x4] for '..', parent parent ino is [0x3]\n[FSCK] other corrupted bugs [Fail]",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52444",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52445",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pvrusb2: fix use after free on context disconnection\n\nUpon module load, a kthread is created targeting the\npvr2_context_thread_func function, which may call pvr2_context_destroy\nand thus call kfree() on the context object. However, that might happen\nbefore the usb hub_event handler is able to notify the driver. This\npatch adds a sanity check before the invalid read reported by syzbot,\nwithin the context disconnection call stack.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52445",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52446",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a race condition between btf_put() and map_free()\n\nWhen running `./test_progs -j` in my local vm with latest kernel,\nI once hit a kasan error like below:\n\n [ 1887.184724] BUG: KASAN: slab-use-after-free in bpf_rb_root_free+0x1f8/0x2b0\n [ 1887.185599] Read of size 4 at addr ffff888106806910 by task kworker/u12:2/2830\n [ 1887.186498]\n [ 1887.186712] CPU: 3 PID: 2830 Comm: kworker/u12:2 Tainted: G OEL 6.7.0-rc3-00699-g90679706d486-dirty #494\n [ 1887.188034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n [ 1887.189618] Workqueue: events_unbound bpf_map_free_deferred\n [ 1887.190341] Call Trace:\n [ 1887.190666] \n [ 1887.190949] dump_stack_lvl+0xac/0xe0\n [ 1887.191423] ? nf_tcp_handle_invalid+0x1b0/0x1b0\n [ 1887.192019] ? panic+0x3c0/0x3c0\n [ 1887.192449] print_report+0x14f/0x720\n [ 1887.192930] ? preempt_count_sub+0x1c/0xd0\n [ 1887.193459] ? __virt_addr_valid+0xac/0x120\n [ 1887.194004] ? bpf_rb_root_free+0x1f8/0x2b0\n [ 1887.194572] kasan_report+0xc3/0x100\n [ 1887.195085] ? bpf_rb_root_free+0x1f8/0x2b0\n [ 1887.195668] bpf_rb_root_free+0x1f8/0x2b0\n [ 1887.196183] ? __bpf_obj_drop_impl+0xb0/0xb0\n [ 1887.196736] ? preempt_count_sub+0x1c/0xd0\n [ 1887.197270] ? preempt_count_sub+0x1c/0xd0\n [ 1887.197802] ? _raw_spin_unlock+0x1f/0x40\n [ 1887.198319] bpf_obj_free_fields+0x1d4/0x260\n [ 1887.198883] array_map_free+0x1a3/0x260\n [ 1887.199380] bpf_map_free_deferred+0x7b/0xe0\n [ 1887.199943] process_scheduled_works+0x3a2/0x6c0\n [ 1887.200549] worker_thread+0x633/0x890\n [ 1887.201047] ? __kthread_parkme+0xd7/0xf0\n [ 1887.201574] ? kthread+0x102/0x1d0\n [ 1887.202020] kthread+0x1ab/0x1d0\n [ 1887.202447] ? pr_cont_work+0x270/0x270\n [ 1887.202954] ? kthread_blkcg+0x50/0x50\n [ 1887.203444] ret_from_fork+0x34/0x50\n [ 1887.203914] ? kthread_blkcg+0x50/0x50\n [ 1887.204397] ret_from_fork_asm+0x11/0x20\n [ 1887.204913] \n [ 1887.204913] \n [ 1887.205209]\n [ 1887.205416] Allocated by task 2197:\n [ 1887.205881] kasan_set_track+0x3f/0x60\n [ 1887.206366] __kasan_kmalloc+0x6e/0x80\n [ 1887.206856] __kmalloc+0xac/0x1a0\n [ 1887.207293] btf_parse_fields+0xa15/0x1480\n [ 1887.207836] btf_parse_struct_metas+0x566/0x670\n [ 1887.208387] btf_new_fd+0x294/0x4d0\n [ 1887.208851] __sys_bpf+0x4ba/0x600\n [ 1887.209292] __x64_sys_bpf+0x41/0x50\n [ 1887.209762] do_syscall_64+0x4c/0xf0\n [ 1887.210222] entry_SYSCALL_64_after_hwframe+0x63/0x6b\n [ 1887.210868]\n [ 1887.211074] Freed by task 36:\n [ 1887.211460] kasan_set_track+0x3f/0x60\n [ 1887.211951] kasan_save_free_info+0x28/0x40\n [ 1887.212485] ____kasan_slab_free+0x101/0x180\n [ 1887.213027] __kmem_cache_free+0xe4/0x210\n [ 1887.213514] btf_free+0x5b/0x130\n [ 1887.213918] rcu_core+0x638/0xcc0\n [ 1887.214347] __do_softirq+0x114/0x37e\n\nThe error happens at bpf_rb_root_free+0x1f8/0x2b0:\n\n 00000000000034c0 :\n ; {\n 34c0: f3 0f 1e fa endbr64\n 34c4: e8 00 00 00 00 callq 0x34c9 \n 34c9: 55 pushq %rbp\n 34ca: 48 89 e5 movq %rsp, %rbp\n ...\n ; if (rec && rec->refcount_off >= 0 &&\n 36aa: 4d 85 ed testq %r13, %r13\n 36ad: 74 a9 je 0x3658 \n 36af: 49 8d 7d 10 leaq 0x10(%r13), %rdi\n 36b3: e8 00 00 00 00 callq 0x36b8 \n <==== kasan function\n 36b8: 45 8b 7d 10 movl 0x10(%r13), %r15d\n <==== use-after-free load\n 36bc: 45 85 ff testl %r15d, %r15d\n 36bf: 78 8c js 0x364d \n\nSo the problem \n---truncated---",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52446",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52447",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Defer the free of inner map when necessary\n\nWhen updating or deleting an inner map in map array or map htab, the map\nmay still be accessed by non-sleepable program or sleepable program.\nHowever bpf_map_fd_put_ptr() decreases the ref-counter of the inner map\ndirectly through bpf_map_put(), if the ref-counter is the last one\n(which is true for most cases), the inner map will be freed by\nops->map_free() in a kworker. But for now, most .map_free() callbacks\ndon't use synchronize_rcu() or its variants to wait for the elapse of a\nRCU grace period, so after the invocation of ops->map_free completes,\nthe bpf program which is accessing the inner map may incur\nuse-after-free problem.\n\nFix the free of inner map by invoking bpf_map_free_deferred() after both\none RCU grace period and one tasks trace RCU grace period if the inner\nmap has been removed from the outer map before. The deferment is\naccomplished by using call_rcu() or call_rcu_tasks_trace() when\nreleasing the last ref-counter of bpf map. The newly-added rcu_head\nfield in bpf_map shares the same storage space with work field to\nreduce the size of bpf_map.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52447",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52448",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump\n\nSyzkaller has reported a NULL pointer dereference when accessing\nrgd->rd_rgl in gfs2_rgrp_dump(). This can happen when creating\nrgd->rd_gl fails in read_rindex_entry(). Add a NULL pointer check in\ngfs2_rgrp_dump() to prevent that.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52448",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52449",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: Fix gluebi NULL pointer dereference caused by ftl notifier\n\nIf both ftl.ko and gluebi.ko are loaded, the notifier of ftl\ntriggers NULL pointer dereference when trying to access\n\u2018gluebi->desc\u2019 in gluebi_read().\n\nubi_gluebi_init\n ubi_register_volume_notifier\n ubi_enumerate_volumes\n ubi_notify_all\n gluebi_notify nb->notifier_call()\n gluebi_create\n mtd_device_register\n mtd_device_parse_register\n add_mtd_device\n blktrans_notify_add not->add()\n ftl_add_mtd tr->add_mtd()\n scan_header\n mtd_read\n mtd_read_oob\n mtd_read_oob_std\n gluebi_read mtd->read()\n gluebi->desc - NULL\n\nDetailed reproduction information available at the Link [1],\n\nIn the normal case, obtain gluebi->desc in the gluebi_get_device(),\nand access gluebi->desc in the gluebi_read(). However,\ngluebi_get_device() is not executed in advance in the\nftl_add_mtd() process, which leads to NULL pointer dereference.\n\nThe solution for the gluebi module is to run jffs2 on the UBI\nvolume without considering working with ftl or mtdblock [2].\nTherefore, this problem can be avoided by preventing gluebi from\ncreating the mtdblock device after creating mtd partition of the\ntype MTD_UBIVOLUME.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52449",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52450",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel/uncore: Fix NULL pointer dereference issue in upi_fill_topology()\n\nGet logical socket id instead of physical id in discover_upi_topology()\nto avoid out-of-bound access on 'upi = &type->topology[nid][idx];' line\nthat leads to NULL pointer dereference in upi_fill_topology()",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52450",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52451",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/memhp: Fix access beyond end of drmem array\n\ndlpar_memory_remove_by_index() may access beyond the bounds of the\ndrmem lmb array when the LMB lookup fails to match an entry with the\ngiven DRC index. When the search fails, the cursor is left pointing to\n&drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the\nlast valid entry in the array. The debug message at the end of the\nfunction then dereferences this pointer:\n\n pr_debug(\"Failed to hot-remove memory at %llx\\n\",\n lmb->base_addr);\n\nThis was found by inspection and confirmed with KASAN:\n\n pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234\n ==================================================================\n BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658\n Read of size 8 at addr c000000364e97fd0 by task bash/949\n\n dump_stack_lvl+0xa4/0xfc (unreliable)\n print_report+0x214/0x63c\n kasan_report+0x140/0x2e0\n __asan_load8+0xa8/0xe0\n dlpar_memory+0x298/0x1658\n handle_dlpar_errorlog+0x130/0x1d0\n dlpar_store+0x18c/0x3e0\n kobj_attr_store+0x68/0xa0\n sysfs_kf_write+0xc4/0x110\n kernfs_fop_write_iter+0x26c/0x390\n vfs_write+0x2d4/0x4e0\n ksys_write+0xac/0x1a0\n system_call_exception+0x268/0x530\n system_call_vectored_common+0x15c/0x2ec\n\n Allocated by task 1:\n kasan_save_stack+0x48/0x80\n kasan_set_track+0x34/0x50\n kasan_save_alloc_info+0x34/0x50\n __kasan_kmalloc+0xd0/0x120\n __kmalloc+0x8c/0x320\n kmalloc_array.constprop.0+0x48/0x5c\n drmem_init+0x2a0/0x41c\n do_one_initcall+0xe0/0x5c0\n kernel_init_freeable+0x4ec/0x5a0\n kernel_init+0x30/0x1e0\n ret_from_kernel_user_thread+0x14/0x1c\n\n The buggy address belongs to the object at c000000364e80000\n which belongs to the cache kmalloc-128k of size 131072\n The buggy address is located 0 bytes to the right of\n allocated 98256-byte region [c000000364e80000, c000000364e97fd0)\n\n ==================================================================\n pseries-hotplug-mem: Failed to hot-remove memory at 0\n\nLog failed lookups with a separate message and dereference the\ncursor only when it points to a valid entry.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52451",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52452",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix accesses to uninit stack slots\n\nPrivileged programs are supposed to be able to read uninitialized stack\nmemory (ever since 6715df8d5) but, before this patch, these accesses\nwere permitted inconsistently. In particular, accesses were permitted\nabove state->allocated_stack, but not below it. In other words, if the\nstack was already \"large enough\", the access was permitted, but\notherwise the access was rejected instead of being allowed to \"grow the\nstack\". This undesired rejection was happening in two places:\n- in check_stack_slot_within_bounds()\n- in check_stack_range_initialized()\nThis patch arranges for these accesses to be permitted. A bunch of tests\nthat were relying on the old rejection had to change; all of them were\nchanged to add also run unprivileged, in which case the old behavior\npersists. One tests couldn't be updated - global_func16 - because it\ncan't run unprivileged for other reasons.\n\nThis patch also fixes the tracking of the stack size for variable-offset\nreads. This second fix is bundled in the same commit as the first one\nbecause they're inter-related. Before this patch, writes to the stack\nusing registers containing a variable offset (as opposed to registers\nwith fixed, known values) were not properly contributing to the\nfunction's needed stack size. As a result, it was possible for a program\nto verify, but then to attempt to read out-of-bounds data at runtime\nbecause a too small stack had been allocated for it.\n\nEach function tracks the size of the stack it needs in\nbpf_subprog_info.stack_depth, which is maintained by\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\nwas calling update_state_depth() but it was passing in only the fixed\npart of the offset register, ignoring the variable offset. This was\nincorrect; the minimum possible value of that register should be used\ninstead.\n\nThis tracking is now fixed by centralizing the tracking of stack size in\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\nnow simpler and more convincingly tracks the correct maximum stack size.\ncheck_stack_range_initialized() can now rely on enough stack having been\nallocated for the access; this helps with the fix for the first issue.\n\nA few tests were changed to also check the stack depth computation. The\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52452",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52453",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhisi_acc_vfio_pci: Update migration data pointer correctly on saving/resume\n\nWhen the optional PRE_COPY support was added to speed up the device\ncompatibility check, it failed to update the saving/resuming data\npointers based on the fd offset. This results in migration data\ncorruption and when the device gets started on the destination the\nfollowing error is reported in some cases,\n\n[ 478.907684] arm-smmu-v3 arm-smmu-v3.2.auto: event 0x10 received:\n[ 478.913691] arm-smmu-v3 arm-smmu-v3.2.auto: 0x0000310200000010\n[ 478.919603] arm-smmu-v3 arm-smmu-v3.2.auto: 0x000002088000007f\n[ 478.925515] arm-smmu-v3 arm-smmu-v3.2.auto: 0x0000000000000000\n[ 478.931425] arm-smmu-v3 arm-smmu-v3.2.auto: 0x0000000000000000\n[ 478.947552] hisi_zip 0000:31:00.0: qm_axi_rresp [error status=0x1] found\n[ 478.955930] hisi_zip 0000:31:00.0: qm_db_timeout [error status=0x400] found\n[ 478.955944] hisi_zip 0000:31:00.0: qm sq doorbell timeout in function 2",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52453",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52454",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\n\nIf the host sends an H2CData command with an invalid DATAL,\nthe kernel may crash in nvmet_tcp_build_pdu_iovec().\n\nUnable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\nlr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]\nCall trace:\n process_one_work+0x174/0x3c8\n worker_thread+0x2d0/0x3e8\n kthread+0x104/0x110\n\nFix the bug by raising a fatal error if DATAL isn't coherent\nwith the packet size.\nAlso, the PDU length should never exceed the MAXH2CDATA parameter which\nhas been communicated to the host in nvmet_tcp_handle_icreq().",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52454",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52455",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Don't reserve 0-length IOVA region\n\nWhen the bootloader/firmware doesn't setup the framebuffers, their\naddress and size are 0 in \"iommu-addresses\" property. If IOVA region is\nreserved with 0 length, then it ends up corrupting the IOVA rbtree with\nan entry which has pfn_hi < pfn_lo.\nIf we intend to use display driver in kernel without framebuffer then\nit's causing the display IOMMU mappings to fail as entire valid IOVA\nspace is reserved when address and length are passed as 0.\nAn ideal solution would be firmware removing the \"iommu-addresses\"\nproperty and corresponding \"memory-region\" if display is not present.\nBut the kernel should be able to handle this by checking for size of\nIOVA region and skipping the IOVA reservation if size is 0. Also, add\na warning if firmware is requesting 0-length IOVA region reservation.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52455",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52456",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: imx: fix tx statemachine deadlock\n\nWhen using the serial port as RS485 port, the tx statemachine is used to\ncontrol the RTS pin to drive the RS485 transceiver TX_EN pin. When the\nTTY port is closed in the middle of a transmission (for instance during\nuserland application crash), imx_uart_shutdown disables the interface\nand disables the Transmission Complete interrupt. afer that,\nimx_uart_stop_tx bails on an incomplete transmission, to be retriggered\nby the TC interrupt. This interrupt is disabled and therefore the tx\nstatemachine never transitions out of SEND. The statemachine is in\ndeadlock now, and the TX_EN remains low, making the interface useless.\n\nimx_uart_stop_tx now checks for incomplete transmission AND whether TC\ninterrupts are enabled before bailing to be retriggered. This makes sure\nthe state machine handling is reached, and is properly set to\nWAIT_AFTER_SEND.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52456",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52457",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed\n\nReturning an error code from .remove() makes the driver core emit the\nlittle helpful error message:\n\n\tremove callback returned a non-zero value. This will be ignored.\n\nand then remove the device anyhow. So all resources that were not freed\nare leaked in this case. Skipping serial8250_unregister_port() has the\npotential to keep enough of the UART around to trigger a use-after-free.\n\nSo replace the error return (and with it the little helpful error\nmessage) by a more useful error message and continue to cleanup.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52457",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52458",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: add check that partition length needs to be aligned with block size\n\nBefore calling add partition or resize partition, there is no check\non whether the length is aligned with the logical block size.\nIf the logical block size of the disk is larger than 512 bytes,\nthen the partition size maybe not the multiple of the logical block size,\nand when the last sector is read, bio_truncate() will adjust the bio size,\nresulting in an IO error if the size of the read command is smaller than\nthe logical block size.If integrity data is supported, this will also\nresult in a null pointer dereference when calling bio_integrity_free.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52458",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52459",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l: async: Fix duplicated list deletion\n\nThe list deletion call dropped here is already called from the\nhelper function in the line before. Having a second list_del()\ncall results in either a warning (with CONFIG_DEBUG_LIST=y):\n\nlist_del corruption, c46c8198->next is LIST_POISON1 (00000100)\n\nIf CONFIG_DEBUG_LIST is disabled the operation results in a\nkernel error due to NULL pointer dereference.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52459",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52460",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL pointer dereference at hibernate\n\nDuring hibernate sequence the source context might not have a clk_mgr.\nSo don't use it to look for DML2 support.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52460",
"detail": "fixed-version",
"description": "only affects 6.7rc1 onwards"
},
{
"id": "CVE-2023-52461",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Fix bounds limiting when given a malformed entity\n\nIf we're given a malformed entity in drm_sched_entity_init()--shouldn't\nhappen, but we verify--with out-of-bounds priority value, we set it to an\nallowed value. Fix the expression which sets this limit.",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52461",
"detail": "fixed-version",
"description": "only affects 6.7rc1 onwards"
},
{
"id": "CVE-2023-52462",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix check for attempt to corrupt spilled pointer\n\nWhen register is spilled onto a stack as a 1/2/4-byte register, we set\nslot_type[BPF_REG_SIZE - 1] (plus potentially few more below it,\ndepending on actual spill size). So to check if some stack slot has\nspilled register we need to consult slot_type[7], not slot_type[0].\n\nTo avoid the need to remember and double-check this in the future, just\nuse is_spilled_reg() helper.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52462",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52463",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: force RO when remounting if SetVariable is not supported\n\nIf SetVariable at runtime is not supported by the firmware we never assign\na callback for that function. At the same time mount the efivarfs as\nRO so no one can call that. However, we never check the permission flags\nwhen someone remounts the filesystem as RW. As a result this leads to a\ncrash looking like this:\n\n$ mount -o remount,rw /sys/firmware/efi/efivars\n$ efi-updatevar -f PK.auth PK\n\n[ 303.279166] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[ 303.280482] Mem abort info:\n[ 303.280854] ESR = 0x0000000086000004\n[ 303.281338] EC = 0x21: IABT (current EL), IL = 32 bits\n[ 303.282016] SET = 0, FnV = 0\n[ 303.282414] EA = 0, S1PTW = 0\n[ 303.282821] FSC = 0x04: level 0 translation fault\n[ 303.283771] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004258c000\n[ 303.284913] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n[ 303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP\n[ 303.286936] Modules linked in: qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse ip_tables x_tables ipv6\n[ 303.288586] CPU: 1 PID: 755 Comm: efi-updatevar Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1\n[ 303.289748] Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d 04/01/2023\n[ 303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 303.292123] pc : 0x0\n[ 303.292443] lr : efivar_set_variable_locked+0x74/0xec\n[ 303.293156] sp : ffff800008673c10\n[ 303.293619] x29: ffff800008673c10 x28: ffff0000037e8000 x27: 0000000000000000\n[ 303.294592] x26: 0000000000000800 x25: ffff000002467400 x24: 0000000000000027\n[ 303.295572] x23: ffffd49ea9832000 x22: ffff0000020c9800 x21: ffff000002467000\n[ 303.296566] x20: 0000000000000001 x19: 00000000000007fc x18: 0000000000000000\n[ 303.297531] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaac807ab54\n[ 303.298495] x14: ed37489f673633c0 x13: 71c45c606de13f80 x12: 47464259e219acf4\n[ 303.299453] x11: ffff000002af7b01 x10: 0000000000000003 x9 : 0000000000000002\n[ 303.300431] x8 : 0000000000000010 x7 : ffffd49ea8973230 x6 : 0000000000a85201\n[ 303.301412] x5 : 0000000000000000 x4 : ffff0000020c9800 x3 : 00000000000007fc\n[ 303.302370] x2 : 0000000000000027 x1 : ffff000002467400 x0 : ffff000002467000\n[ 303.303341] Call trace:\n[ 303.303679] 0x0\n[ 303.303938] efivar_entry_set_get_size+0x98/0x16c\n[ 303.304585] efivarfs_file_write+0xd0/0x1a4\n[ 303.305148] vfs_write+0xc4/0x2e4\n[ 303.305601] ksys_write+0x70/0x104\n[ 303.306073] __arm64_sys_write+0x1c/0x28\n[ 303.306622] invoke_syscall+0x48/0x114\n[ 303.307156] el0_svc_common.constprop.0+0x44/0xec\n[ 303.307803] do_el0_svc+0x38/0x98\n[ 303.308268] el0_svc+0x2c/0x84\n[ 303.308702] el0t_64_sync_handler+0xf4/0x120\n[ 303.309293] el0t_64_sync+0x190/0x194\n[ 303.309794] Code: ???????? ???????? ???????? ???????? (????????)\n[ 303.310612] ---[ end trace 0000000000000000 ]---\n\nFix this by adding a .reconfigure() function to the fs operations which\nwe can use to check the requested flags and deny anything that's not RO\nif the firmware doesn't implement SetVariable at runtime.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52463",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52464",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/thunderx: Fix possible out-of-bounds string access\n\nEnabling -Wstringop-overflow globally exposes a warning for a common bug\nin the usage of strncat():\n\n drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':\n drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]\n 1136 | strncat(msg, other, OCX_MESSAGE_SIZE);\n | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n ...\n 1145 | strncat(msg, other, OCX_MESSAGE_SIZE);\n ...\n 1150 | strncat(msg, other, OCX_MESSAGE_SIZE);\n\n ...\n\nApparently the author of this driver expected strncat() to behave the\nway that strlcat() does, which uses the size of the destination buffer\nas its third argument rather than the length of the source buffer. The\nresult is that there is no check on the size of the allocated buffer.\n\nChange it to strlcat().\n\n [ bp: Trim compiler output, fixup commit message. ]",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52464",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2023-52465",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: Fix null pointer dereference in smb2_probe\n\ndevm_kasprintf and devm_kzalloc return a pointer to dynamically\nallocated memory which can be NULL upon failure.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52465"
},
{
"id": "CVE-2023-52467",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: syscon: Fix null pointer dereference in of_syscon_register()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52467"
},
{
"id": "CVE-2023-52468",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclass: fix use-after-free in class_register()\n\nThe lock_class_key is still registered and can be found in\nlock_keys_hash hlist after subsys_private is freed in error\nhandler path.A task who iterate over the lock_keys_hash\nlater may cause use-after-free.So fix that up and unregister\nthe lock_class_key before kfree(cp).\n\nOn our platform, a driver fails to kset_register because of\ncreating duplicate filename '/class/xxx'.With Kasan enabled,\nit prints a invalid-access bug report.\n\nKASAN bug report:\n\nBUG: KASAN: invalid-access in lockdep_register_key+0x19c/0x1bc\nWrite of size 8 at addr 15ffff808b8c0368 by task modprobe/252\nPointer tag: [15], memory tag: [fe]\n\nCPU: 7 PID: 252 Comm: modprobe Tainted: G W\n 6.6.0-mainline-maybe-dirty #1\n\nCall trace:\ndump_backtrace+0x1b0/0x1e4\nshow_stack+0x2c/0x40\ndump_stack_lvl+0xac/0xe0\nprint_report+0x18c/0x4d8\nkasan_report+0xe8/0x148\n__hwasan_store8_noabort+0x88/0x98\nlockdep_register_key+0x19c/0x1bc\nclass_register+0x94/0x1ec\ninit_module+0xbc/0xf48 [rfkill]\ndo_one_initcall+0x17c/0x72c\ndo_init_module+0x19c/0x3f8\n...\nMemory state around the buggy address:\nffffff808b8c0100: 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a\nffffff808b8c0200: 8a 8a 8a 8a 8a 8a 8a 8a fe fe fe fe fe fe fe fe\n>ffffff808b8c0300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\n ^\nffffff808b8c0400: 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03\n\nAs CONFIG_KASAN_GENERIC is not set, Kasan reports invalid-access\nnot use-after-free here.In this case, modprobe is manipulating\nthe corrupted lock_keys_hash hlish where lock_class_key is already\nfreed before.\n\nIt's worth noting that this only can happen if lockdep is enabled,\nwhich is not true for normal system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52468"
},
{
"id": "CVE-2023-52469",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/amd/pm: fix a use-after-free in kv_parse_power_table\n\nWhen ps allocated by kzalloc equals to NULL, kv_parse_power_table\nfrees adev->pm.dpm.ps that allocated before. However, after the control\nflow goes through the following call chains:\n\nkv_parse_power_table\n |-> kv_dpm_init\n |-> kv_dpm_sw_init\n\t |-> kv_dpm_fini\n\nThe adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its\nfirst free in kv_parse_power_table and causes a use-after-free bug.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52469"
},
{
"id": "CVE-2023-52470",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: check the alloc_workqueue return value in radeon_crtc_init()\n\ncheck the alloc_workqueue return value in radeon_crtc_init()\nto avoid null-ptr-deref.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52470"
},
{
"id": "CVE-2023-52471",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix some null pointer dereference issues in ice_ptp.c\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52471"
},
{
"id": "CVE-2023-52472",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: rsa - add a check for allocation failure\n\nStatic checkers insist that the mpi_alloc() allocation can fail so add\na check to prevent a NULL dereference. Small allocations like this\ncan't actually fail in current kernels, but adding a check is very\nsimple and makes the static checkers happy.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52472"
},
{
"id": "CVE-2023-52473",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: Fix NULL pointer dereference in zone registration error path\n\nIf device_register() in thermal_zone_device_register_with_trips()\nreturns an error, the tz variable is set to NULL and subsequently\ndereferenced in kfree(tz->tzp).\n\nCommit adc8749b150c (\"thermal/drivers/core: Use put_device() if\ndevice_register() fails\") added the tz = NULL assignment in question to\navoid a possible double-free after dropping the reference to the zone\ndevice. However, after commit 4649620d9404 (\"thermal: core: Make\nthermal_zone_device_unregister() return after freeing the zone\"), that\nassignment has become redundant, because dropping the reference to the\nzone device does not cause the zone object to be freed any more.\n\nDrop it to address the NULL pointer dereference.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52473"
},
{
"id": "CVE-2023-52474",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests\n\nhfi1 user SDMA request processing has two bugs that can cause data\ncorruption for user SDMA requests that have multiple payload iovecs\nwhere an iovec other than the tail iovec does not run up to the page\nboundary for the buffer pointed to by that iovec.a\n\nHere are the specific bugs:\n1. user_sdma_txadd() does not use struct user_sdma_iovec->iov.iov_len.\n Rather, user_sdma_txadd() will add up to PAGE_SIZE bytes from iovec\n to the packet, even if some of those bytes are past\n iovec->iov.iov_len and are thus not intended to be in the packet.\n2. user_sdma_txadd() and user_sdma_send_pkts() fail to advance to the\n next iovec in user_sdma_request->iovs when the current iovec\n is not PAGE_SIZE and does not contain enough data to complete the\n packet. The transmitted packet will contain the wrong data from the\n iovec pages.\n\nThis has not been an issue with SDMA packets from hfi1 Verbs or PSM2\nbecause they only produce iovecs that end short of PAGE_SIZE as the tail\niovec of an SDMA request.\n\nFixing these bugs exposes other bugs with the SDMA pin cache\n(struct mmu_rb_handler) that get in way of supporting user SDMA requests\nwith multiple payload iovecs whose buffers do not end at PAGE_SIZE. So\nthis commit fixes those issues as well.\n\nHere are the mmu_rb_handler bugs that non-PAGE_SIZE-end multi-iovec\npayload user SDMA requests can hit:\n1. Overlapping memory ranges in mmu_rb_handler will result in duplicate\n pinnings.\n2. When extending an existing mmu_rb_handler entry (struct mmu_rb_node),\n the mmu_rb code (1) removes the existing entry under a lock, (2)\n releases that lock, pins the new pages, (3) then reacquires the lock\n to insert the extended mmu_rb_node.\n\n If someone else comes in and inserts an overlapping entry between (2)\n and (3), insert in (3) will fail.\n\n The failure path code in this case unpins _all_ pages in either the\n original mmu_rb_node or the new mmu_rb_node that was inserted between\n (2) and (3).\n3. In hfi1_mmu_rb_remove_unless_exact(), mmu_rb_node->refcount is\n incremented outside of mmu_rb_handler->lock. As a result, mmu_rb_node\n could be evicted by another thread that gets mmu_rb_handler->lock and\n checks mmu_rb_node->refcount before mmu_rb_node->refcount is\n incremented.\n4. Related to #2 above, SDMA request submission failure path does not\n check mmu_rb_node->refcount before freeing mmu_rb_node object.\n\n If there are other SDMA requests in progress whose iovecs have\n pointers to the now-freed mmu_rb_node(s), those pointers to the\n now-freed mmu_rb nodes will be dereferenced when those SDMA requests\n complete.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52474"
},
{
"id": "CVE-2023-52645",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: mediatek: fix race conditions with genpd\n\nIf the power domains are registered first with genpd and *after that*\nthe driver attempts to power them on in the probe sequence, then it is\npossible that a race condition occurs if genpd tries to power them on\nin the same time.\nThe same is valid for powering them off before unregistering them\nfrom genpd.\nAttempt to fix race conditions by first removing the domains from genpd\nand *after that* powering down domains.\nAlso first power up the domains and *after that* register them\nto genpd.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52645"
},
{
"id": "CVE-2023-52752",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free bug in cifs_debug_data_proc_show()\n\nSkip SMB sessions that are being teared down\n(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show()\nto avoid use-after-free in @ses.\n\nThis fixes the following GPF when reading from /proc/fs/cifs/DebugData\nwhile mounting and umounting\n\n [ 816.251274] general protection fault, probably for non-canonical\n address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI\n ...\n [ 816.260138] Call Trace:\n [ 816.260329] \n [ 816.260499] ? die_addr+0x36/0x90\n [ 816.260762] ? exc_general_protection+0x1b3/0x410\n [ 816.261126] ? asm_exc_general_protection+0x26/0x30\n [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs]\n [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs]\n [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs]\n [ 816.262689] ? seq_read_iter+0x379/0x470\n [ 816.262995] seq_read_iter+0x118/0x470\n [ 816.263291] proc_reg_read_iter+0x53/0x90\n [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f\n [ 816.263945] vfs_read+0x201/0x350\n [ 816.264211] ksys_read+0x75/0x100\n [ 816.264472] do_syscall_64+0x3f/0x90\n [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n [ 816.265135] RIP: 0033:0x7fd5e669d381",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52752"
},
{
"id": "CVE-2023-52753",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Avoid NULL dereference of timing generator\n\n[Why & How]\nCheck whether assigned timing generator is NULL or not before\naccessing its funcs to prevent NULL dereference.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52753"
},
{
"id": "CVE-2023-52760",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix slab-use-after-free in gfs2_qd_dealloc\n\nIn gfs2_put_super(), whether withdrawn or not, the quota should\nbe cleaned up by gfs2_quota_cleanup().\n\nOtherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu\ncallback) has run for all gfs2_quota_data objects, resulting in\nuse-after-free.\n\nAlso, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called\nby gfs2_make_fs_ro(), so in gfs2_put_super(), after calling\ngfs2_make_fs_ro(), there is no need to call them again.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52760"
},
{
"id": "CVE-2023-52769",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix htt mlo-offset event locking\n\nThe ath12k active pdevs are protected by RCU but the htt mlo-offset\nevent handling code calling ath12k_mac_get_ar_by_pdev_id() was not\nmarked as a read-side critical section.\n\nMark the code in question as an RCU read-side critical section to avoid\nany potential use-after-free issues.\n\nCompile tested only.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52769"
},
{
"id": "CVE-2023-52772",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: fix use-after-free in unix_stream_read_actor()\n\nsyzbot reported the following crash [1]\n\nAfter releasing unix socket lock, u->oob_skb can be changed\nby another thread. We must temporarily increase skb refcount\nto make sure this other thread will not free the skb under us.\n\n[1]\n\nBUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866\nRead of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297\n\nCPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:364 [inline]\nprint_report+0xc4/0x620 mm/kasan/report.c:475\nkasan_report+0xda/0x110 mm/kasan/report.c:588\nunix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866\nunix_stream_recv_urg net/unix/af_unix.c:2587 [inline]\nunix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666\nunix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903\nsock_recvmsg_nosec net/socket.c:1044 [inline]\nsock_recvmsg+0xe2/0x170 net/socket.c:1066\n____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803\n___sys_recvmsg+0x115/0x1a0 net/socket.c:2845\n__sys_recvmsg+0x114/0x1e0 net/socket.c:2875\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7fc67492c559\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\nRAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559\nRDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004\nRBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340\nR13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388\n\n\nAllocated by task 5295:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\n__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328\nkasan_slab_alloc include/linux/kasan.h:188 [inline]\nslab_post_alloc_hook mm/slab.h:763 [inline]\nslab_alloc_node mm/slub.c:3478 [inline]\nkmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523\n__alloc_skb+0x287/0x330 net/core/skbuff.c:641\nalloc_skb include/linux/skbuff.h:1286 [inline]\nalloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331\nsock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780\nsock_alloc_send_skb include/net/sock.h:1884 [inline]\nqueue_oob net/unix/af_unix.c:2147 [inline]\nunix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n____sys_sendmsg+0x6ac/0x940 net/socket.c:2584\n___sys_sendmsg+0x135/0x1d0 net/socket.c:2638\n__sys_sendmsg+0x117/0x1e0 net/socket.c:2667\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFreed by task 5295:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\nkasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522\n____kasan_slab_free mm/kasan/common.c:236 [inline]\n____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200\nkasan_slab_free include/linux/kasan.h:164 [inline]\nslab_free_hook mm/slub.c:1800 [inline]\nslab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826\nslab_free mm/slub.c:3809 [inline]\nkmem_cache_free+0xf8/0x340 mm/slub.c:3831\nkfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015\n__kfree_skb net/core/skbuff.c:1073 [inline]\nconsume_skb net/core/skbuff.c:1288 [inline]\nconsume_skb+0xdf/0x170 net/core/skbuff.c:1282\nqueue_oob net/unix/af_unix.c:2178 [inline]\nu\n---truncated---",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52772"
},
{
"id": "CVE-2023-52773",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix a NULL pointer dereference in amdgpu_dm_i2c_xfer()\n\nWhen ddc_service_construct() is called, it explicitly checks both the\nlink type and whether there is something on the link which will\ndictate whether the pin is marked as hw_supported.\n\nIf the pin isn't set or the link is not set (such as from\nunloading/reloading amdgpu in an IGT test) then fail the\namdgpu_dm_i2c_xfer() call.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52773"
},
{
"id": "CVE-2023-52783",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wangxun: fix kernel panic due to null pointer\n\nWhen the device uses a custom subsystem vendor ID, the function\nwx_sw_init() returns before the memory of 'wx->mac_table' is allocated.\nThe null pointer will causes the kernel panic.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52783"
},
{
"id": "CVE-2023-52806",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: Fix possible null-ptr-deref when assigning a stream\n\nWhile AudioDSP drivers assign streams exclusively of HOST or LINK type,\nnothing blocks a user to attempt to assign a COUPLED stream. As\nsupplied substream instance may be a stub, what is the case when\ncode-loading, such scenario ends with null-ptr-deref.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52806"
},
{
"id": "CVE-2023-52809",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()\n\nfc_lport_ptp_setup() did not check the return value of fc_rport_create()\nwhich can return NULL and would cause a NULL pointer dereference. Address\nthis issue by checking return value of fc_rport_create() and log error\nmessage on fc_rport_create() failed.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52809"
},
{
"id": "CVE-2023-52814",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix potential null pointer derefernce\n\nThe amdgpu_ras_get_context may return NULL if device\nnot support ras feature, so add check before using.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52814"
},
{
"id": "CVE-2023-52815",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/vkms: fix a possible null pointer dereference\n\nIn amdgpu_vkms_conn_get_modes(), the return value of drm_cvt_mode()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_cvt_mode(). Add a check to avoid null pointer\ndereference.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52815"
},
{
"id": "CVE-2023-52817",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL\n\nIn certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log:\n\n1. Navigate to the directory: /sys/kernel/debug/dri/0\n2. Execute command: cat amdgpu_regs_smc\n3. Exception Log::\n[4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[4005007.702562] #PF: supervisor instruction fetch in kernel mode\n[4005007.702567] #PF: error_code(0x0010) - not-present page\n[4005007.702570] PGD 0 P4D 0\n[4005007.702576] Oops: 0010 [#1] SMP NOPTI\n[4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G OE 5.15.0-43-generic #46-Ubunt u\n[4005007.702590] RIP: 0010:0x0\n[4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.\n[4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206\n[4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68\n[4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000\n[4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980\n[4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000\n[4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000\n[4005007.702622] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000\n[4005007.702626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0\n[4005007.702633] Call Trace:\n[4005007.702636] \n[4005007.702640] amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu]\n[4005007.703002] full_proxy_read+0x5c/0x80\n[4005007.703011] vfs_read+0x9f/0x1a0\n[4005007.703019] ksys_read+0x67/0xe0\n[4005007.703023] __x64_sys_read+0x19/0x20\n[4005007.703028] do_syscall_64+0x5c/0xc0\n[4005007.703034] ? do_user_addr_fault+0x1e3/0x670\n[4005007.703040] ? exit_to_user_mode_prepare+0x37/0xb0\n[4005007.703047] ? irqentry_exit_to_user_mode+0x9/0x20\n[4005007.703052] ? irqentry_exit+0x19/0x30\n[4005007.703057] ? exc_page_fault+0x89/0x160\n[4005007.703062] ? asm_exc_page_fault+0x8/0x30\n[4005007.703068] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[4005007.703075] RIP: 0033:0x7f5e07672992\n[4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e c 28 48 89 54 24\n[4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992\n[4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003\n[4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010\n[4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000\n[4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\n[4005007.703105] \n[4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_ iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v 2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca\n[4005007.703184] CR2: 0000000000000000\n[4005007.703188] ---[ en\n---truncated---",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52817"
},
{
"id": "CVE-2023-52821",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: fix a possible null pointer dereference\n\nIn versatile_panel_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52821"
},
{
"id": "CVE-2023-52827",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix possible out-of-bound read in ath12k_htt_pull_ppdu_stats()\n\nlen is extracted from HTT message and could be an unexpected value in\ncase errors happen, so add validation before using to avoid possible\nout-of-bound read in the following message iteration and parsing.\n\nThe same issue also applies to ppdu_info->ppdu_stats.common.num_users,\nso validate it before using too.\n\nThese are found during code review.\n\nCompile test only.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52827"
},
{
"id": "CVE-2023-5345",
"summary": "A use-after-free vulnerability in the Linux kernel's fs/smb/client component can be exploited to achieve local privilege escalation.\n\nIn case of an error in smb3_fs_context_parse_param, ctx->password was freed but the field was not set to NULL which could lead to double free.\n\nWe recommend upgrading past commit e6e43b8aa7cd3c3af686caf0c2e11819a886d705.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5345",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc4"
},
{
"id": "CVE-2023-5633",
"summary": "The reference count changes made as part of the CVE-2023-33951 and CVE-2023-33952 fixes exposed a use-after-free flaw in the way memory objects were handled when they were being used to store a surface. When running inside a VMware guest with 3D acceleration enabled, a local, unprivileged user could potentially use this flaw to escalate their privileges.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5633",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc6"
},
{
"id": "CVE-2023-5717",
"summary": "A heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation.\n\nIf perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer.\n\nWe recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5717",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc7"
},
{
"id": "CVE-2023-5972",
"summary": "A null pointer dereference flaw was found in the nft_inner.c functionality of netfilter in the Linux kernel. This issue could allow a local user to crash the system or escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5972",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc7"
},
{
"id": "CVE-2023-6039",
"summary": "A use-after-free flaw was found in lan78xx_disconnect in drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx in the Linux Kernel. This flaw allows a local attacker to crash the system when the LAN78XX USB device detaches.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6039",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc5"
},
{
"id": "CVE-2023-6040",
"summary": "An out-of-bounds access vulnerability involving netfilter was reported and fixed as: f1082dd31fe4 (netfilter: nf_tables: Reject tables of unsupported family); While creating a new netfilter table, lack of a safeguard against invalid nf_tables family (pf) values within `nf_tables_newtable` function enables an attacker to achieve out-of-bounds access.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6040",
"detail": "fixed-version",
"description": "Fixed from version 5.18rc1"
},
{
"id": "CVE-2023-6111",
"summary": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nThe function nft_trans_gc_catchall did not remove the catchall set element from the catchall_list when the argument sync is true, making it possible to free a catchall set element many times.\n\nWe recommend upgrading past commit 93995bf4af2c5a99e2a87f0cd5ce547d31eb7630.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6111",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.3"
},
{
"id": "CVE-2023-6121",
"summary": "An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg).",
"scorev2": "0.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6121",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.4"
},
{
"id": "CVE-2023-6176",
"summary": "A null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality. This issue occurs when a user constructs a malicious packet with specific socket configuration, which could allow a local user to crash the system or escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6176",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc2"
},
{
"id": "CVE-2023-6200",
"summary": "A race condition was found in the Linux Kernel. Under certain conditions, an unauthenticated attacker from an adjacent network could send an ICMPv6 router advertisement packet, causing arbitrary code execution.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6200",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.9"
},
{
"id": "CVE-2023-6238",
"summary": "A buffer overflow vulnerability was found in the NVM Express (NVMe) driver in the Linux kernel. Only privileged user could specify a small meta buffer and let the device perform larger Direct Memory Access (DMA) into the same buffer, overwriting unrelated kernel memory, causing random kernel crashes and memory corruption.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6238"
},
{
"id": "CVE-2023-6240",
"summary": "A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6240"
},
{
"id": "CVE-2023-6270",
"summary": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6270"
},
{
"id": "CVE-2023-6356",
"summary": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6356"
},
{
"id": "CVE-2023-6531",
"summary": "A use-after-free flaw was found in the Linux Kernel due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6531",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.7"
},
{
"id": "CVE-2023-6535",
"summary": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6535"
},
{
"id": "CVE-2023-6536",
"summary": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6536"
},
{
"id": "CVE-2023-6546",
"summary": "A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6546",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc7"
},
{
"id": "CVE-2023-6560",
"summary": "An out-of-bounds memory access flaw was found in the io_uring SQ/CQ rings functionality in the Linux kernel. This issue could allow a local user to crash the system.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6560",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.5"
},
{
"id": "CVE-2023-6606",
"summary": "An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6606",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.9"
},
{
"id": "CVE-2023-6610",
"summary": "An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6610",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.13"
},
{
"id": "CVE-2023-6622",
"summary": "A null pointer dereference vulnerability was found in nft_dynset_init() in net/netfilter/nft_dynset.c in nf_tables in the Linux kernel. This issue may allow a local attacker with CAP_NET_ADMIN user privilege to trigger a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6622",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.7"
},
{
"id": "CVE-2023-6679",
"summary": "A null pointer dereference vulnerability was found in dpll_pin_parent_pin_set() in drivers/dpll/dpll_netlink.c in the Digital Phase Locked Loop (DPLL) subsystem in the Linux kernel. This issue could be exploited to trigger a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6679",
"detail": "fixed-version",
"description": "only affects 6.7rc1 onwards"
},
{
"id": "CVE-2023-6817",
"summary": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nThe function nft_pipapo_walk did not skip inactive elements during set walk which could lead double deactivations of PIPAPO (Pile Packet Policies) elements, leading to use-after-free.\n\nWe recommend upgrading past commit 317eb9685095678f2c9f5a8189de698c5354316a.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6817",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.7"
},
{
"id": "CVE-2023-6915",
"summary": "A Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel. This issue may allow an attacker using this library to cause a denial of service problem due to a missing check at a function return.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6915",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.13"
},
{
"id": "CVE-2023-6931",
"summary": "A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation.\n\nA perf_event's read_size can overflow, leading to an heap out-of-bounds increment or write in perf_read_group().\n\nWe recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.\n\n",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6931",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.7"
},
{
"id": "CVE-2023-6932",
"summary": "A use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation.\n\nA race condition can be exploited to cause a timer be mistakenly registered on a RCU read locked object which is freed by another thread.\n\nWe recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1.\n\n",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6932",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.5"
},
{
"id": "CVE-2023-7042",
"summary": "A null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-7042"
},
{
"id": "CVE-2023-7192",
"summary": "A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. This issue may allow a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-7192",
"detail": "fixed-version",
"description": "Fixed from version 6.3rc1"
},
{
"id": "CVE-2024-0193",
"summary": "A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. This can cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT object, allowing a local unprivileged user with CAP_NET_ADMIN capability to escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0193",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.10"
},
{
"id": "CVE-2024-0340",
"summary": "A vulnerability was found in vhost_new_msg in drivers/vhost/vhost.c in the Linux kernel, which does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This issue can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0340",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc6"
},
{
"id": "CVE-2024-0443",
"summary": "A flaw was found in the blkgs destruction path in block/blk-cgroup.c in the Linux kernel, leading to a cgroup blkio memory leakage problem. When a cgroup is being destroyed, cgroup_rstat_flush() is only called at css_release_work_fn(), which is called when the blkcg reference count reaches 0. This circular dependency will prevent blkcg and some blkgs from being freed after they are made offline. This issue may allow an attacker with a local access to cause system instability, such as an out of memory error.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0443",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc7"
},
{
"id": "CVE-2024-0562",
"summary": "A use-after-free flaw was found in the Linux Kernel. When a disk is removed, bdi_unregister is called to stop further write-back and waits for associated delayed work to complete. However, wb_inode_writeback_end() may schedule bandwidth estimation work after this has completed, which can result in the timer attempting to access the recently freed bdi_writeback.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0562",
"detail": "fixed-version",
"description": "Fixed from version 6.0rc3"
},
{
"id": "CVE-2024-0564",
"summary": "A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is \"max page sharing=256\", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's \"max page share\". Through these operations, the attacker can leak the victim's page.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0564"
},
{
"id": "CVE-2024-0565",
"summary": "An out-of-bounds memory read flaw was found in receive_encrypted_standard in fs/smb/client/smb2ops.c in the SMB Client sub-component in the Linux Kernel. This issue occurs due to integer underflow on the memcpy length, leading to a denial of service.",
"scorev2": "0.0",
"scorev3": "7.4",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0565",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.8"
},
{
"id": "CVE-2024-0582",
"summary": "A memory leak flaw was found in the Linux kernel\u2019s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and then frees it. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0582",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.5"
},
{
"id": "CVE-2024-0607",
"summary": "A flaw was found in the Netfilter subsystem in the Linux kernel. The issue is in the nft_byteorder_eval() function, where the code iterates through a loop and writes to the `dst` array. On each iteration, 8 bytes are written, but `dst` is an array of u32, so each element only has space for 4 bytes. That means every iteration overwrites part of the previous element corrupting this array of u32. This flaw allows a local user to cause a denial of service or potentially break NetFilter functionality.",
"scorev2": "0.0",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0607",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.3"
},
{
"id": "CVE-2024-0639",
"summary": "A denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel\u2019s SCTP subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0639",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc1"
},
{
"id": "CVE-2024-0641",
"summary": "A denial of service vulnerability was found in tipc_crypto_key_revoke in net/tipc/crypto.c in the Linux kernel\u2019s TIPC subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0641",
"detail": "fixed-version",
"description": "Fixed from version 6.6rc5"
},
{
"id": "CVE-2024-0646",
"summary": "An out-of-bounds memory write flaw was found in the Linux kernel\u2019s Transport Layer Security functionality in how a user calls a function splice with a ktls socket as the destination. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0646",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.7"
},
{
"id": "CVE-2024-0775",
"summary": "A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This flaw allows a local user to cause an information leak problem while freeing the old quota file names before a potential failure, leading to a use-after-free.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0775",
"detail": "fixed-version",
"description": "Fixed from version 6.4rc2"
},
{
"id": "CVE-2024-0841",
"summary": "A null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0841"
},
{
"id": "CVE-2024-1085",
"summary": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nThe nft_setelem_catchall_deactivate() function checks whether the catch-all set element is active in the current generation instead of the next generation before freeing it, but only flags it inactive in the next generation, making it possible to free the element multiple times, leading to a double free vulnerability.\n\nWe recommend upgrading past commit b1db244ffd041a49ecc9618e8feb6b5c1afcdaa7.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1085",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2024-1086",
"summary": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nThe nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.\n\nWe recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1086",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.15"
},
{
"id": "CVE-2024-1151",
"summary": "A vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1151",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.18"
},
{
"id": "CVE-2024-1312",
"summary": "A use-after-free flaw was found in the Linux kernel's Memory Management subsystem when a user wins two races at the same time with a fail in the mas_prev_slot function. This issue could allow a local user to crash the system.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1312",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc4"
},
{
"id": "CVE-2024-21803",
"summary": "Use After Free vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (bluetooth modules) allows Local Execution of Code. This vulnerability is associated with program files https://gitee.Com/anolis/cloud-kernel/blob/devel-5.10/net/bluetooth/af_bluetooth.C.\n\nThis issue affects Linux kernel: from v2.6.12-rc2 before v6.8-rc1.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-21803"
},
{
"id": "CVE-2024-22099",
"summary": "NULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C.\n\nThis issue affects Linux kernel: v2.6.12-rc2.\n\n",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-22099"
},
{
"id": "CVE-2024-22386",
"summary": "A race condition was found in the Linux kernel's drm/exynos device driver in\u00a0exynos_drm_crtc_atomic_disable() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-22386"
},
{
"id": "CVE-2024-22705",
"summary": "An issue was discovered in ksmbd in the Linux kernel before 6.6.10. smb2_get_data_area_len in fs/smb/server/smb2misc.c can cause an smb_strndup_from_utf16 out-of-bounds access because the relationship between Name data and CreateContexts data is mishandled.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-22705",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.10"
},
{
"id": "CVE-2024-23196",
"summary": "A race condition was found in the Linux kernel's sound/hda device driver in snd_hdac_regmap_sync() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-23196"
},
{
"id": "CVE-2024-23307",
"summary": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-23307"
},
{
"id": "CVE-2024-23848",
"summary": "In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-23848"
},
{
"id": "CVE-2024-23849",
"summary": "In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-23849",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.15"
},
{
"id": "CVE-2024-23850",
"summary": "In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-23850",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.18"
},
{
"id": "CVE-2024-23851",
"summary": "copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to ctl_ioctl.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-23851",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.18"
},
{
"id": "CVE-2024-24855",
"summary": "A race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-24855",
"detail": "fixed-version",
"description": "Fixed from version 6.5rc2"
},
{
"id": "CVE-2024-24857",
"summary": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "6.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-24857"
},
{
"id": "CVE-2024-24858",
"summary": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-24858"
},
{
"id": "CVE-2024-24859",
"summary": "A race condition was found in the Linux kernel's net/bluetooth in sniff_{min,max}_interval_set() function. This can result in a bluetooth sniffing exception issue, possibly leading denial of service.\n\n\n\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "4.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-24859"
},
{
"id": "CVE-2024-24860",
"summary": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-24860",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2024-24861",
"summary": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-24861"
},
{
"id": "CVE-2024-24864",
"summary": "A race condition was found in the Linux kernel's media/dvb-core in dvbdmx_write()\u00a0function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-24864"
},
{
"id": "CVE-2024-25739",
"summary": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-25739"
},
{
"id": "CVE-2024-25740",
"summary": "A memory leak flaw was found in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBI_IOCATT, because kobj->name is not released.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-25740"
},
{
"id": "CVE-2024-25744",
"summary": "In the Linux kernel before 6.6.7, an untrusted VMM can trigger int80 syscall handling at any given point. This is related to arch/x86/coco/tdx/tdx.c and arch/x86/mm/mem_encrypt_amd.c.",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-25744",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.7"
},
{
"id": "CVE-2024-26581",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: skip end interval element from gc\n\nrbtree lazy gc on insert might collect an end interval element that has\nbeen just added in this transactions, skip end interval elements that\nare not yet active.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26581",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.17"
},
{
"id": "CVE-2024-26582",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: fix use-after-free with partial reads and async decrypt\n\ntls_decrypt_sg doesn't take a reference on the pages from clear_skb,\nso the put_page() in tls_decrypt_done releases them, and we trigger\na use-after-free in process_rx_list when we try to read from the\npartially-read skb.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26582",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.18"
},
{
"id": "CVE-2024-26583",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix race between async notify and socket close\n\nThe submitting thread (one which called recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete()\nso any code past that point risks touching already freed data.\n\nTry to avoid the locking and extra flags altogether.\nHave the main thread hold an extra reference, this way\nwe can depend solely on the atomic ref counter for\nsynchronization.\n\nDon't futz with reiniting the completion, either, we are now\ntightly controlling when completion fires.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26583",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.18"
},
{
"id": "CVE-2024-26584",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: handle backlogging of crypto requests\n\nSince we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our\nrequests to the crypto API, crypto_aead_{encrypt,decrypt} can return\n -EBUSY instead of -EINPROGRESS in valid situations. For example, when\nthe cryptd queue for AESNI is full (easy to trigger with an\nartificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued\nto the backlog but still processed. In that case, the async callback\nwill also be called twice: first with err == -EINPROGRESS, which it\nseems we can just ignore, then with err == 0.\n\nCompared to Sabrina's original patch this version uses the new\ntls_*crypt_async_wait() helpers and converts the EBUSY to\nEINPROGRESS to avoid having to modify all the error handling\npaths. The handling is identical.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26584",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.18"
},
{
"id": "CVE-2024-26585",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix race between tx work scheduling and socket close\n\nSimilarly to previous commit, the submitting thread (recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete().\nReorder scheduling the work before calling complete().\nThis seems more logical in the first place, as it's\nthe inverse order of what the submitting thread will do.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26585",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.18"
},
{
"id": "CVE-2024-26586",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix stack corruption\n\nWhen tc filters are first added to a net device, the corresponding local\nport gets bound to an ACL group in the device. The group contains a list\nof ACLs. In turn, each ACL points to a different TCAM region where the\nfilters are stored. During forwarding, the ACLs are sequentially\nevaluated until a match is found.\n\nOne reason to place filters in different regions is when they are added\nwith decreasing priorities and in an alternating order so that two\nconsecutive filters can never fit in the same region because of their\nkey usage.\n\nIn Spectrum-2 and newer ASICs the firmware started to report that the\nmaximum number of ACLs in a group is more than 16, but the layout of the\nregister that configures ACL groups (PAGT) was not updated to account\nfor that. It is therefore possible to hit stack corruption [1] in the\nrare case where more than 16 ACLs in a group are required.\n\nFix by limiting the maximum ACL group size to the minimum between what\nthe firmware reports and the maximum ACLs that fit in the PAGT register.\n\nAdd a test case to make sure the machine does not crash when this\ncondition is hit.\n\n[1]\nKernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120\n[...]\n dump_stack_lvl+0x36/0x50\n panic+0x305/0x330\n __stack_chk_fail+0x15/0x20\n mlxsw_sp_acl_tcam_group_update+0x116/0x120\n mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110\n mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26586",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2024-26587",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: netdevsim: don't try to destroy PHC on VFs\n\nPHC gets initialized in nsim_init_netdevsim(), which\nis only called if (nsim_dev_port_is_pf()).\n\nCreate a counterpart of nsim_init_netdevsim() and\nmove the mock_phc_destroy() there.\n\nThis fixes a crash trying to destroy netdevsim with\nVFs instantiated, as caught by running the devlink.sh test:\n\n BUG: kernel NULL pointer dereference, address: 00000000000000b8\n RIP: 0010:mock_phc_destroy+0xd/0x30\n Call Trace:\n \n nsim_destroy+0x4a/0x70 [netdevsim]\n __nsim_dev_port_del+0x47/0x70 [netdevsim]\n nsim_dev_reload_destroy+0x105/0x120 [netdevsim]\n nsim_drv_remove+0x2f/0xb0 [netdevsim]\n device_release_driver_internal+0x1a1/0x210\n bus_remove_device+0xd5/0x120\n device_del+0x159/0x490\n device_unregister+0x12/0x30\n del_device_store+0x11a/0x1a0 [netdevsim]\n kernfs_fop_write_iter+0x130/0x1d0\n vfs_write+0x30b/0x4b0\n ksys_write+0x69/0xf0\n do_syscall_64+0xcc/0x1e0\n entry_SYSCALL_64_after_hwframe+0x6f/0x77",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26587",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2024-26588",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: Prevent out-of-bounds memory access\n\nThe test_tag test triggers an unhandled page fault:\n\n # ./test_tag\n [ 130.640218] CPU 0 Unable to handle kernel paging request at virtual address ffff80001b898004, era == 9000000003137f7c, ra == 9000000003139e70\n [ 130.640501] Oops[#3]:\n [ 130.640553] CPU: 0 PID: 1326 Comm: test_tag Tainted: G D O 6.7.0-rc4-loong-devel-gb62ab1a397cf #47 61985c1d94084daa2432f771daa45b56b10d8d2a\n [ 130.640764] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n [ 130.640874] pc 9000000003137f7c ra 9000000003139e70 tp 9000000104cb4000 sp 9000000104cb7a40\n [ 130.641001] a0 ffff80001b894000 a1 ffff80001b897ff8 a2 000000006ba210be a3 0000000000000000\n [ 130.641128] a4 000000006ba210be a5 00000000000000f1 a6 00000000000000b3 a7 0000000000000000\n [ 130.641256] t0 0000000000000000 t1 00000000000007f6 t2 0000000000000000 t3 9000000004091b70\n [ 130.641387] t4 000000006ba210be t5 0000000000000004 t6 fffffffffffffff0 t7 90000000040913e0\n [ 130.641512] t8 0000000000000005 u0 0000000000000dc0 s9 0000000000000009 s0 9000000104cb7ae0\n [ 130.641641] s1 00000000000007f6 s2 0000000000000009 s3 0000000000000095 s4 0000000000000000\n [ 130.641771] s5 ffff80001b894000 s6 ffff80001b897fb0 s7 9000000004090c50 s8 0000000000000000\n [ 130.641900] ra: 9000000003139e70 build_body+0x1fcc/0x4988\n [ 130.642007] ERA: 9000000003137f7c build_body+0xd8/0x4988\n [ 130.642112] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n [ 130.642261] PRMD: 00000004 (PPLV0 +PIE -PWE)\n [ 130.642353] EUEN: 00000003 (+FPE +SXE -ASXE -BTE)\n [ 130.642458] ECFG: 00071c1c (LIE=2-4,10-12 VS=7)\n [ 130.642554] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n [ 130.642658] BADV: ffff80001b898004\n [ 130.642719] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\n [ 130.642815] Modules linked in: [last unloaded: bpf_testmod(O)]\n [ 130.642924] Process test_tag (pid: 1326, threadinfo=00000000f7f4015f, task=000000006499f9fd)\n [ 130.643062] Stack : 0000000000000000 9000000003380724 0000000000000000 0000000104cb7be8\n [ 130.643213] 0000000000000000 25af8d9b6e600558 9000000106250ea0 9000000104cb7ae0\n [ 130.643378] 0000000000000000 0000000000000000 9000000104cb7be8 90000000049f6000\n [ 130.643538] 0000000000000090 9000000106250ea0 ffff80001b894000 ffff80001b894000\n [ 130.643685] 00007ffffb917790 900000000313ca94 0000000000000000 0000000000000000\n [ 130.643831] ffff80001b894000 0000000000000ff7 0000000000000000 9000000100468000\n [ 130.643983] 0000000000000000 0000000000000000 0000000000000040 25af8d9b6e600558\n [ 130.644131] 0000000000000bb7 ffff80001b894048 0000000000000000 0000000000000000\n [ 130.644276] 9000000104cb7be8 90000000049f6000 0000000000000090 9000000104cb7bdc\n [ 130.644423] ffff80001b894000 0000000000000000 00007ffffb917790 90000000032acfb0\n [ 130.644572] ...\n [ 130.644629] Call Trace:\n [ 130.644641] [<9000000003137f7c>] build_body+0xd8/0x4988\n [ 130.644785] [<900000000313ca94>] bpf_int_jit_compile+0x228/0x4ec\n [ 130.644891] [<90000000032acfb0>] bpf_prog_select_runtime+0x158/0x1b0\n [ 130.645003] [<90000000032b3504>] bpf_prog_load+0x760/0xb44\n [ 130.645089] [<90000000032b6744>] __sys_bpf+0xbb8/0x2588\n [ 130.645175] [<90000000032b8388>] sys_bpf+0x20/0x2c\n [ 130.645259] [<9000000003f6ab38>] do_syscall+0x7c/0x94\n [ 130.645369] [<9000000003121c5c>] handle_syscall+0xbc/0x158\n [ 130.645507]\n [ 130.645539] Code: 380839f6 380831f9 28412bae <24000ca6> 004081ad 0014cb50 004083e8 02bff34c 58008e91\n [ 130.645729]\n [ 130.646418] ---[ end trace 0000000000000000 ]---\n\nOn my machine, which has CONFIG_PAGE_SIZE_16KB=y, the test failed at\nloading a BPF prog with 2039 instructions:\n\n prog = (struct bpf_prog *)ffff80001b894000\n insn = (struct bpf_insn *)(prog->insnsi)fff\n---truncated---",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26588",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2024-26589",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject variable offset alu on PTR_TO_FLOW_KEYS\n\nFor PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off\nfor validation. However, variable offset ptr alu is not prohibited\nfor this ptr kind. So the variable offset is not checked.\n\nThe following prog is accepted:\n\n func#0 @0\n 0: R1=ctx() R10=fp0\n 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx()\n 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys()\n 2: (b7) r8 = 1024 ; R8_w=1024\n 3: (37) r8 /= 1 ; R8_w=scalar()\n 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0,\n smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))\n 5: (0f) r7 += r8\n mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\n mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024\n mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1\n mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024\n 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off\n =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,\n var_off=(0x0; 0x400))\n 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar()\n 7: (95) exit\n\nThis prog loads flow_keys to r7, and adds the variable offset r8\nto r7, and finally causes out-of-bounds access:\n\n BUG: unable to handle page fault for address: ffffc90014c80038\n [...]\n Call Trace:\n \n bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]\n __bpf_prog_run include/linux/filter.h:651 [inline]\n bpf_prog_run include/linux/filter.h:658 [inline]\n bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]\n bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991\n bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359\n bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]\n __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475\n __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]\n __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFix this by rejecting ptr alu with variable offset on flow_keys.\nApplying the patch rejects the program with \"R7 pointer arithmetic\non flow_keys prohibited\".",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26589",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2024-26590",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix inconsistent per-file compression format\n\nEROFS can select compression algorithms on a per-file basis, and each\nper-file compression algorithm needs to be marked in the on-disk\nsuperblock for initialization.\n\nHowever, syzkaller can generate inconsistent crafted images that use\nan unsupported algorithmtype for specific inodes, e.g. use MicroLZMA\nalgorithmtype even it's not set in `sbi->available_compr_algs`. This\ncan lead to an unexpected \"BUG: kernel NULL pointer dereference\" if\nthe corresponding decompressor isn't built-in.\n\nFix this by checking against `sbi->available_compr_algs` for each\nm_algorithmformat request. Incorrect !erofs_sb_has_compr_cfgs preset\nbitmap is now fixed together since it was harmless previously.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26590",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2024-26591",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix re-attachment branch in bpf_tracing_prog_attach\n\nThe following case can cause a crash due to missing attach_btf:\n\n1) load rawtp program\n2) load fentry program with rawtp as target_fd\n3) create tracing link for fentry program with target_fd = 0\n4) repeat 3\n\nIn the end we have:\n\n- prog->aux->dst_trampoline == NULL\n- tgt_prog == NULL (because we did not provide target_fd to link_create)\n- prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X)\n- the program was loaded for tgt_prog but we have no way to find out which one\n\n BUG: kernel NULL pointer dereference, address: 0000000000000058\n Call Trace:\n \n ? __die+0x20/0x70\n ? page_fault_oops+0x15b/0x430\n ? fixup_exception+0x22/0x330\n ? exc_page_fault+0x6f/0x170\n ? asm_exc_page_fault+0x22/0x30\n ? bpf_tracing_prog_attach+0x279/0x560\n ? btf_obj_id+0x5/0x10\n bpf_tracing_prog_attach+0x439/0x560\n __sys_bpf+0x1cf4/0x2de0\n __x64_sys_bpf+0x1c/0x30\n do_syscall_64+0x41/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nReturn -EINVAL in this situation.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26591",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2024-26592",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix UAF issue in ksmbd_tcp_new_connection()\n\nThe race is between the handling of a new TCP connection and\nits disconnection. It leads to UAF on `struct tcp_transport` in\nksmbd_tcp_new_connection() function.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26592",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2024-26593",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: i801: Fix block process call transactions\n\nAccording to the Intel datasheets, software must reset the block\nbuffer index twice for block process call transactions: once before\nwriting the outgoing data to the buffer, and once again before\nreading the incoming data from the buffer.\n\nThe driver is currently missing the second reset, causing the wrong\nportion of the block buffer to be read.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26593",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.18"
},
{
"id": "CVE-2024-26594",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate mech token in session setup\n\nIf client send invalid mech token in session setup request, ksmbd\nvalidate and make the error if it is invalid.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26594",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2024-26595",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\n\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\nfailing to attach the region to an ACL group, we hit a NULL pointer\ndereference upon 'region->group->tcam' [1].\n\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\n[...]\nCall Trace:\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26595",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2024-26596",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events\n\nAfter the blamed commit, we started doing this dereference for every\nNETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system.\n\nstatic inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)\n{\n\tstruct dsa_user_priv *p = netdev_priv(dev);\n\n\treturn p->dp;\n}\n\nWhich is obviously bogus, because not all net_devices have a netdev_priv()\nof type struct dsa_user_priv. But struct dsa_user_priv is fairly small,\nand p->dp means dereferencing 8 bytes starting with offset 16. Most\ndrivers allocate that much private memory anyway, making our access not\nfault, and we discard the bogus data quickly afterwards, so this wasn't\ncaught.\n\nBut the dummy interface is somewhat special in that it calls\nalloc_netdev() with a priv size of 0. So every netdev_priv() dereference\nis invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event\nwith a VLAN as its new upper:\n\n$ ip link add dummy1 type dummy\n$ ip link add link dummy1 name dummy1.100 type vlan id 100\n[ 43.309174] ==================================================================\n[ 43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8\n[ 43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374\n[ 43.330058]\n[ 43.342436] Call trace:\n[ 43.366542] dsa_user_prechangeupper+0x30/0xe8\n[ 43.371024] dsa_user_netdevice_event+0xb38/0xee8\n[ 43.375768] notifier_call_chain+0xa4/0x210\n[ 43.379985] raw_notifier_call_chain+0x24/0x38\n[ 43.384464] __netdev_upper_dev_link+0x3ec/0x5d8\n[ 43.389120] netdev_upper_dev_link+0x70/0xa8\n[ 43.393424] register_vlan_dev+0x1bc/0x310\n[ 43.397554] vlan_newlink+0x210/0x248\n[ 43.401247] rtnl_newlink+0x9fc/0xe30\n[ 43.404942] rtnetlink_rcv_msg+0x378/0x580\n\nAvoid the kernel oops by dereferencing after the type check, as customary.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26596"
},
{
"id": "CVE-2024-26597",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qualcomm: rmnet: fix global oob in rmnet_policy\n\nThe variable rmnet_link_ops assign a *bigger* maxtype which leads to a\nglobal out-of-bounds read when parsing the netlink attributes. See bug\ntrace below:\n\n==================================================================\nBUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]\nBUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\nRead of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207\n\nCPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G N 6.1.0 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x172/0x475 mm/kasan/report.c:395\n kasan_report+0xbb/0x1c0 mm/kasan/report.c:495\n validate_nla lib/nlattr.c:386 [inline]\n __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\n __nla_parse+0x3e/0x50 lib/nlattr.c:697\n nla_parse_nested_deprecated include/net/netlink.h:1248 [inline]\n __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485\n rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594\n rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091\n netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0x154/0x190 net/socket.c:734\n ____sys_sendmsg+0x6df/0x840 net/socket.c:2482\n ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536\n __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fdcf2072359\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359\nRDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003\nRBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000\n \n\nThe buggy address belongs to the variable:\n rmnet_policy+0x30/0xe0\n\nThe buggy address belongs to the physical page:\npage:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243\nflags: 0x200000000001000(reserved|node=0|zone=2)\nraw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000\nraw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07\n ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9\n>ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9\n ^\n ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9\n ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9\n\nAccording to the comment of `nla_parse_nested_deprecated`, the maxtype\nshould be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26597",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2024-26598",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache\n\nThere is a potential UAF scenario in the case of an LPI translation\ncache hit racing with an operation that invalidates the cache, such\nas a DISCARD ITS command. The root of the problem is that\nvgic_its_check_cache() does not elevate the refcount on the vgic_irq\nbefore dropping the lock that serializes refcount changes.\n\nHave vgic_its_check_cache() raise the refcount on the returned vgic_irq\nand add the corresponding decrement after queueing the interrupt.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26598",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2024-26599",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npwm: Fix out-of-bounds access in of_pwm_single_xlate()\n\nWith args->args_count == 2 args->args[2] is not defined. Actually the\nflags are contained in args->args[1].",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26599",
"detail": "cpe-stable-backport",
"description": "Backported in 6.6.14"
},
{
"id": "CVE-2024-26600",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP\n\nIf the external phy working together with phy-omap-usb2 does not implement\nsend_srp(), we may still attempt to call it. This can happen on an idle\nEthernet gadget triggering a wakeup for example:\n\nconfigfs-gadget.g1 gadget.0: ECM Suspend\nconfigfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup\n...\nUnable to handle kernel NULL pointer dereference at virtual address\n00000000 when execute\n...\nPC is at 0x0\nLR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc]\n...\nmusb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core]\nusb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether]\neth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c\ndev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4\nsch_direct_xmit from __dev_queue_xmit+0x334/0xd88\n__dev_queue_xmit from arp_solicit+0xf0/0x268\narp_solicit from neigh_probe+0x54/0x7c\nneigh_probe from __neigh_event_send+0x22c/0x47c\n__neigh_event_send from neigh_resolve_output+0x14c/0x1c0\nneigh_resolve_output from ip_finish_output2+0x1c8/0x628\nip_finish_output2 from ip_send_skb+0x40/0xd8\nip_send_skb from udp_send_skb+0x124/0x340\nudp_send_skb from udp_sendmsg+0x780/0x984\nudp_sendmsg from __sys_sendto+0xd8/0x158\n__sys_sendto from ret_fast_syscall+0x0/0x58\n\nLet's fix the issue by checking for send_srp() and set_vbus() before\ncalling them. For USB peripheral only cases these both could be NULL.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26600"
},
{
"id": "CVE-2024-26601",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: regenerate buddy after block freeing failed if under fc replay\n\nThis mostly reverts commit 6bd97bf273bd (\"ext4: remove redundant\nmb_regenerate_buddy()\") and reintroduces mb_regenerate_buddy(). Based on\ncode in mb_free_blocks(), fast commit replay can end up marking as free\nblocks that are already marked as such. This causes corruption of the\nbuddy bitmap so we need to regenerate it in that case.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26601"
},
{
"id": "CVE-2024-26602",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/membarrier: reduce the ability to hammer on sys_membarrier\n\nOn some systems, sys_membarrier can be very expensive, causing overall\nslowdowns for everything. So put a lock on the path in order to\nserialize the accesses to prevent the ability for this to be called at\ntoo high of a frequency and saturate the machine.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26602"
},
{
"id": "CVE-2024-26603",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Stop relying on userspace for info to fault in xsave buffer\n\nBefore this change, the expected size of the user space buffer was\ntaken from fx_sw->xstate_size. fx_sw->xstate_size can be changed\nfrom user-space, so it is possible construct a sigreturn frame where:\n\n * fx_sw->xstate_size is smaller than the size required by valid bits in\n fx_sw->xfeatures.\n * user-space unmaps parts of the sigrame fpu buffer so that not all of\n the buffer required by xrstor is accessible.\n\nIn this case, xrstor tries to restore and accesses the unmapped area\nwhich results in a fault. But fault_in_readable succeeds because buf +\nfx_sw->xstate_size is within the still mapped area, so it goes back and\ntries xrstor again. It will spin in this loop forever.\n\nInstead, fault in the maximum size which can be touched by XRSTOR (taken\nfrom fpstate->user_size).\n\n[ dhansen: tweak subject / changelog ]",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26603"
},
{
"id": "CVE-2024-26604",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"kobject: Remove redundant checks for whether ktype is NULL\"\n\nThis reverts commit 1b28cb81dab7c1eedc6034206f4e8d644046ad31.\n\nIt is reported to cause problems, so revert it for now until the root\ncause can be found.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26604"
},
{
"id": "CVE-2024-26605",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/ASPM: Fix deadlock when enabling ASPM\n\nA last minute revert in 6.7-final introduced a potential deadlock when\nenabling ASPM during probe of Qualcomm PCIe controllers as reported by\nlockdep:\n\n ============================================\n WARNING: possible recursive locking detected\n 6.7.0 #40 Not tainted\n --------------------------------------------\n kworker/u16:5/90 is trying to acquire lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc\n\n but task is already holding lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(pci_bus_sem);\n lock(pci_bus_sem);\n\n *** DEADLOCK ***\n\n Call trace:\n print_deadlock_bug+0x25c/0x348\n __lock_acquire+0x10a4/0x2064\n lock_acquire+0x1e8/0x318\n down_read+0x60/0x184\n pcie_aspm_pm_state_change+0x58/0xdc\n pci_set_full_power_state+0xa8/0x114\n pci_set_power_state+0xc4/0x120\n qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom]\n pci_walk_bus+0x64/0xbc\n qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom]\n\nThe deadlock can easily be reproduced on machines like the Lenovo ThinkPad\nX13s by adding a delay to increase the race window during asynchronous\nprobe where another thread can take a write lock.\n\nAdd a new pci_set_power_state_locked() and associated helper functions that\ncan be called with the PCI bus semaphore held to avoid taking the read lock\ntwice.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26605"
},
{
"id": "CVE-2024-26606",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: signal epoll threads of self-work\n\nIn (e)poll mode, threads often depend on I/O events to determine when\ndata is ready for consumption. Within binder, a thread may initiate a\ncommand via BINDER_WRITE_READ without a read buffer and then make use\nof epoll_wait() or similar to consume any responses afterwards.\n\nIt is then crucial that epoll threads are signaled via wakeup when they\nqueue their own work. Otherwise, they risk waiting indefinitely for an\nevent leaving their work unhandled. What is worse, subsequent commands\nwon't trigger a wakeup either as the thread has pending work.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26606"
},
{
"id": "CVE-2024-26881",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash when 1588 is received on HIP08 devices\n\nThe HIP08 devices does not register the ptp devices, so the\nhdev->ptp is NULL, but the hardware can receive 1588 messages,\nand set the HNS3_RXD_TS_VLD_B bit, so, if match this case, the\naccess of hdev->ptp->flags will cause a kernel crash:\n\n[ 5888.946472] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018\n[ 5888.946475] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018\n...\n[ 5889.266118] pc : hclge_ptp_get_rx_hwts+0x40/0x170 [hclge]\n[ 5889.272612] lr : hclge_ptp_get_rx_hwts+0x34/0x170 [hclge]\n[ 5889.279101] sp : ffff800012c3bc50\n[ 5889.283516] x29: ffff800012c3bc50 x28: ffff2040002be040\n[ 5889.289927] x27: ffff800009116484 x26: 0000000080007500\n[ 5889.296333] x25: 0000000000000000 x24: ffff204001c6f000\n[ 5889.302738] x23: ffff204144f53c00 x22: 0000000000000000\n[ 5889.309134] x21: 0000000000000000 x20: ffff204004220080\n[ 5889.315520] x19: ffff204144f53c00 x18: 0000000000000000\n[ 5889.321897] x17: 0000000000000000 x16: 0000000000000000\n[ 5889.328263] x15: 0000004000140ec8 x14: 0000000000000000\n[ 5889.334617] x13: 0000000000000000 x12: 00000000010011df\n[ 5889.340965] x11: bbfeff4d22000000 x10: 0000000000000000\n[ 5889.347303] x9 : ffff800009402124 x8 : 0200f78811dfbb4d\n[ 5889.353637] x7 : 2200000000191b01 x6 : ffff208002a7d480\n[ 5889.359959] x5 : 0000000000000000 x4 : 0000000000000000\n[ 5889.366271] x3 : 0000000000000000 x2 : 0000000000000000\n[ 5889.372567] x1 : 0000000000000000 x0 : ffff20400095c080\n[ 5889.378857] Call trace:\n[ 5889.382285] hclge_ptp_get_rx_hwts+0x40/0x170 [hclge]\n[ 5889.388304] hns3_handle_bdinfo+0x324/0x410 [hns3]\n[ 5889.394055] hns3_handle_rx_bd+0x60/0x150 [hns3]\n[ 5889.399624] hns3_clean_rx_ring+0x84/0x170 [hns3]\n[ 5889.405270] hns3_nic_common_poll+0xa8/0x220 [hns3]\n[ 5889.411084] napi_poll+0xcc/0x264\n[ 5889.415329] net_rx_action+0xd4/0x21c\n[ 5889.419911] __do_softirq+0x130/0x358\n[ 5889.424484] irq_exit+0x134/0x154\n[ 5889.428700] __handle_domain_irq+0x88/0xf0\n[ 5889.433684] gic_handle_irq+0x78/0x2c0\n[ 5889.438319] el1_irq+0xb8/0x140\n[ 5889.442354] arch_cpu_idle+0x18/0x40\n[ 5889.446816] default_idle_call+0x5c/0x1c0\n[ 5889.451714] cpuidle_idle_call+0x174/0x1b0\n[ 5889.456692] do_idle+0xc8/0x160\n[ 5889.460717] cpu_startup_entry+0x30/0xfc\n[ 5889.465523] secondary_start_kernel+0x158/0x1ec\n[ 5889.470936] Code: 97ffab78 f9411c14 91408294 f9457284 (f9400c80)\n[ 5889.477950] SMP: stopping secondary CPUs\n[ 5890.514626] SMP: failed to stop secondary CPUs 0-69,71-95\n[ 5890.522951] Starting crashdump kernel...",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26881"
},
{
"id": "CVE-2024-26882",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()\n\nApply the same fix than ones found in :\n\n8d975c15c0cd (\"ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\")\n1ca1ba465e55 (\"geneve: make sure to pull inner header in geneve_rx()\")\n\nWe have to save skb->network_header in a temporary variable\nin order to be able to recompute the network_header pointer\nafter a pskb_inet_may_pull() call.\n\npskb_inet_may_pull() makes sure the needed headers are in skb->head.\n\nsyzbot reported:\nBUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409\n __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409\n __ipgre_rcv+0x9bc/0xbc0 net/ipv4/ip_gre.c:389\n ipgre_rcv net/ipv4/ip_gre.c:411 [inline]\n gre_rcv+0x423/0x19f0 net/ipv4/ip_gre.c:447\n gre_rcv+0x2a4/0x390 net/ipv4/gre_demux.c:163\n ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254\n dst_input include/net/dst.h:461 [inline]\n ip_rcv_finish net/ipv4/ip_input.c:449 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core net/core/dev.c:5534 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648\n netif_receive_skb_internal net/core/dev.c:5734 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5793\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1556\n tun_get_user+0x53b9/0x66e0 drivers/net/tun.c:2009\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055\n call_write_iter include/linux/fs.h:2087 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb6b/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590\n alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133\n alloc_pages+0x1be/0x1e0 mm/mempolicy.c:2204\n skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2909\n tun_build_skb drivers/net/tun.c:1686 [inline]\n tun_get_user+0xe0a/0x66e0 drivers/net/tun.c:1826\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055\n call_write_iter include/linux/fs.h:2087 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb6b/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26882"
},
{
"id": "CVE-2024-26883",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix stackmap overflow check on 32-bit arches\n\nThe stackmap code relies on roundup_pow_of_two() to compute the number\nof hash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code.\n\nThe commit in the fixes tag actually attempted to fix this, but the fix\ndid not account for the UB, so the fix only works on CPUs where an\noverflow does result in a neat truncation to zero, which is not\nguaranteed. Checking the value before rounding does not have this\nproblem.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26883"
},
{
"id": "CVE-2024-26884",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix hashtab overflow check on 32-bit arches\n\nThe hashtab code relies on roundup_pow_of_two() to compute the number of\nhash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code. So apply the same\nfix to hashtab, by moving the overflow check to before the roundup.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26884"
},
{
"id": "CVE-2024-26885",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix DEVMAP_HASH overflow check on 32-bit arches\n\nThe devmap code allocates a number hash buckets equal to the next power\nof two of the max_entries value provided when creating the map. When\nrounding up to the next power of two, the 32-bit variable storing the\nnumber of buckets can overflow, and the code checks for overflow by\nchecking if the truncated 32-bit value is equal to 0. However, on 32-bit\narches the rounding up itself can overflow mid-way through, because it\nends up doing a left-shift of 32 bits on an unsigned long value. If the\nsize of an unsigned long is four bytes, this is undefined behaviour, so\nthere is no guarantee that we'll end up with a nice and tidy 0-value at\nthe end.\n\nSyzbot managed to turn this into a crash on arm32 by creating a\nDEVMAP_HASH with max_entries > 0x80000000 and then trying to update it.\nFix this by moving the overflow check to before the rounding up\noperation.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26885"
},
{
"id": "CVE-2024-26898",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: fix the potential use-after-free problem in aoecmd_cfg_pkts\n\nThis patch is against CVE-2023-6270. The description of cve is:\n\n A flaw was found in the ATA over Ethernet (AoE) driver in the Linux\n kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on\n `struct net_device`, and a use-after-free can be triggered by racing\n between the free on the struct and the access through the `skbtxq`\n global queue. This could lead to a denial of service condition or\n potential code execution.\n\nIn aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial\ncode is finished. But the net_device ifp will still be used in\nlater tx()->dev_queue_xmit() in kthread. Which means that the\ndev_put(ifp) should NOT be called in the success path of skb\ninitial code in aoecmd_cfg_pkts(). Otherwise tx() may run into\nuse-after-free because the net_device is freed.\n\nThis patch removed the dev_put(ifp) in the success path in\naoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26898"
},
{
"id": "CVE-2024-26899",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix deadlock between bd_link_disk_holder and partition scan\n\n'open_mutex' of gendisk is used to protect open/close block devices. But\nin bd_link_disk_holder(), it is used to protect the creation of symlink\nbetween holding disk and slave bdev, which introduces some issues.\n\nWhen bd_link_disk_holder() is called, the driver is usually in the process\nof initialization/modification and may suspend submitting io. At this\ntime, any io hold 'open_mutex', such as scanning partitions, can cause\ndeadlocks. For example, in raid:\n\nT1 T2\nbdev_open_by_dev\n lock open_mutex [1]\n ...\n efi_partition\n ...\n md_submit_bio\n\t\t\t\tmd_ioctl mddev_syspend\n\t\t\t\t -> suspend all io\n\t\t\t\t md_add_new_disk\n\t\t\t\t bind_rdev_to_array\n\t\t\t\t bd_link_disk_holder\n\t\t\t\t try lock open_mutex [2]\n md_handle_request\n -> wait mddev_resume\n\nT1 scan partition, T2 add a new device to raid. T1 waits for T2 to resume\nmddev, but T2 waits for open_mutex held by T1. Deadlock occurs.\n\nFix it by introducing a local mutex 'blk_holder_mutex' to replace\n'open_mutex'.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26899"
},
{
"id": "CVE-2024-26900",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix kmemleak of rdev->serial\n\nIf kobject_add() is fail in bind_rdev_to_array(), 'rdev->serial' will be\nalloc not be freed, and kmemleak occurs.\n\nunreferenced object 0xffff88815a350000 (size 49152):\n comm \"mdadm\", pid 789, jiffies 4294716910\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc f773277a):\n [<0000000058b0a453>] kmemleak_alloc+0x61/0xe0\n [<00000000366adf14>] __kmalloc_large_node+0x15e/0x270\n [<000000002e82961b>] __kmalloc_node.cold+0x11/0x7f\n [<00000000f206d60a>] kvmalloc_node+0x74/0x150\n [<0000000034bf3363>] rdev_init_serial+0x67/0x170\n [<0000000010e08fe9>] mddev_create_serial_pool+0x62/0x220\n [<00000000c3837bf0>] bind_rdev_to_array+0x2af/0x630\n [<0000000073c28560>] md_add_new_disk+0x400/0x9f0\n [<00000000770e30ff>] md_ioctl+0x15bf/0x1c10\n [<000000006cfab718>] blkdev_ioctl+0x191/0x3f0\n [<0000000085086a11>] vfs_ioctl+0x22/0x60\n [<0000000018b656fe>] __x64_sys_ioctl+0xba/0xe0\n [<00000000e54e675e>] do_syscall_64+0x71/0x150\n [<000000008b0ad622>] entry_SYSCALL_64_after_hwframe+0x6c/0x74",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26900"
},
{
"id": "CVE-2024-26901",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndo_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak\n\nsyzbot identified a kernel information leak vulnerability in\ndo_sys_name_to_handle() and issued the following report [1].\n\n[1]\n\"BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n do_sys_name_to_handle fs/fhandle.c:73 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\n\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n __do_kmalloc_node mm/slab_common.c:1006 [inline]\n __kmalloc+0x121/0x3c0 mm/slab_common.c:1020\n kmalloc include/linux/slab.h:604 [inline]\n do_sys_name_to_handle fs/fhandle.c:39 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\n\nBytes 18-19 of 20 are uninitialized\nMemory access of size 20 starts at ffff888128a46380\nData copied to user address 0000000020000240\"\n\nPer Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to\nsolve the problem.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26901"
},
{
"id": "CVE-2024-26902",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: RISCV: Fix panic on pmu overflow handler\n\n(1 << idx) of int is not desired when setting bits in unsigned long\noverflowed_ctrs, use BIT() instead. This panic happens when running\n'perf record -e branches' on sophgo sg2042.\n\n[ 273.311852] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098\n[ 273.320851] Oops [#1]\n[ 273.323179] Modules linked in:\n[ 273.326303] CPU: 0 PID: 1475 Comm: perf Not tainted 6.6.0-rc3+ #9\n[ 273.332521] Hardware name: Sophgo Mango (DT)\n[ 273.336878] epc : riscv_pmu_ctr_get_width_mask+0x8/0x62\n[ 273.342291] ra : pmu_sbi_ovf_handler+0x2e0/0x34e\n[ 273.347091] epc : ffffffff80aecd98 ra : ffffffff80aee056 sp : fffffff6e36928b0\n[ 273.354454] gp : ffffffff821f82d0 tp : ffffffd90c353200 t0 : 0000002ade4f9978\n[ 273.361815] t1 : 0000000000504d55 t2 : ffffffff8016cd8c s0 : fffffff6e3692a70\n[ 273.369180] s1 : 0000000000000020 a0 : 0000000000000000 a1 : 00001a8e81800000\n[ 273.376540] a2 : 0000003c00070198 a3 : 0000003c00db75a4 a4 : 0000000000000015\n[ 273.383901] a5 : ffffffd7ff8804b0 a6 : 0000000000000015 a7 : 000000000000002a\n[ 273.391327] s2 : 000000000000ffff s3 : 0000000000000000 s4 : ffffffd7ff8803b0\n[ 273.398773] s5 : 0000000000504d55 s6 : ffffffd905069800 s7 : ffffffff821fe210\n[ 273.406139] s8 : 000000007fffffff s9 : ffffffd7ff8803b0 s10: ffffffd903f29098\n[ 273.413660] s11: 0000000080000000 t3 : 0000000000000003 t4 : ffffffff8017a0ca\n[ 273.421022] t5 : ffffffff8023cfc2 t6 : ffffffd9040780e8\n[ 273.426437] status: 0000000200000100 badaddr: 0000000000000098 cause: 000000000000000d\n[ 273.434512] [] riscv_pmu_ctr_get_width_mask+0x8/0x62\n[ 273.441169] [] handle_percpu_devid_irq+0x98/0x1ee\n[ 273.447562] [] generic_handle_domain_irq+0x28/0x36\n[ 273.454151] [] riscv_intc_irq+0x36/0x4e\n[ 273.459659] [] handle_riscv_irq+0x4a/0x74\n[ 273.465442] [] do_irq+0x62/0x92\n[ 273.470360] Code: 0420 60a2 6402 5529 0141 8082 0013 0000 0013 0000 (6d5c) b783\n[ 273.477921] ---[ end trace 0000000000000000 ]---\n[ 273.482630] Kernel panic - not syncing: Fatal exception in interrupt",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26902"
},
{
"id": "CVE-2024-26903",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security\n\nDuring our fuzz testing of the connection and disconnection process at the\nRFCOMM layer, we discovered this bug. By comparing the packets from a\nnormal connection and disconnection process with the testcase that\ntriggered a KASAN report. We analyzed the cause of this bug as follows:\n\n1. In the packets captured during a normal connection, the host sends a\n`Read Encryption Key Size` type of `HCI_CMD` packet\n(Command Opcode: 0x1408) to the controller to inquire the length of\nencryption key.After receiving this packet, the controller immediately\nreplies with a Command Completepacket (Event Code: 0x0e) to return the\nEncryption Key Size.\n\n2. In our fuzz test case, the timing of the controller's response to this\npacket was delayed to an unexpected point: after the RFCOMM and L2CAP\nlayers had disconnected but before the HCI layer had disconnected.\n\n3. After receiving the Encryption Key Size Response at the time described\nin point 2, the host still called the rfcomm_check_security function.\nHowever, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;`\nhad already been released, and when the function executed\n`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`,\nspecifically when accessing `conn->hcon`, a null-ptr-deref error occurred.\n\nTo fix this bug, check if `sk->sk_state` is BT_CLOSED before calling\nrfcomm_recv_frame in rfcomm_process_rx.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26903"
},
{
"id": "CVE-2024-26907",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix fortify source warning while accessing Eth segment\n\n ------------[ cut here ]------------\n memcpy: detected field-spanning write (size 56) of single field \"eseg->inline_hdr.start\" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2)\n WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy\n [last unloaded: mlx_compat(OE)]\n CPU: 0 PID: 293779 Comm: ssh Tainted: G OE 6.2.0-32-generic #32~22.04.1-Ubuntu\n Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7\n RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8\n R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80\n FS: 00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \n ? show_regs+0x72/0x90\n ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n ? __warn+0x8d/0x160\n ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n ? report_bug+0x1bb/0x1d0\n ? handle_bug+0x46/0x90\n ? exc_invalid_op+0x19/0x80\n ? asm_exc_invalid_op+0x1b/0x20\n ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib]\n ipoib_send+0x2ec/0x770 [ib_ipoib]\n ipoib_start_xmit+0x5a0/0x770 [ib_ipoib]\n dev_hard_start_xmit+0x8e/0x1e0\n ? validate_xmit_skb_list+0x4d/0x80\n sch_direct_xmit+0x116/0x3a0\n __dev_xmit_skb+0x1fd/0x580\n __dev_queue_xmit+0x284/0x6b0\n ? _raw_spin_unlock_irq+0xe/0x50\n ? __flush_work.isra.0+0x20d/0x370\n ? push_pseudo_header+0x17/0x40 [ib_ipoib]\n neigh_connected_output+0xcd/0x110\n ip_finish_output2+0x179/0x480\n ? __smp_call_single_queue+0x61/0xa0\n __ip_finish_output+0xc3/0x190\n ip_finish_output+0x2e/0xf0\n ip_output+0x78/0x110\n ? __pfx_ip_finish_output+0x10/0x10\n ip_local_out+0x64/0x70\n __ip_queue_xmit+0x18a/0x460\n ip_queue_xmit+0x15/0x30\n __tcp_transmit_skb+0x914/0x9c0\n tcp_write_xmit+0x334/0x8d0\n tcp_push_one+0x3c/0x60\n tcp_sendmsg_locked+0x2e1/0xac0\n tcp_sendmsg+0x2d/0x50\n inet_sendmsg+0x43/0x90\n sock_sendmsg+0x68/0x80\n sock_write_iter+0x93/0x100\n vfs_write+0x326/0x3c0\n ksys_write+0xbd/0xf0\n ? do_syscall_64+0x69/0x90\n __x64_sys_write+0x19/0x30\n do_syscall_\n---truncated---",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26907"
},
{
"id": "CVE-2024-26909",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pmic_glink_altmode: fix drm bridge use-after-free\n\nA recent DRM series purporting to simplify support for \"transparent\nbridges\" and handling of probe deferrals ironically exposed a\nuse-after-free issue on pmic_glink_altmode probe deferral.\n\nThis has manifested itself as the display subsystem occasionally failing\nto initialise and NULL-pointer dereferences during boot of machines like\nthe Lenovo ThinkPad X13s.\n\nSpecifically, the dp-hpd bridge is currently registered before all\nresources have been acquired which means that it can also be\nderegistered on probe deferrals.\n\nIn the meantime there is a race window where the new aux bridge driver\n(or PHY driver previously) may have looked up the dp-hpd bridge and\nstored a (non-reference-counted) pointer to the bridge which is about to\nbe deallocated.\n\nWhen the display controller is later initialised, this triggers a\nuse-after-free when attaching the bridges:\n\n\tdp -> aux -> dp-hpd (freed)\n\nwhich may, for example, result in the freed bridge failing to attach:\n\n\t[drm:drm_bridge_attach [drm]] *ERROR* failed to attach bridge /soc@0/phy@88eb000 to encoder TMDS-31: -16\n\nor a NULL-pointer dereference:\n\n\tUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n\t...\n\tCall trace:\n\t drm_bridge_attach+0x70/0x1a8 [drm]\n\t drm_aux_bridge_attach+0x24/0x38 [aux_bridge]\n\t drm_bridge_attach+0x80/0x1a8 [drm]\n\t dp_bridge_init+0xa8/0x15c [msm]\n\t msm_dp_modeset_init+0x28/0xc4 [msm]\n\nThe DRM bridge implementation is clearly fragile and implicitly built on\nthe assumption that bridges may never go away. In this case, the fix is\nto move the bridge registration in the pmic_glink_altmode driver to\nafter all resources have been looked up.\n\nIncidentally, with the new dp-hpd bridge implementation, which registers\nchild devices, this is also a requirement due to a long-standing issue\nin driver core that can otherwise lead to a probe deferral loop (see\ncommit fbc35b45f9f6 (\"Add documentation on meaning of -EPROBE_DEFER\")).\n\n[DB: slightly fixed commit message by adding the word 'commit']",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26909"
},
{
"id": "CVE-2024-26910",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: fix performance regression in swap operation\n\nThe patch \"netfilter: ipset: fix race condition between swap/destroy\nand kernel side add/del/test\", commit 28628fa9 fixes a race condition.\nBut the synchronize_rcu() added to the swap function unnecessarily slows\nit down: it can safely be moved to destroy and use call_rcu() instead.\n\nEric Dumazet pointed out that simply calling the destroy functions as\nrcu callback does not work: sets with timeout use garbage collectors\nwhich need cancelling at destroy which can wait. Therefore the destroy\nfunctions are split into two: cancelling garbage collectors safely at\nexecuting the command received by netlink and moving the remaining\npart only into the rcu callback.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26910"
},
{
"id": "CVE-2024-26911",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/buddy: Fix alloc_range() error handling code\n\nFew users have observed display corruption when they boot\nthe machine to KDE Plasma or playing games. We have root\ncaused the problem that whenever alloc_range() couldn't\nfind the required memory blocks the function was returning\nSUCCESS in some of the corner cases.\n\nThe right approach would be if the total allocated size\nis less than the required size, the function should\nreturn -ENOSPC.",
"scorev2": "0.0",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26911"
},
{
"id": "CVE-2024-26912",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix several DMA buffer leaks\n\nNouveau manages GSP-RM DMA buffers with nvkm_gsp_mem objects. Several of\nthese buffers are never dealloced. Some of them can be deallocated\nright after GSP-RM is initialized, but the rest need to stay until the\ndriver unloads.\n\nAlso futher bullet-proof these objects by poisoning the buffer and\nclearing the nvkm_gsp_mem object when it is deallocated. Poisoning\nthe buffer should trigger an error (or crash) from GSP-RM if it tries\nto access the buffer after we've deallocated it, because we were wrong\nabout when it is safe to deallocate.\n\nFinally, change the mem->size field to a size_t because that's the same\ntype that dma_alloc_coherent expects.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26912"
},
{
"id": "CVE-2024-26913",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix dcn35 8k30 Underflow/Corruption Issue\n\n[why]\nodm calculation is missing for pipe split policy determination\nand cause Underflow/Corruption issue.\n\n[how]\nAdd the odm calculation.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26913"
},
{
"id": "CVE-2024-26929",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix double free of fcport\n\nThe server was crashing after LOGO because fcport was getting freed twice.\n\n -----------[ cut here ]-----------\n kernel BUG at mm/slub.c:371!\n invalid opcode: 0000 1 SMP PTI\n CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\n RIP: 0010:set_freepointer.part.57+0x0/0x10\n RSP: 0018:ffffb07107027d90 EFLAGS: 00010246\n RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400\n RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500\n RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009\n R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500\n R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58\n FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n kfree+0x238/0x250\n qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx]\n ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx]\n qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]\n ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]\n ? kernfs_fop_write+0x11e/0x1a0\n\nRemove one of the free calls and add check for valid fcport. Also use\nfunction qla2x00_free_fcport() instead of kfree().",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26929"
},
{
"id": "CVE-2024-26930",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix double free of the ha->vp_map pointer\n\nCoverity scan reported potential risk of double free of the pointer\nha->vp_map. ha->vp_map was freed in qla2x00_mem_alloc(), and again freed\nin function qla2x00_mem_free(ha).\n\nAssign NULL to vp_map and kfree take care of NULL.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26930"
},
{
"id": "CVE-2024-26932",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd()\n\nWhen unregister pd capabilitie in tcpm, KASAN will capture below double\n-free issue. The root cause is the same capabilitiy will be kfreed twice,\nthe first time is kfreed by pd_capabilities_release() and the second time\nis explicitly kfreed by tcpm_port_unregister_pd().\n\n[ 3.988059] BUG: KASAN: double-free in tcpm_port_unregister_pd+0x1a4/0x3dc\n[ 3.995001] Free of addr ffff0008164d3000 by task kworker/u16:0/10\n[ 4.001206]\n[ 4.002712] CPU: 2 PID: 10 Comm: kworker/u16:0 Not tainted 6.8.0-rc5-next-20240220-05616-g52728c567a55 #53\n[ 4.012402] Hardware name: Freescale i.MX8QXP MEK (DT)\n[ 4.017569] Workqueue: events_unbound deferred_probe_work_func\n[ 4.023456] Call trace:\n[ 4.025920] dump_backtrace+0x94/0xec\n[ 4.029629] show_stack+0x18/0x24\n[ 4.032974] dump_stack_lvl+0x78/0x90\n[ 4.036675] print_report+0xfc/0x5c0\n[ 4.040289] kasan_report_invalid_free+0xa0/0xc0\n[ 4.044937] __kasan_slab_free+0x124/0x154\n[ 4.049072] kfree+0xb4/0x1e8\n[ 4.052069] tcpm_port_unregister_pd+0x1a4/0x3dc\n[ 4.056725] tcpm_register_port+0x1dd0/0x2558\n[ 4.061121] tcpci_register_port+0x420/0x71c\n[ 4.065430] tcpci_probe+0x118/0x2e0\n\nTo fix the issue, this will remove kree() from tcpm_port_unregister_pd().",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26932"
},
{
"id": "CVE-2024-26933",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix deadlock in port \"disable\" sysfs attribute\n\nThe show and store callback routines for the \"disable\" sysfs attribute\nfile in port.c acquire the device lock for the port's parent hub\ndevice. This can cause problems if another process has locked the hub\nto remove it or change its configuration:\n\n\tRemoving the hub or changing its configuration requires the\n\thub interface to be removed, which requires the port device\n\tto be removed, and device_del() waits until all outstanding\n\tsysfs attribute callbacks for the ports have returned. The\n\tlock can't be released until then.\n\n\tBut the disable_show() or disable_store() routine can't return\n\tuntil after it has acquired the lock.\n\nThe resulting deadlock can be avoided by calling\nsysfs_break_active_protection(). This will cause the sysfs core not\nto wait for the attribute's callback routine to return, allowing the\nremoval to proceed. The disadvantage is that after making this call,\nthere is no guarantee that the hub structure won't be deallocated at\nany moment. To prevent this, we have to acquire a reference to it\nfirst by calling hub_get().",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26933"
},
{
"id": "CVE-2024-26934",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix deadlock in usb_deauthorize_interface()\n\nAmong the attribute file callback routines in\ndrivers/usb/core/sysfs.c, the interface_authorized_store() function is\nthe only one which acquires a device lock on an ancestor device: It\ncalls usb_deauthorize_interface(), which locks the interface's parent\nUSB device.\n\nThe will lead to deadlock if another process already owns that lock\nand tries to remove the interface, whether through a configuration\nchange or because the device has been disconnected. As part of the\nremoval procedure, device_del() waits for all ongoing sysfs attribute\ncallbacks to complete. But usb_deauthorize_interface() can't complete\nuntil the device lock has been released, and the lock won't be\nreleased until the removal has finished.\n\nThe mechanism provided by sysfs to prevent this kind of deadlock is\nto use the sysfs_break_active_protection() function, which tells sysfs\nnot to wait for the attribute callback.\n\nReported-and-tested by: Yue Sun \nReported by: xingwei lee ",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26934"
},
{
"id": "CVE-2024-26942",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: qcom: at803x: fix kernel panic with at8031_probe\n\nOn reworking and splitting the at803x driver, in splitting function of\nat803x PHYs it was added a NULL dereference bug where priv is referenced\nbefore it's actually allocated and then is tried to write to for the\nis_1000basex and is_fiber variables in the case of at8031, writing on\nthe wrong address.\n\nFix this by correctly setting priv local variable only after\nat803x_probe is called and actually allocates priv in the phydev struct.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26942"
},
{
"id": "CVE-2024-26949",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/pm: Fix NULL pointer dereference when get power limit\n\nBecause powerplay_table initialization is skipped under\nsriov case, We check and set default lower and upper OD\nvalue if powerplay_table is NULL.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26949"
},
{
"id": "CVE-2024-26952",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix potencial out-of-bounds when buffer offset is invalid\n\nI found potencial out-of-bounds when buffer offset fields of a few requests\nis invalid. This patch set the minimum value of buffer offset field to\n->Buffer offset to validate buffer length.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26952"
},
{
"id": "CVE-2024-26978",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: max310x: fix NULL pointer dereference in I2C instantiation\n\nWhen trying to instantiate a max14830 device from userspace:\n\n echo max14830 0x60 > /sys/bus/i2c/devices/i2c-2/new_device\n\nwe get the following error:\n\n Unable to handle kernel NULL pointer dereference at virtual address...\n ...\n Call trace:\n max310x_i2c_probe+0x48/0x170 [max310x]\n i2c_device_probe+0x150/0x2a0\n ...\n\nAdd check for validity of devtype to prevent the error, and abort probe\nwith a meaningful error message.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26978"
},
{
"id": "CVE-2024-26986",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix memory leak in create_process failure\n\nFix memory leak due to a leaked mmget reference on an error handling\ncode path that is triggered when attempting to create KFD processes\nwhile a GPU reset is in progress.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26986"
},
{
"id": "CVE-2024-26987",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled\n\nWhen I did hard offline test with hugetlb pages, below deadlock occurs:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.8.0-11409-gf6cef5f8c37f #1 Not tainted\n------------------------------------------------------\nbash/46904 is trying to acquire lock:\nffffffffabe68910 (cpu_hotplug_lock){++++}-{0:0}, at: static_key_slow_dec+0x16/0x60\n\nbut task is already holding lock:\nffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (pcp_batch_high_lock){+.+.}-{3:3}:\n __mutex_lock+0x6c/0x770\n page_alloc_cpu_online+0x3c/0x70\n cpuhp_invoke_callback+0x397/0x5f0\n __cpuhp_invoke_callback_range+0x71/0xe0\n _cpu_up+0xeb/0x210\n cpu_up+0x91/0xe0\n cpuhp_bringup_mask+0x49/0xb0\n bringup_nonboot_cpus+0xb7/0xe0\n smp_init+0x25/0xa0\n kernel_init_freeable+0x15f/0x3e0\n kernel_init+0x15/0x1b0\n ret_from_fork+0x2f/0x50\n ret_from_fork_asm+0x1a/0x30\n\n-> #0 (cpu_hotplug_lock){++++}-{0:0}:\n __lock_acquire+0x1298/0x1cd0\n lock_acquire+0xc0/0x2b0\n cpus_read_lock+0x2a/0xc0\n static_key_slow_dec+0x16/0x60\n __hugetlb_vmemmap_restore_folio+0x1b9/0x200\n dissolve_free_huge_page+0x211/0x260\n __page_handle_poison+0x45/0xc0\n memory_failure+0x65e/0xc70\n hard_offline_page_store+0x55/0xa0\n kernfs_fop_write_iter+0x12c/0x1d0\n vfs_write+0x387/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xca/0x1e0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(pcp_batch_high_lock);\n lock(cpu_hotplug_lock);\n lock(pcp_batch_high_lock);\n rlock(cpu_hotplug_lock);\n\n *** DEADLOCK ***\n\n5 locks held by bash/46904:\n #0: ffff98f6c3bb23f0 (sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x64/0xe0\n #1: ffff98f6c328e488 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0xf8/0x1d0\n #2: ffff98ef83b31890 (kn->active#113){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x100/0x1d0\n #3: ffffffffabf9db48 (mf_mutex){+.+.}-{3:3}, at: memory_failure+0x44/0xc70\n #4: ffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40\n\nstack backtrace:\nCPU: 10 PID: 46904 Comm: bash Kdump: loaded Not tainted 6.8.0-11409-gf6cef5f8c37f #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x68/0xa0\n check_noncircular+0x129/0x140\n __lock_acquire+0x1298/0x1cd0\n lock_acquire+0xc0/0x2b0\n cpus_read_lock+0x2a/0xc0\n static_key_slow_dec+0x16/0x60\n __hugetlb_vmemmap_restore_folio+0x1b9/0x200\n dissolve_free_huge_page+0x211/0x260\n __page_handle_poison+0x45/0xc0\n memory_failure+0x65e/0xc70\n hard_offline_page_store+0x55/0xa0\n kernfs_fop_write_iter+0x12c/0x1d0\n vfs_write+0x387/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xca/0x1e0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7fc862314887\nCode: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24\nRSP: 002b:00007fff19311268 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007fc862314887\nRDX: 000000000000000c RSI: 000056405645fe10 RDI: 0000000000000001\nRBP: 000056405645fe10 R08: 00007fc8623d1460 R09: 000000007fffffff\nR10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c\nR13: 00007fc86241b780 R14: 00007fc862417600 R15: 00007fc862416a00\n\nIn short, below scene breaks the \n---truncated---",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26987"
},
{
"id": "CVE-2024-27012",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: restore set elements when delete set fails\n\nFrom abort path, nft_mapelem_activate() needs to restore refcounters to\nthe original state. Currently, it uses the set->ops->walk() to iterate\nover these set elements. The existing set iterator skips inactive\nelements in the next generation, this does not work from the abort path\nto restore the original state since it has to skip active elements\ninstead (not inactive ones).\n\nThis patch moves the check for inactive elements to the set iterator\ncallback, then it reverses the logic for the .activate case which\nneeds to skip active elements.\n\nToggle next generation bit for elements when delete set command is\ninvoked and call nft_clear() from .activate (abort) path to restore the\nnext generation bit.\n\nThe splat below shows an object in mappings memleak:\n\n[43929.457523] ------------[ cut here ]------------\n[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[...]\n[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90\n[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246\n[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000\n[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550\n[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f\n[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0\n[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002\n[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0\n[43929.458114] Call Trace:\n[43929.458118] \n[43929.458121] ? __warn+0x9f/0x1a0\n[43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458188] ? report_bug+0x1b1/0x1e0\n[43929.458196] ? handle_bug+0x3c/0x70\n[43929.458200] ? exc_invalid_op+0x17/0x40\n[43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]\n[43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables]\n[43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables]\n[43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]\n[43929.458512] ? rb_insert_color+0x2e/0x280\n[43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables]\n[43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]\n[43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]\n[43929.458701] ? __rcu_read_unlock+0x46/0x70\n[43929.458709] nft_delset+0xff/0x110 [nf_tables]\n[43929.458769] nft_flush_table+0x16f/0x460 [nf_tables]\n[43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27012"
},
{
"id": "CVE-2024-27013",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: limit printing rate when illegal packet received by tun dev\n\nvhost_worker will call tun call backs to receive packets. If too many\nillegal packets arrives, tun_do_read will keep dumping packet contents.\nWhen console is enabled, it will costs much more cpu time to dump\npacket and soft lockup will be detected.\n\nnet_ratelimit mechanism can be used to limit the dumping rate.\n\nPID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: \"vhost-32980\"\n #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253\n #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3\n #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e\n #3 [fffffe00003fced0] do_nmi at ffffffff8922660d\n #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663\n [exception RIP: io_serial_in+20]\n RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002\n RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000\n RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0\n RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f\n R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020\n R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n #5 [ffffa655314979e8] io_serial_in at ffffffff89792594\n #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470\n #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6\n #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605\n #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558\n #10 [ffffa65531497ac8] console_unlock at ffffffff89316124\n #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07\n #12 [ffffa65531497b68] printk at ffffffff89318306\n #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765\n #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun]\n #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun]\n #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net]\n #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost]\n #18 [ffffa65531497f10] kthread at ffffffff892d2e72\n #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27013"
},
{
"id": "CVE-2024-27014",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Prevent deadlock while disabling aRFS\n\nWhen disabling aRFS under the `priv->state_lock`, any scheduled\naRFS works are canceled using the `cancel_work_sync` function,\nwhich waits for the work to end if it has already started.\nHowever, while waiting for the work handler, the handler will\ntry to acquire the `state_lock` which is already acquired.\n\nThe worker acquires the lock to delete the rules if the state\nis down, which is not the worker's responsibility since\ndisabling aRFS deletes the rules.\n\nAdd an aRFS state variable, which indicates whether the aRFS is\nenabled and prevent adding rules when the aRFS is disabled.\n\nKernel log:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G I\n------------------------------------------------------\nethtool/386089 is trying to acquire lock:\nffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0\n\nbut task is already holding lock:\nffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (&priv->state_lock){+.+.}-{3:3}:\n __mutex_lock+0x80/0xc90\n arfs_handle_work+0x4b/0x3b0 [mlx5_core]\n process_one_work+0x1dc/0x4a0\n worker_thread+0x1bf/0x3c0\n kthread+0xd7/0x100\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n\n-> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}:\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n __flush_work+0x7a/0x4e0\n __cancel_work_timer+0x131/0x1c0\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n netlink_rcv_skb+0x54/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x1a1/0x270\n netlink_sendmsg+0x214/0x460\n __sock_sendmsg+0x38/0x60\n __sys_sendto+0x113/0x170\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(&priv->state_lock);\n lock((work_completion)(&rule->arfs_work));\n lock(&priv->state_lock);\n lock((work_completion)(&rule->arfs_work));\n\n *** DEADLOCK ***\n\n3 locks held by ethtool/386089:\n #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40\n #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240\n #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\n\nstack backtrace:\nCPU: 15 PID: 386089 Comm: ethtool Tainted: G I 6.7.0-rc4_net_next_mlx5_5483eb2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x60/0xa0\n check_noncircular+0x144/0x160\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n ? __flush_work+0x74/0x4e0\n ? save_trace+0x3e/0x360\n ? __flush_work+0x74/0x4e0\n __flush_work+0x7a/0x4e0\n ? __flush_work+0x74/0x4e0\n ? __lock_acquire+0xa78/0x2c80\n ? lock_acquire+0xd0/0x2b0\n ? mark_held_locks+0x49/0x70\n __cancel_work_timer+0x131/0x1c0\n ? mark_held_locks+0x49/0x70\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n ? ethn\n---truncated---",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27014"
},
{
"id": "CVE-2024-27015",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: incorrect pppoe tuple\n\npppoe traffic reaching ingress path does not match the flowtable entry\nbecause the pppoe header is expected to be at the network header offset.\nThis bug causes a mismatch in the flow table lookup, so pppoe packets\nenter the classical forwarding path.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27015"
},
{
"id": "CVE-2024-27016",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: validate pppoe header\n\nEnsure there is sufficient room to access the protocol field of the\nPPPoe header. Validate it once before the flowtable lookup, then use a\nhelper function to access protocol field.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27016"
},
{
"id": "CVE-2024-27017",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: walk over current view on netlink dump\n\nThe generation mask can be updated while netlink dump is in progress.\nThe pipapo set backend walk iterator cannot rely on it to infer what\nview of the datastructure is to be used. Add notation to specify if user\nwants to read/update the set.\n\nBased on patch from Florian Westphal.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27017"
},
{
"id": "CVE-2024-27018",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: skip conntrack input hook for promisc packets\n\nFor historical reasons, when bridge device is in promisc mode, packets\nthat are directed to the taps follow bridge input hook path. This patch\nadds a workaround to reset conntrack for these packets.\n\nJianbo Liu reports warning splats in their test infrastructure where\ncloned packets reach the br_netfilter input hook to confirm the\nconntrack object.\n\nScratch one bit from BR_INPUT_SKB_CB to annotate that this packet has\nreached the input hook because it is passed up to the bridge device to\nreach the taps.\n\n[ 57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core\n[ 57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19\n[ 57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1\n[ 57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202\n[ 57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000\n[ 57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000\n[ 57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003\n[ 57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000\n[ 57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800\n[ 57.582313] FS: 0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000\n[ 57.583040] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0\n[ 57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[ 57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[ 57.585440] Call Trace:\n[ 57.585721] \n[ 57.585976] ? __warn+0x7d/0x130\n[ 57.586323] ? br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.586811] ? report_bug+0xf1/0x1c0\n[ 57.587177] ? handle_bug+0x3f/0x70\n[ 57.587539] ? exc_invalid_op+0x13/0x60\n[ 57.587929] ? asm_exc_invalid_op+0x16/0x20\n[ 57.588336] ? br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.588825] nf_hook_slow+0x3d/0xd0\n[ 57.589188] ? br_handle_vlan+0x4b/0x110\n[ 57.589579] br_pass_frame_up+0xfc/0x150\n[ 57.589970] ? br_port_flags_change+0x40/0x40\n[ 57.590396] br_handle_frame_finish+0x346/0x5e0\n[ 57.590837] ? ipt_do_table+0x32e/0x430\n[ 57.591221] ? br_handle_local_finish+0x20/0x20\n[ 57.591656] br_nf_hook_thresh+0x4b/0xf0 [br_netfilter]\n[ 57.592286] ? br_handle_local_finish+0x20/0x20\n[ 57.592802] br_nf_pre_routing_finish+0x178/0x480 [br_netfilter]\n[ 57.593348] ? br_handle_local_finish+0x20/0x20\n[ 57.593782] ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat]\n[ 57.594279] br_nf_pre_routing+0x24c/0x550 [br_netfilter]\n[ 57.594780] ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter]\n[ 57.595280] br_handle_frame+0x1f3/0x3d0\n[ 57.595676] ? br_handle_local_finish+0x20/0x20\n[ 57.596118] ? br_handle_frame_finish+0x5e0/0x5e0\n[ 57.596566] __netif_receive_skb_core+0x25b/0xfc0\n[ 57.597017] ? __napi_build_skb+0x37/0x40\n[ 57.597418] __netif_receive_skb_list_core+0xfb/0x220",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27018"
},
{
"id": "CVE-2024-27019",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()\n\nnft_unregister_obj() can concurrent with __nft_obj_type_get(),\nand there is not any protection when iterate over nf_tables_objects\nlist in __nft_obj_type_get(). Therefore, there is potential data-race\nof nf_tables_objects list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_objects\nlist in __nft_obj_type_get(), and use rcu_read_lock() in the caller\nnft_obj_type_get() to protect the entire type query process.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27019"
},
{
"id": "CVE-2024-27020",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()\n\nnft_unregister_expr() can concurrent with __nft_expr_type_get(),\nand there is not any protection when iterate over nf_tables_expressions\nlist in __nft_expr_type_get(). Therefore, there is potential data-race\nof nf_tables_expressions list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_expressions\nlist in __nft_expr_type_get(), and use rcu_read_lock() in the caller\nnft_expr_type_get() to protect the entire type query process.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27020"
},
{
"id": "CVE-2024-27021",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nr8169: fix LED-related deadlock on module removal\n\nBinding devm_led_classdev_register() to the netdev is problematic\nbecause on module removal we get a RTNL-related deadlock. Fix this\nby avoiding the device-managed LED functions.\n\nNote: We can safely call led_classdev_unregister() for a LED even\nif registering it failed, because led_classdev_unregister() detects\nthis and is a no-op in this case.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27021"
},
{
"id": "CVE-2024-27022",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfork: defer linking file vma until vma is fully initialized\n\nThorvald reported a WARNING [1]. And the root cause is below race:\n\n CPU 1\t\t\t\t\tCPU 2\n fork\t\t\t\t\thugetlbfs_fallocate\n dup_mmap\t\t\t\t hugetlbfs_punch_hole\n i_mmap_lock_write(mapping);\n vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree.\n i_mmap_unlock_write(mapping);\n hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem!\n\t\t\t\t\t i_mmap_lock_write(mapping);\n \t\t\t\t\t hugetlb_vmdelete_list\n\t\t\t\t\t vma_interval_tree_foreach\n\t\t\t\t\t hugetlb_vma_trylock_write -- Vma_lock is cleared.\n tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem!\n\t\t\t\t\t hugetlb_vma_unlock_write -- Vma_lock is assigned!!!\n\t\t\t\t\t i_mmap_unlock_write(mapping);\n\nhugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside\ni_mmap_rwsem lock while vma lock can be used in the same time. Fix this\nby deferring linking file vma until vma is fully initialized. Those vmas\nshould be initialized first before they can be used.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27022"
},
{
"id": "CVE-2024-35972",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix possible memory leak in bnxt_rdma_aux_device_init()\n\nIf ulp = kzalloc() fails, the allocated edev will leak because it is\nnot properly assigned and the cleanup path will not be able to free it.\nFix it by assigning it properly immediately after allocation.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35972"
},
{
"id": "CVE-2024-35978",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix memory leak in hci_req_sync_complete()\n\nIn 'hci_req_sync_complete()', always free the previous sync\nrequest state before assigning reference to a new one.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35978"
},
{
"id": "CVE-2024-35982",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: Avoid infinite loop trying to resize local TT\n\nIf the MTU of one of an attached interface becomes too small to transmit\nthe local translation table then it must be resized to fit inside all\nfragments (when enabled) or a single packet.\n\nBut if the MTU becomes too low to transmit even the header + the VLAN\nspecific part then the resizing of the local TT will never succeed. This\ncan for example happen when the usable space is 110 bytes and 11 VLANs are\non top of batman-adv. In this case, at least 116 byte would be needed.\nThere will just be an endless spam of\n\n batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)\n\nin the log but the function will never finish. Problem here is that the\ntimeout will be halved all the time and will then stagnate at 0 and\ntherefore never be able to reduce the table even more.\n\nThere are other scenarios possible with a similar result. The number of\nBATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too\nhigh to fit inside a packet. Such a scenario can therefore happen also with\nonly a single VLAN + 7 non-purgable addresses - requiring at least 120\nbytes.\n\nWhile this should be handled proactively when:\n\n* interface with too low MTU is added\n* VLAN is added\n* non-purgeable local mac is added\n* MTU of an attached interface is reduced\n* fragmentation setting gets disabled (which most likely requires dropping\n attached interfaces)\n\nnot all of these scenarios can be prevented because batman-adv is only\nconsuming events without the the possibility to prevent these actions\n(non-purgable MAC address added, MTU of an attached interface is reduced).\nIt is therefore necessary to also make sure that the code is able to handle\nalso the situations when there were already incompatible system\nconfiguration are present.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35982"
},
{
"id": "CVE-2024-35984",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: smbus: fix NULL function pointer dereference\n\nBaruch reported an OOPS when using the designware controller as target\nonly. Target-only modes break the assumption of one transfer function\nalways being available. Fix this by always checking the pointer in\n__i2c_transfer.\n\n[wsa: dropped the simplification in core-smbus to avoid theoretical regressions]",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35984"
},
{
"id": "CVE-2024-35990",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma: xilinx_dpdma: Fix locking\n\nThere are several places where either chan->lock or chan->vchan.lock was\nnot held. Add appropriate locking. This fixes lockdep warnings like\n\n[ 31.077578] ------------[ cut here ]------------\n[ 31.077831] WARNING: CPU: 2 PID: 40 at drivers/dma/xilinx/xilinx_dpdma.c:834 xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.077953] Modules linked in:\n[ 31.078019] CPU: 2 PID: 40 Comm: kworker/u12:1 Not tainted 6.6.20+ #98\n[ 31.078102] Hardware name: xlnx,zynqmp (DT)\n[ 31.078169] Workqueue: events_unbound deferred_probe_work_func\n[ 31.078272] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 31.078377] pc : xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.078473] lr : xilinx_dpdma_chan_queue_transfer+0x270/0x5e0\n[ 31.078550] sp : ffffffc083bb2e10\n[ 31.078590] x29: ffffffc083bb2e10 x28: 0000000000000000 x27: ffffff880165a168\n[ 31.078754] x26: ffffff880164e920 x25: ffffff880164eab8 x24: ffffff880164d480\n[ 31.078920] x23: ffffff880165a148 x22: ffffff880164e988 x21: 0000000000000000\n[ 31.079132] x20: ffffffc082aa3000 x19: ffffff880164e880 x18: 0000000000000000\n[ 31.079295] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[ 31.079453] x14: 0000000000000000 x13: ffffff8802263dc0 x12: 0000000000000001\n[ 31.079613] x11: 0001ffc083bb2e34 x10: 0001ff880164e98f x9 : 0001ffc082aa3def\n[ 31.079824] x8 : 0001ffc082aa3dec x7 : 0000000000000000 x6 : 0000000000000516\n[ 31.079982] x5 : ffffffc7f8d43000 x4 : ffffff88003c9c40 x3 : ffffffffffffffff\n[ 31.080147] x2 : ffffffc7f8d43000 x1 : 00000000000000c0 x0 : 0000000000000000\n[ 31.080307] Call trace:\n[ 31.080340] xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.080518] xilinx_dpdma_issue_pending+0x11c/0x120\n[ 31.080595] zynqmp_disp_layer_update+0x180/0x3ac\n[ 31.080712] zynqmp_dpsub_plane_atomic_update+0x11c/0x21c\n[ 31.080825] drm_atomic_helper_commit_planes+0x20c/0x684\n[ 31.080951] drm_atomic_helper_commit_tail+0x5c/0xb0\n[ 31.081139] commit_tail+0x234/0x294\n[ 31.081246] drm_atomic_helper_commit+0x1f8/0x210\n[ 31.081363] drm_atomic_commit+0x100/0x140\n[ 31.081477] drm_client_modeset_commit_atomic+0x318/0x384\n[ 31.081634] drm_client_modeset_commit_locked+0x8c/0x24c\n[ 31.081725] drm_client_modeset_commit+0x34/0x5c\n[ 31.081812] __drm_fb_helper_restore_fbdev_mode_unlocked+0x104/0x168\n[ 31.081899] drm_fb_helper_set_par+0x50/0x70\n[ 31.081971] fbcon_init+0x538/0xc48\n[ 31.082047] visual_init+0x16c/0x23c\n[ 31.082207] do_bind_con_driver.isra.0+0x2d0/0x634\n[ 31.082320] do_take_over_console+0x24c/0x33c\n[ 31.082429] do_fbcon_takeover+0xbc/0x1b0\n[ 31.082503] fbcon_fb_registered+0x2d0/0x34c\n[ 31.082663] register_framebuffer+0x27c/0x38c\n[ 31.082767] __drm_fb_helper_initial_config_and_unlock+0x5c0/0x91c\n[ 31.082939] drm_fb_helper_initial_config+0x50/0x74\n[ 31.083012] drm_fbdev_dma_client_hotplug+0xb8/0x108\n[ 31.083115] drm_client_register+0xa0/0xf4\n[ 31.083195] drm_fbdev_dma_setup+0xb0/0x1cc\n[ 31.083293] zynqmp_dpsub_drm_init+0x45c/0x4e0\n[ 31.083431] zynqmp_dpsub_probe+0x444/0x5e0\n[ 31.083616] platform_probe+0x8c/0x13c\n[ 31.083713] really_probe+0x258/0x59c\n[ 31.083793] __driver_probe_device+0xc4/0x224\n[ 31.083878] driver_probe_device+0x70/0x1c0\n[ 31.083961] __device_attach_driver+0x108/0x1e0\n[ 31.084052] bus_for_each_drv+0x9c/0x100\n[ 31.084125] __device_attach+0x100/0x298\n[ 31.084207] device_initial_probe+0x14/0x20\n[ 31.084292] bus_probe_device+0xd8/0xdc\n[ 31.084368] deferred_probe_work_func+0x11c/0x180\n[ 31.084451] process_one_work+0x3ac/0x988\n[ 31.084643] worker_thread+0x398/0x694\n[ 31.084752] kthread+0x1bc/0x1c0\n[ 31.084848] ret_from_fork+0x10/0x20\n[ 31.084932] irq event stamp: 64549\n[ 31.084970] hardirqs last enabled at (64548): [] _raw_spin_unlock_irqrestore+0x80/0x90\n[ 31.085157]\n---truncated---",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35990"
},
{
"id": "CVE-2024-35992",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: marvell: a3700-comphy: Fix out of bounds read\n\nThere is an out of bounds read access of 'gbe_phy_init_fix[fix_idx].addr'\nevery iteration after 'fix_idx' reaches 'ARRAY_SIZE(gbe_phy_init_fix)'.\n\nMake sure 'gbe_phy_init[addr]' is used when all elements of\n'gbe_phy_init_fix' array are handled.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35992"
},
{
"id": "CVE-2024-35997",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up\n\nThe flag I2C_HID_READ_PENDING is used to serialize I2C operations.\nHowever, this is not necessary, because I2C core already has its own\nlocking for that.\n\nMore importantly, this flag can cause a lock-up: if the flag is set in\ni2c_hid_xfer() and an interrupt happens, the interrupt handler\n(i2c_hid_irq) will check this flag and return immediately without doing\nanything, then the interrupt handler will be invoked again in an\ninfinite loop.\n\nSince interrupt handler is an RT task, it takes over the CPU and the\nflag-clearing task never gets scheduled, thus we have a lock-up.\n\nDelete this unnecessary flag.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35997"
},
{
"id": "CVE-2024-36008",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: check for NULL idev in ip_route_use_hint()\n\nsyzbot was able to trigger a NULL deref in fib_validate_source()\nin an old tree [1].\n\nIt appears the bug exists in latest trees.\n\nAll calls to __in_dev_get_rcu() must be checked for a NULL result.\n\n[1]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425\nCode: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf\nRSP: 0018:ffffc900015fee40 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0\nRDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0\nRBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000\nR10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000\nFS: 00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231\n ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327\n ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]\n ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638\n ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673\n __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]\n __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620\n __netif_receive_skb_list net/core/dev.c:5672 [inline]\n netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764\n netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816\n xdp_recv_frames net/bpf/test_run.c:257 [inline]\n xdp_test_run_batch net/bpf/test_run.c:335 [inline]\n bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363\n bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376\n bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736\n __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115\n __do_sys_bpf kernel/bpf/syscall.c:5201 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5199 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36008"
},
{
"id": "CVE-2024-36023",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nJulia Lawall reported this null pointer dereference, this should fix it.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36023"
},
{
"id": "CVE-2024-36288",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix loop termination condition in gss_free_in_token_pages()\n\nThe in_token->pages[] array is not NULL terminated. This results in\nthe following KASAN splat:\n\n KASAN: maybe wild-memory-access in range [0x04a2013400000008-0x04a201340000000f]",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36288"
},
{
"id": "CVE-2024-36477",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer\n\nThe TPM SPI transfer mechanism uses MAX_SPI_FRAMESIZE for computing the\nmaximum transfer length and the size of the transfer buffer. As such, it\ndoes not account for the 4 bytes of header that prepends the SPI data\nframe. This can result in out-of-bounds accesses and was confirmed with\nKASAN.\n\nIntroduce SPI_HDRSIZE to account for the header and use to allocate the\ntransfer buffer.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36477"
},
{
"id": "CVE-2024-36481",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/probes: fix error check in parse_btf_field()\n\nbtf_find_struct_member() might return NULL or an error via the\nERR_PTR() macro. However, its caller in parse_btf_field() only checks\nfor the NULL condition. Fix this by using IS_ERR() and returning the\nerror up the stack.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36481"
},
{
"id": "CVE-2024-36884",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: Use the correct type in nvidia_smmu_context_fault()\n\nThis was missed because of the function pointer indirection.\n\nnvidia_smmu_context_fault() is also installed as a irq function, and the\n'void *' was changed to a struct arm_smmu_domain. Since the iommu_domain\nis embedded at a non-zero offset this causes nvidia_smmu_context_fault()\nto miscompute the offset. Fixup the types.\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000120\n Mem abort info:\n ESR = 0x0000000096000004\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=0000000107c9f000\n [0000000000000120] pgd=0000000000000000, p4d=0000000000000000\n Internal error: Oops: 0000000096000004 [#1] SMP\n Modules linked in:\n CPU: 1 PID: 47 Comm: kworker/u25:0 Not tainted 6.9.0-0.rc7.58.eln136.aarch64 #1\n Hardware name: Unknown NVIDIA Jetson Orin NX/NVIDIA Jetson Orin NX, BIOS 3.1-32827747 03/19/2023\n Workqueue: events_unbound deferred_probe_work_func\n pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : nvidia_smmu_context_fault+0x1c/0x158\n lr : __free_irq+0x1d4/0x2e8\n sp : ffff80008044b6f0\n x29: ffff80008044b6f0 x28: ffff000080a60b18 x27: ffffd32b5172e970\n x26: 0000000000000000 x25: ffff0000802f5aac x24: ffff0000802f5a30\n x23: ffff0000802f5b60 x22: 0000000000000057 x21: 0000000000000000\n x20: ffff0000802f5a00 x19: ffff000087d4cd80 x18: ffffffffffffffff\n x17: 6234362066666666 x16: 6630303078302d30 x15: ffff00008156d888\n x14: 0000000000000000 x13: ffff0000801db910 x12: ffff00008156d6d0\n x11: 0000000000000003 x10: ffff0000801db918 x9 : ffffd32b50f94d9c\n x8 : 1fffe0001032fda1 x7 : ffff00008197ed00 x6 : 000000000000000f\n x5 : 000000000000010e x4 : 000000000000010e x3 : 0000000000000000\n x2 : ffffd32b51720cd8 x1 : ffff000087e6f700 x0 : 0000000000000057\n Call trace:\n nvidia_smmu_context_fault+0x1c/0x158\n __free_irq+0x1d4/0x2e8\n free_irq+0x3c/0x80\n devm_free_irq+0x64/0xa8\n arm_smmu_domain_free+0xc4/0x158\n iommu_domain_free+0x44/0xa0\n iommu_deinit_device+0xd0/0xf8\n __iommu_group_remove_device+0xcc/0xe0\n iommu_bus_notifier+0x64/0xa8\n notifier_call_chain+0x78/0x148\n blocking_notifier_call_chain+0x4c/0x90\n bus_notify+0x44/0x70\n device_del+0x264/0x3e8\n pci_remove_bus_device+0x84/0x120\n pci_remove_root_bus+0x5c/0xc0\n dw_pcie_host_deinit+0x38/0xe0\n tegra_pcie_config_rp+0xc0/0x1f0\n tegra_pcie_dw_probe+0x34c/0x700\n platform_probe+0x70/0xe8\n really_probe+0xc8/0x3a0\n __driver_probe_device+0x84/0x160\n driver_probe_device+0x44/0x130\n __device_attach_driver+0xc4/0x170\n bus_for_each_drv+0x90/0x100\n __device_attach+0xa8/0x1c8\n device_initial_probe+0x1c/0x30\n bus_probe_device+0xb0/0xc0\n deferred_probe_work_func+0xbc/0x120\n process_one_work+0x194/0x490\n worker_thread+0x284/0x3b0\n kthread+0xf4/0x108\n ret_from_fork+0x10/0x20\n Code: a9b97bfd 910003fd a9025bf5 f85a0035 (b94122a1)",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36884"
},
{
"id": "CVE-2024-36891",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmaple_tree: fix mas_empty_area_rev() null pointer dereference\n\nCurrently the code calls mas_start() followed by mas_data_end() if the\nmaple state is MA_START, but mas_start() may return with the maple state\nnode == NULL. This will lead to a null pointer dereference when checking\ninformation in the NULL node, which is done in mas_data_end().\n\nAvoid setting the offset if there is no node by waiting until after the\nmaple state is checked for an empty or single entry state.\n\nA user could trigger the events to cause a kernel oops by unmapping all\nvmas to produce an empty maple tree, then mapping a vma that would cause\nthe scenario described above.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36891"
},
{
"id": "CVE-2024-36893",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: Check for port partner validity before consuming it\n\ntypec_register_partner() does not guarantee partner registration\nto always succeed. In the event of failure, port->partner is set\nto the error value or NULL. Given that port->partner validity is\nnot checked, this results in the following crash:\n\nUnable to handle kernel NULL pointer dereference at virtual address xx\n pc : run_state_machine+0x1bc8/0x1c08\n lr : run_state_machine+0x1b90/0x1c08\n..\n Call trace:\n run_state_machine+0x1bc8/0x1c08\n tcpm_state_machine_work+0x94/0xe4\n kthread_worker_fn+0x118/0x328\n kthread+0x1d0/0x23c\n ret_from_fork+0x10/0x20\n\nTo prevent the crash, check for port->partner validity before\nderefencing it in all the call sites.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36893"
},
{
"id": "CVE-2024-36897",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Atom Integrated System Info v2_2 for DCN35\n\nNew request from KMD/VBIOS in order to support new UMA carveout\nmodel. This fixes a null dereference from accessing\nCtx->dc_bios->integrated_info while it was NULL.\n\nDAL parses through the BIOS and extracts the necessary\nintegrated_info but was missing a case for the new BIOS\nversion 2.3.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36897"
},
{
"id": "CVE-2024-36901",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent NULL dereference in ip6_output()\n\nAccording to syzbot, there is a chance that ip6_dst_idev()\nreturns NULL in ip6_output(). Most places in IPv6 stack\ndeal with a NULL idev just fine, but not here.\n\nsyzbot reported:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\nCPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237\nCode: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff\nRSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000\nRDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48\nRBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad\nR10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0\nR13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000\nFS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358\n sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248\n sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653\n sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783\n sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]\n sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212\n sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\n sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169\n sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73\n __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234\n sctp_connect net/sctp/socket.c:4819 [inline]\n sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n __sys_connect_file net/socket.c:2048 [inline]\n __sys_connect+0x2df/0x310 net/socket.c:2065\n __do_sys_connect net/socket.c:2075 [inline]\n __se_sys_connect net/socket.c:2072 [inline]\n __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36901"
},
{
"id": "CVE-2024-36902",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()\n\nsyzbot is able to trigger the following crash [1],\ncaused by unsafe ip6_dst_idev() use.\n\nIndeed ip6_dst_idev() can return NULL, and must always be checked.\n\n[1]\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline]\n RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267\nCode: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c\nRSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700\nRDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760\nRBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd\nR10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000\nR13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00\nFS: 00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317\n fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108\n ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline]\n ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649\n ip6_route_output include/net/ip6_route.h:93 [inline]\n ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120\n ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250\n sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326\n sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455\n sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662\n sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099\n __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197\n sctp_connect net/sctp/socket.c:4819 [inline]\n sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n __sys_connect_file net/socket.c:2048 [inline]\n __sys_connect+0x2df/0x310 net/socket.c:2065\n __do_sys_connect net/socket.c:2075 [inline]\n __se_sys_connect net/socket.c:2072 [inline]\n __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36902"
},
{
"id": "CVE-2024-36925",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nswiotlb: initialise restricted pool list_head when SWIOTLB_DYNAMIC=y\n\nUsing restricted DMA pools (CONFIG_DMA_RESTRICTED_POOL=y) in conjunction\nwith dynamic SWIOTLB (CONFIG_SWIOTLB_DYNAMIC=y) leads to the following\ncrash when initialising the restricted pools at boot-time:\n\n | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n | Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n | pc : rmem_swiotlb_device_init+0xfc/0x1ec\n | lr : rmem_swiotlb_device_init+0xf0/0x1ec\n | Call trace:\n | rmem_swiotlb_device_init+0xfc/0x1ec\n | of_reserved_mem_device_init_by_idx+0x18c/0x238\n | of_dma_configure_id+0x31c/0x33c\n | platform_dma_configure+0x34/0x80\n\nfaddr2line reveals that the crash is in the list validation code:\n\n include/linux/list.h:83\n include/linux/rculist.h:79\n include/linux/rculist.h:106\n kernel/dma/swiotlb.c:306\n kernel/dma/swiotlb.c:1695\n\nbecause add_mem_pool() is trying to list_add_rcu() to a NULL\n'mem->pools'.\n\nFix the crash by initialising the 'mem->pools' list_head in\nrmem_swiotlb_device_init() before calling add_mem_pool().",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36925"
},
{
"id": "CVE-2024-36926",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: LPAR panics during boot up with a frozen PE\n\nAt the time of LPAR boot up, partition firmware provides Open Firmware\nproperty ibm,dma-window for the PE. This property is provided on the PCI\nbus the PE is attached to.\n\nThere are execptions where the partition firmware might not provide this\nproperty for the PE at the time of LPAR boot up. One of the scenario is\nwhere the firmware has frozen the PE due to some error condition. This\nPE is frozen for 24 hours or unless the whole system is reinitialized.\n\nWithin this time frame, if the LPAR is booted, the frozen PE will be\npresented to the LPAR but ibm,dma-window property could be missing.\n\nToday, under these circumstances, the LPAR oopses with NULL pointer\ndereference, when configuring the PCI bus the PE is attached to.\n\n BUG: Kernel NULL pointer dereference on read at 0x000000c8\n Faulting instruction address: 0xc0000000001024c0\n Oops: Kernel access of bad area, sig: 7 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n Modules linked in:\n Supported: Yes\n CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.4.0-150600.9-default #1\n Hardware name: IBM,9043-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_023) hv:phyp pSeries\n NIP: c0000000001024c0 LR: c0000000001024b0 CTR: c000000000102450\n REGS: c0000000037db5c0 TRAP: 0300 Not tainted (6.4.0-150600.9-default)\n MSR: 8000000002009033 CR: 28000822 XER: 00000000\n CFAR: c00000000010254c DAR: 00000000000000c8 DSISR: 00080000 IRQMASK: 0\n ...\n NIP [c0000000001024c0] pci_dma_bus_setup_pSeriesLP+0x70/0x2a0\n LR [c0000000001024b0] pci_dma_bus_setup_pSeriesLP+0x60/0x2a0\n Call Trace:\n pci_dma_bus_setup_pSeriesLP+0x60/0x2a0 (unreliable)\n pcibios_setup_bus_self+0x1c0/0x370\n __of_scan_bus+0x2f8/0x330\n pcibios_scan_phb+0x280/0x3d0\n pcibios_init+0x88/0x12c\n do_one_initcall+0x60/0x320\n kernel_init_freeable+0x344/0x3e4\n kernel_init+0x34/0x1d0\n ret_from_kernel_user_thread+0x14/0x1c",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36926"
},
{
"id": "CVE-2024-36930",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix null pointer dereference within spi_sync\n\nIf spi_sync() is called with the non-empty queue and the same spi_message\nis then reused, the complete callback for the message remains set while\nthe context is cleared, leading to a null pointer dereference when the\ncallback is invoked from spi_finalize_current_message().\n\nWith function inlining disabled, the call stack might look like this:\n\n _raw_spin_lock_irqsave from complete_with_flags+0x18/0x58\n complete_with_flags from spi_complete+0x8/0xc\n spi_complete from spi_finalize_current_message+0xec/0x184\n spi_finalize_current_message from spi_transfer_one_message+0x2a8/0x474\n spi_transfer_one_message from __spi_pump_transfer_message+0x104/0x230\n __spi_pump_transfer_message from __spi_transfer_message_noqueue+0x30/0xc4\n __spi_transfer_message_noqueue from __spi_sync+0x204/0x248\n __spi_sync from spi_sync+0x24/0x3c\n spi_sync from mcp251xfd_regmap_crc_read+0x124/0x28c [mcp251xfd]\n mcp251xfd_regmap_crc_read [mcp251xfd] from _regmap_raw_read+0xf8/0x154\n _regmap_raw_read from _regmap_bus_read+0x44/0x70\n _regmap_bus_read from _regmap_read+0x60/0xd8\n _regmap_read from regmap_read+0x3c/0x5c\n regmap_read from mcp251xfd_alloc_can_err_skb+0x1c/0x54 [mcp251xfd]\n mcp251xfd_alloc_can_err_skb [mcp251xfd] from mcp251xfd_irq+0x194/0xe70 [mcp251xfd]\n mcp251xfd_irq [mcp251xfd] from irq_thread_fn+0x1c/0x78\n irq_thread_fn from irq_thread+0x118/0x1f4\n irq_thread from kthread+0xd8/0xf4\n kthread from ret_from_fork+0x14/0x28\n\nFix this by also setting message->complete to NULL when the transfer is\ncomplete.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36930"
},
{
"id": "CVE-2024-36932",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/debugfs: Prevent use-after-free from occurring after cdev removal\n\nSince thermal_debug_cdev_remove() does not run under cdev->lock, it can\nrun in parallel with thermal_debug_cdev_state_update() and it may free\nthe struct thermal_debugfs object used by the latter after it has been\nchecked against NULL.\n\nIf that happens, thermal_debug_cdev_state_update() will access memory\nthat has been freed already causing the kernel to crash.\n\nAddress this by using cdev->lock in thermal_debug_cdev_remove() around\nthe cdev->debugfs value check (in case the same cdev is removed at the\nsame time in two different threads) and its reset to NULL.\n\nCc :6.8+ # 6.8+",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36932"
},
{
"id": "CVE-2024-36938",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue\n\nFix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which\nsyzbot reported [1].\n\n[1]\nBUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue\n\nwrite to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:\n sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]\n sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843\n sk_psock_put include/linux/skmsg.h:459 [inline]\n sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648\n unix_release+0x4b/0x80 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0x68/0x150 net/socket.c:1421\n __fput+0x2c1/0x660 fs/file_table.c:422\n __fput_sync+0x44/0x60 fs/file_table.c:507\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close+0x101/0x1b0 fs/open.c:1541\n __x64_sys_close+0x1f/0x30 fs/open.c:1541\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nread to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:\n sk_psock_data_ready include/linux/skmsg.h:464 [inline]\n sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555\n sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606\n sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]\n sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202\n unix_read_skb net/unix/af_unix.c:2546 [inline]\n unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682\n sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223\n unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x140/0x180 net/socket.c:745\n ____sys_sendmsg+0x312/0x410 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x1e9/0x280 net/socket.c:2667\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nvalue changed: 0xffffffff83d7feb0 -> 0x0000000000000000\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\n\nPrior to this, commit 4cd12c6065df (\"bpf, sockmap: Fix NULL pointer\ndereference in sk_psock_verdict_data_ready()\") fixed one NULL pointer\nsimilarly due to no protection of saved_data_ready. Here is another\ndifferent caller causing the same issue because of the same reason. So\nwe should protect it with sk_callback_lock read lock because the writer\nside in the sk_psock_drop() uses \"write_lock_bh(&sk->sk_callback_lock);\".\n\nTo avoid errors that could happen in future, I move those two pairs of\nlock into the sk_psock_data_ready(), which is suggested by John Fastabend.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36938"
},
{
"id": "CVE-2024-36971",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix __dst_negative_advice() race\n\n__dst_negative_advice() does not enforce proper RCU rules when\nsk->dst_cache must be cleared, leading to possible UAF.\n\nRCU rules are that we must first clear sk->sk_dst_cache,\nthen call dst_release(old_dst).\n\nNote that sk_dst_reset(sk) is implementing this protocol correctly,\nwhile __dst_negative_advice() uses the wrong order.\n\nGiven that ip6_negative_advice() has special logic\nagainst RTF_CACHE, this means each of the three ->negative_advice()\nexisting methods must perform the sk_dst_reset() themselves.\n\nNote the check against NULL dst is centralized in\n__dst_negative_advice(), there is no need to duplicate\nit in various callbacks.\n\nMany thanks to Clement Lecigne for tracking this issue.\n\nThis old bug became visible after the blamed commit, using UDP sockets.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36971"
},
{
"id": "CVE-2024-38662",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Allow delete from sockmap/sockhash only if update is allowed\n\nWe have seen an influx of syzkaller reports where a BPF program attached to\na tracepoint triggers a locking rule violation by performing a map_delete\non a sockmap/sockhash.\n\nWe don't intend to support this artificial use scenario. Extend the\nexisting verifier allowed-program-type check for updating sockmap/sockhash\nto also cover deleting from a map.\n\nFrom now on only BPF programs which were previously allowed to update\nsockmap/sockhash can delete from these map types.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38662"
},
{
"id": "CVE-2024-38664",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: zynqmp_dpsub: Always register bridge\n\nWe must always register the DRM bridge, since zynqmp_dp_hpd_work_func\ncalls drm_bridge_hpd_notify, which in turn expects hpd_mutex to be\ninitialized. We do this before zynqmp_dpsub_drm_init since that calls\ndrm_bridge_attach. This fixes the following lockdep warning:\n\n[ 19.217084] ------------[ cut here ]------------\n[ 19.227530] DEBUG_LOCKS_WARN_ON(lock->magic != lock)\n[ 19.227768] WARNING: CPU: 0 PID: 140 at kernel/locking/mutex.c:582 __mutex_lock+0x4bc/0x550\n[ 19.241696] Modules linked in:\n[ 19.244937] CPU: 0 PID: 140 Comm: kworker/0:4 Not tainted 6.6.20+ #96\n[ 19.252046] Hardware name: xlnx,zynqmp (DT)\n[ 19.256421] Workqueue: events zynqmp_dp_hpd_work_func\n[ 19.261795] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 19.269104] pc : __mutex_lock+0x4bc/0x550\n[ 19.273364] lr : __mutex_lock+0x4bc/0x550\n[ 19.277592] sp : ffffffc085c5bbe0\n[ 19.281066] x29: ffffffc085c5bbe0 x28: 0000000000000000 x27: ffffff88009417f8\n[ 19.288624] x26: ffffff8800941788 x25: ffffff8800020008 x24: ffffffc082aa3000\n[ 19.296227] x23: ffffffc080d90e3c x22: 0000000000000002 x21: 0000000000000000\n[ 19.303744] x20: 0000000000000000 x19: ffffff88002f5210 x18: 0000000000000000\n[ 19.311295] x17: 6c707369642e3030 x16: 3030613464662072 x15: 0720072007200720\n[ 19.318922] x14: 0000000000000000 x13: 284e4f5f4e524157 x12: 0000000000000001\n[ 19.326442] x11: 0001ffc085c5b940 x10: 0001ff88003f388b x9 : 0001ff88003f3888\n[ 19.334003] x8 : 0001ff88003f3888 x7 : 0000000000000000 x6 : 0000000000000000\n[ 19.341537] x5 : 0000000000000000 x4 : 0000000000001668 x3 : 0000000000000000\n[ 19.349054] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff88003f3880\n[ 19.356581] Call trace:\n[ 19.359160] __mutex_lock+0x4bc/0x550\n[ 19.363032] mutex_lock_nested+0x24/0x30\n[ 19.367187] drm_bridge_hpd_notify+0x2c/0x6c\n[ 19.371698] zynqmp_dp_hpd_work_func+0x44/0x54\n[ 19.376364] process_one_work+0x3ac/0x988\n[ 19.380660] worker_thread+0x398/0x694\n[ 19.384736] kthread+0x1bc/0x1c0\n[ 19.388241] ret_from_fork+0x10/0x20\n[ 19.392031] irq event stamp: 183\n[ 19.395450] hardirqs last enabled at (183): [] finish_task_switch.isra.0+0xa8/0x2d4\n[ 19.405140] hardirqs last disabled at (182): [] __schedule+0x714/0xd04\n[ 19.413612] softirqs last enabled at (114): [] srcu_invoke_callbacks+0x158/0x23c\n[ 19.423128] softirqs last disabled at (110): [] srcu_invoke_callbacks+0x158/0x23c\n[ 19.432614] ---[ end trace 0000000000000000 ]---\n\n(cherry picked from commit 61ba791c4a7a09a370c45b70a81b8c7d4cf6b2ae)",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38664"
},
{
"id": "CVE-2024-38667",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: prevent pt_regs corruption for secondary idle threads\n\nTop of the kernel thread stack should be reserved for pt_regs. However\nthis is not the case for the idle threads of the secondary boot harts.\nTheir stacks overlap with their pt_regs, so both may get corrupted.\n\nSimilar issue has been fixed for the primary hart, see c7cdd96eca28\n(\"riscv: prevent stack corruption by reserving task_pt_regs(p) early\").\nHowever that fix was not propagated to the secondary harts. The problem\nhas been noticed in some CPU hotplug tests with V enabled. The function\nsmp_callin stored several registers on stack, corrupting top of pt_regs\nstructure including status field. As a result, kernel attempted to save\nor restore inexistent V context.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38667"
},
{
"id": "CVE-2024-38780",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf/sw-sync: don't enable IRQ from sync_print_obj()\n\nSince commit a6aa8fca4d79 (\"dma-buf/sw-sync: Reduce irqsave/irqrestore from\nknown context\") by error replaced spin_unlock_irqrestore() with\nspin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite\nsync_print_obj() is called from sync_debugfs_show(), lockdep complains\ninconsistent lock state warning.\n\nUse plain spin_{lock,unlock}() for sync_print_obj(), for\nsync_debugfs_show() is already using spin_{lock,unlock}_irq().",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38780"
},
{
"id": "CVE-2024-39277",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-mapping: benchmark: handle NUMA_NO_NODE correctly\n\ncpumask_of_node() can be called for NUMA_NO_NODE inside do_map_benchmark()\nresulting in the following sanitizer report:\n\nUBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28\nindex -1 is out of range for type 'cpumask [64][1]'\nCPU: 1 PID: 990 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #29\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n \ndump_stack_lvl (lib/dump_stack.c:117)\nubsan_epilogue (lib/ubsan.c:232)\n__ubsan_handle_out_of_bounds (lib/ubsan.c:429)\ncpumask_of_node (arch/x86/include/asm/topology.h:72) [inline]\ndo_map_benchmark (kernel/dma/map_benchmark.c:104)\nmap_benchmark_ioctl (kernel/dma/map_benchmark.c:246)\nfull_proxy_unlocked_ioctl (fs/debugfs/file.c:333)\n__x64_sys_ioctl (fs/ioctl.c:890)\ndo_syscall_64 (arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nUse cpumask_of_node() in place when binding a kernel thread to a cpuset\nof a particular node.\n\nNote that the provided node id is checked inside map_benchmark_ioctl().\nIt's just a NUMA_NO_NODE case which is not handled properly later.\n\nFound by Linux Verification Center (linuxtesting.org).",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39277"
},
{
"id": "CVE-2024-39291",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix buffer size in gfx_v9_4_3_init_ cp_compute_microcode() and rlc_microcode()\n\nThe function gfx_v9_4_3_init_microcode in gfx_v9_4_3.c was generating\nabout potential truncation of output when using the snprintf function.\nThe issue was due to the size of the buffer 'ucode_prefix' being too\nsmall to accommodate the maximum possible length of the string being\nwritten into it.\n\nThe string being written is \"amdgpu/%s_mec.bin\" or \"amdgpu/%s_rlc.bin\",\nwhere %s is replaced by the value of 'chip_name'. The length of this\nstring without the %s is 16 characters. The warning message indicated\nthat 'chip_name' could be up to 29 characters long, resulting in a total\nof 45 characters, which exceeds the buffer size of 30 characters.\n\nTo resolve this issue, the size of the 'ucode_prefix' buffer has been\nreduced from 30 to 15. This ensures that the maximum possible length of\nthe string being written into the buffer will not exceed its size, thus\npreventing potential buffer overflow and truncation issues.\n\nFixes the below with gcc W=1:\ndrivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c: In function \u2018gfx_v9_4_3_early_init\u2019:\ndrivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:52: warning: \u2018%s\u2019 directive output may be truncated writing up to 29 bytes into a region of size 23 [-Wformat-truncation=]\n 379 | snprintf(fw_name, sizeof(fw_name), \"amdgpu/%s_rlc.bin\", chip_name);\n | ^~\n......\n 439 | r = gfx_v9_4_3_init_rlc_microcode(adev, ucode_prefix);\n | ~~~~~~~~~~~~\ndrivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:9: note: \u2018snprintf\u2019 output between 16 and 45 bytes into a destination of size 30\n 379 | snprintf(fw_name, sizeof(fw_name), \"amdgpu/%s_rlc.bin\", chip_name);\n | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\ndrivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:52: warning: \u2018%s\u2019 directive output may be truncated writing up to 29 bytes into a region of size 23 [-Wformat-truncation=]\n 413 | snprintf(fw_name, sizeof(fw_name), \"amdgpu/%s_mec.bin\", chip_name);\n | ^~\n......\n 443 | r = gfx_v9_4_3_init_cp_compute_microcode(adev, ucode_prefix);\n | ~~~~~~~~~~~~\ndrivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:9: note: \u2018snprintf\u2019 output between 16 and 45 bytes into a destination of size 30\n 413 | snprintf(fw_name, sizeof(fw_name), \"amdgpu/%s_mec.bin\", chip_name);\n | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39291"
},
{
"id": "CVE-2024-39292",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\num: Add winch to winch_handlers before registering winch IRQ\n\nRegistering a winch IRQ is racy, an interrupt may occur before the winch is\nadded to the winch_handlers list.\n\nIf that happens, register_winch_irq() adds to that list a winch that is\nscheduled to be (or has already been) freed, causing a panic later in\nwinch_cleanup().\n\nAvoid the race by adding the winch to the winch_handlers list before\nregistering the IRQ, and rolling back if um_request_irq() fails.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39292"
},
{
"id": "CVE-2024-39472",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix log recovery buffer allocation for the legacy h_size fixup\n\nCommit a70f9fe52daa (\"xfs: detect and handle invalid iclog size set by\nmkfs\") added a fixup for incorrect h_size values used for the initial\numount record in old xfsprogs versions. Later commit 0c771b99d6c9\n(\"xfs: clean up calculation of LR header blocks\") cleaned up the log\nreover buffer calculation, but stoped using the fixed up h_size value\nto size the log recovery buffer, which can lead to an out of bounds\naccess when the incorrect h_size does not come from the old mkfs\ntool, but a fuzzer.\n\nFix this by open coding xlog_logrec_hblks and taking the fixed h_size\ninto account for this calculation.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39472"
},
{
"id": "CVE-2024-39473",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc4-topology: Fix input format query of process modules without base extension\n\nIf a process module does not have base config extension then the same\nformat applies to all of it's inputs and the process->base_config_ext is\nNULL, causing NULL dereference when specifically crafted topology and\nsequences used.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39473"
},
{
"id": "CVE-2024-39474",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL\n\ncommit a421ef303008 (\"mm: allow !GFP_KERNEL allocations for kvmalloc\")\nincludes support for __GFP_NOFAIL, but it presents a conflict with commit\ndd544141b9eb (\"vmalloc: back off when the current task is OOM-killed\"). A\npossible scenario is as follows:\n\nprocess-a\n__vmalloc_node_range(GFP_KERNEL | __GFP_NOFAIL)\n __vmalloc_area_node()\n vm_area_alloc_pages()\n\t\t--> oom-killer send SIGKILL to process-a\n if (fatal_signal_pending(current)) break;\n--> return NULL;\n\nTo fix this, do not check fatal_signal_pending() in vm_area_alloc_pages()\nif __GFP_NOFAIL set.\n\nThis issue occurred during OPLUS KASAN TEST. Below is part of the log\n-> oom-killer sends signal to process\n[65731.222840] [ T1308] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/apps/uid_10198,task=gs.intelligence,pid=32454,uid=10198\n\n[65731.259685] [T32454] Call trace:\n[65731.259698] [T32454] dump_backtrace+0xf4/0x118\n[65731.259734] [T32454] show_stack+0x18/0x24\n[65731.259756] [T32454] dump_stack_lvl+0x60/0x7c\n[65731.259781] [T32454] dump_stack+0x18/0x38\n[65731.259800] [T32454] mrdump_common_die+0x250/0x39c [mrdump]\n[65731.259936] [T32454] ipanic_die+0x20/0x34 [mrdump]\n[65731.260019] [T32454] atomic_notifier_call_chain+0xb4/0xfc\n[65731.260047] [T32454] notify_die+0x114/0x198\n[65731.260073] [T32454] die+0xf4/0x5b4\n[65731.260098] [T32454] die_kernel_fault+0x80/0x98\n[65731.260124] [T32454] __do_kernel_fault+0x160/0x2a8\n[65731.260146] [T32454] do_bad_area+0x68/0x148\n[65731.260174] [T32454] do_mem_abort+0x151c/0x1b34\n[65731.260204] [T32454] el1_abort+0x3c/0x5c\n[65731.260227] [T32454] el1h_64_sync_handler+0x54/0x90\n[65731.260248] [T32454] el1h_64_sync+0x68/0x6c\n\n[65731.260269] [T32454] z_erofs_decompress_queue+0x7f0/0x2258\n--> be->decompressed_pages = kvcalloc(be->nr_pages, sizeof(struct page *), GFP_KERNEL | __GFP_NOFAIL);\n\tkernel panic by NULL pointer dereference.\n\terofs assume kvmalloc with __GFP_NOFAIL never return NULL.\n[65731.260293] [T32454] z_erofs_runqueue+0xf30/0x104c\n[65731.260314] [T32454] z_erofs_readahead+0x4f0/0x968\n[65731.260339] [T32454] read_pages+0x170/0xadc\n[65731.260364] [T32454] page_cache_ra_unbounded+0x874/0xf30\n[65731.260388] [T32454] page_cache_ra_order+0x24c/0x714\n[65731.260411] [T32454] filemap_fault+0xbf0/0x1a74\n[65731.260437] [T32454] __do_fault+0xd0/0x33c\n[65731.260462] [T32454] handle_mm_fault+0xf74/0x3fe0\n[65731.260486] [T32454] do_mem_abort+0x54c/0x1b34\n[65731.260509] [T32454] el0_da+0x44/0x94\n[65731.260531] [T32454] el0t_64_sync_handler+0x98/0xb4\n[65731.260553] [T32454] el0t_64_sync+0x198/0x19c",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39474"
},
{
"id": "CVE-2024-39475",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: savage: Handle err return when savagefb_check_var failed\n\nThe commit 04e5eac8f3ab(\"fbdev: savage: Error out if pixclock equals zero\")\nchecks the value of pixclock to avoid divide-by-zero error. However\nthe function savagefb_probe doesn't handle the error return of\nsavagefb_check_var. When pixclock is 0, it will cause divide-by-zero error.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39475"
},
{
"id": "CVE-2024-39476",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING\n\nXiao reported that lvm2 test lvconvert-raid-takeover.sh can hang with\nsmall possibility, the root cause is exactly the same as commit\nbed9e27baf52 (\"Revert \"md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d\"\")\n\nHowever, Dan reported another hang after that, and junxiao investigated\nthe problem and found out that this is caused by plugged bio can't issue\nfrom raid5d().\n\nCurrent implementation in raid5d() has a weird dependence:\n\n1) md_check_recovery() from raid5d() must hold 'reconfig_mutex' to clear\n MD_SB_CHANGE_PENDING;\n2) raid5d() handles IO in a deadloop, until all IO are issued;\n3) IO from raid5d() must wait for MD_SB_CHANGE_PENDING to be cleared;\n\nThis behaviour is introduce before v2.6, and for consequence, if other\ncontext hold 'reconfig_mutex', and md_check_recovery() can't update\nsuper_block, then raid5d() will waste one cpu 100% by the deadloop, until\n'reconfig_mutex' is released.\n\nRefer to the implementation from raid1 and raid10, fix this problem by\nskipping issue IO if MD_SB_CHANGE_PENDING is still set after\nmd_check_recovery(), daemon thread will be woken up when 'reconfig_mutex'\nis released. Meanwhile, the hang problem will be fixed as well.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39476"
},
{
"id": "CVE-2024-39477",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: do not call vma_add_reservation upon ENOMEM\n\nsysbot reported a splat [1] on __unmap_hugepage_range(). This is because\nvma_needs_reservation() can return -ENOMEM if\nallocate_file_region_entries() fails to allocate the file_region struct\nfor the reservation.\n\nCheck for that and do not call vma_add_reservation() if that is the case,\notherwise region_abort() and region_del() will see that we do not have any\nfile_regions.\n\nIf we detect that vma_needs_reservation() returned -ENOMEM, we clear the\nhugetlb_restore_reserve flag as if this reservation was still consumed, so\nfree_huge_folio() will not increment the resv count.\n\n[1] https://lore.kernel.org/linux-mm/0000000000004096100617c58d54@google.com/T/#ma5983bc1ab18a54910da83416b3f89f3c7ee43aa",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39477"
},
{
"id": "CVE-2024-39478",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: starfive - Do not free stack buffer\n\nRSA text data uses variable length buffer allocated in software stack.\nCalling kfree on it causes undefined behaviour in subsequent operations.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39478"
},
{
"id": "CVE-2024-39479",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/hwmon: Get rid of devm\n\nWhen both hwmon and hwmon drvdata (on which hwmon depends) are device\nmanaged resources, the expectation, on device unbind, is that hwmon will be\nreleased before drvdata. However, in i915 there are two separate code\npaths, which both release either drvdata or hwmon and either can be\nreleased before the other. These code paths (for device unbind) are as\nfollows (see also the bug referenced below):\n\nCall Trace:\nrelease_nodes+0x11/0x70\ndevres_release_group+0xb2/0x110\ncomponent_unbind_all+0x8d/0xa0\ncomponent_del+0xa5/0x140\nintel_pxp_tee_component_fini+0x29/0x40 [i915]\nintel_pxp_fini+0x33/0x80 [i915]\ni915_driver_remove+0x4c/0x120 [i915]\ni915_pci_remove+0x19/0x30 [i915]\npci_device_remove+0x32/0xa0\ndevice_release_driver_internal+0x19c/0x200\nunbind_store+0x9c/0xb0\n\nand\n\nCall Trace:\nrelease_nodes+0x11/0x70\ndevres_release_all+0x8a/0xc0\ndevice_unbind_cleanup+0x9/0x70\ndevice_release_driver_internal+0x1c1/0x200\nunbind_store+0x9c/0xb0\n\nThis means that in i915, if use devm, we cannot gurantee that hwmon will\nalways be released before drvdata. Which means that we have a uaf if hwmon\nsysfs is accessed when drvdata has been released but hwmon hasn't.\n\nThe only way out of this seems to be do get rid of devm_ and release/free\neverything explicitly during device unbind.\n\nv2: Change commit message and other minor code changes\nv3: Cleanup from i915_hwmon_register on error (Armin Wolf)\nv4: Eliminate potential static analyzer warning (Rodrigo)\n Eliminate fetch_and_zero (Jani)\nv5: Restore previous logic for ddat_gt->hwmon_dev error return (Andi)",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39479"
},
{
"id": "CVE-2024-39480",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkdb: Fix buffer overflow during tab-complete\n\nCurrently, when the user attempts symbol completion with the Tab key, kdb\nwill use strncpy() to insert the completed symbol into the command buffer.\nUnfortunately it passes the size of the source buffer rather than the\ndestination to strncpy() with predictably horrible results. Most obviously\nif the command buffer is already full but cp, the cursor position, is in\nthe middle of the buffer, then we will write past the end of the supplied\nbuffer.\n\nFix this by replacing the dubious strncpy() calls with memmove()/memcpy()\ncalls plus explicit boundary checks to make sure we have enough space\nbefore we start moving characters around.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39480"
},
{
"id": "CVE-2024-39481",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mc: Fix graph walk in media_pipeline_start\n\nThe graph walk tries to follow all links, even if they are not between\npads. This causes a crash with, e.g. a MEDIA_LNK_FL_ANCILLARY_LINK link.\n\nFix this by allowing the walk to proceed only for MEDIA_LNK_FL_DATA_LINK\nlinks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39481"
},
{
"id": "CVE-2024-39482",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix variable length array abuse in btree_iter\n\nbtree_iter is used in two ways: either allocated on the stack with a\nfixed size MAX_BSETS, or from a mempool with a dynamic size based on the\nspecific cache set. Previously, the struct had a fixed-length array of\nsize MAX_BSETS which was indexed out-of-bounds for the dynamically-sized\niterators, which causes UBSAN to complain.\n\nThis patch uses the same approach as in bcachefs's sort_iter and splits\nthe iterator into a btree_iter with a flexible array member and a\nbtree_iter_stack which embeds a btree_iter as well as a fixed-length\ndata array.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39482"
},
{
"id": "CVE-2024-39483",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked\n\nWhen requesting an NMI window, WARN on vNMI support being enabled if and\nonly if NMIs are actually masked, i.e. if the vCPU is already handling an\nNMI. KVM's ABI for NMIs that arrive simultanesouly (from KVM's point of\nview) is to inject one NMI and pend the other. When using vNMI, KVM pends\nthe second NMI simply by setting V_NMI_PENDING, and lets the CPU do the\nrest (hardware automatically sets V_NMI_BLOCKING when an NMI is injected).\n\nHowever, if KVM can't immediately inject an NMI, e.g. because the vCPU is\nin an STI shadow or is running with GIF=0, then KVM will request an NMI\nwindow and trigger the WARN (but still function correctly).\n\nWhether or not the GIF=0 case makes sense is debatable, as the intent of\nKVM's behavior is to provide functionality that is as close to real\nhardware as possible. E.g. if two NMIs are sent in quick succession, the\nprobability of both NMIs arriving in an STI shadow is infinitesimally low\non real hardware, but significantly larger in a virtual environment, e.g.\nif the vCPU is preempted in the STI shadow. For GIF=0, the argument isn't\nas clear cut, because the window where two NMIs can collide is much larger\nin bare metal (though still small).\n\nThat said, KVM should not have divergent behavior for the GIF=0 case based\non whether or not vNMI support is enabled. And KVM has allowed\nsimultaneous NMIs with GIF=0 for over a decade, since commit 7460fb4a3400\n(\"KVM: Fix simultaneous NMIs\"). I.e. KVM's GIF=0 handling shouldn't be\nmodified without a *really* good reason to do so, and if KVM's behavior\nwere to be modified, it should be done irrespective of vNMI support.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39483"
},
{
"id": "CVE-2024-39484",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: davinci: Don't strip remove function when driver is builtin\n\nUsing __exit for the remove function results in the remove callback being\ndiscarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g.\nusing sysfs or hotplug), the driver is just removed without the cleanup\nbeing performed. This results in resource leaks. Fix it by compiling in the\nremove callback unconditionally.\n\nThis also fixes a W=1 modpost warning:\n\nWARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in\nreference: davinci_mmcsd_driver+0x10 (section: .data) ->\ndavinci_mmcsd_remove (section: .exit.text)",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39484"
},
{
"id": "CVE-2024-39485",
"summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l: async: Properly re-initialise notifier entry in unregister\n\nThe notifier_entry of a notifier is not re-initialised after unregistering\nthe notifier. This leads to dangling pointers being left there so use\nlist_del_init() to return the notifier_entry an empty list.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39485"
}
]
},
{
"name": "lksctp-tools",
"layer": "meta-networking",
"version": "1.0.19+git",
"products": [
{
"product": "lksctp-tools",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "lsb-release",
"layer": "meta",
"version": "1.4",
"products": [
{
"product": "lsb-release",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "lsof",
"layer": "meta",
"version": "4.99.3",
"products": [
{
"product": "lsof",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "lttng-modules",
"layer": "meta",
"version": "2.13.12",
"products": [
{
"product": "lttng-modules",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "lttng-tools",
"layer": "meta",
"version": "2.13.13",
"products": [
{
"product": "lttng-tools",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "lttng-ust",
"layer": "meta",
"version": "2_2.13.7",
"products": [
{
"product": "ust",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2010-3386",
"summary": "usttrace in LTTng Userspace Tracer (aka UST) 0.7 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3386"
}
]
},
{
"name": "lua",
"layer": "meta",
"version": "5.4.6",
"products": [
{
"product": "lua",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2014-5461",
"summary": "Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5461"
},
{
"id": "CVE-2019-6706",
"summary": "Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6706"
},
{
"id": "CVE-2020-15888",
"summary": "Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15888"
},
{
"id": "CVE-2020-15889",
"summary": "Lua 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15889"
},
{
"id": "CVE-2020-15945",
"summary": "Lua through 5.4.0 has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15945"
},
{
"id": "CVE-2020-24342",
"summary": "Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24342"
},
{
"id": "CVE-2020-24369",
"summary": "ldebug.c in Lua 5.4.0 attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24369"
},
{
"id": "CVE-2020-24370",
"summary": "ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24370"
},
{
"id": "CVE-2020-24371",
"summary": "lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24371"
},
{
"id": "CVE-2021-43519",
"summary": "Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows attackers to perform a Denial of Service via a crafted script file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43519"
},
{
"id": "CVE-2021-44647",
"summary": "Lua v5.4.3 and above are affected by SEGV by type confusion in funcnamefromcode function in ldebug.c which can cause a local denial of service.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-44647"
},
{
"id": "CVE-2021-44964",
"summary": "Use after free in garbage collector and finalizer of lgc.c in Lua interpreter 5.4.0~5.4.3 allows attackers to perform Sandbox Escape via a crafted script file.",
"scorev2": "4.3",
"scorev3": "6.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-44964"
},
{
"id": "CVE-2021-45985",
"summary": "In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45985"
},
{
"id": "CVE-2022-28805",
"summary": "singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-28805"
},
{
"id": "CVE-2022-33099",
"summary": "An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33099"
}
]
},
{
"name": "lua-native",
"layer": "meta",
"version": "5.4.6",
"products": [
{
"product": "lua",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2014-5461",
"summary": "Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5461"
},
{
"id": "CVE-2019-6706",
"summary": "Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6706"
},
{
"id": "CVE-2020-15888",
"summary": "Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15888"
},
{
"id": "CVE-2020-15889",
"summary": "Lua 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15889"
},
{
"id": "CVE-2020-15945",
"summary": "Lua through 5.4.0 has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15945"
},
{
"id": "CVE-2020-24342",
"summary": "Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24342"
},
{
"id": "CVE-2020-24369",
"summary": "ldebug.c in Lua 5.4.0 attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24369"
},
{
"id": "CVE-2020-24370",
"summary": "ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24370"
},
{
"id": "CVE-2020-24371",
"summary": "lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24371"
},
{
"id": "CVE-2021-43519",
"summary": "Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows attackers to perform a Denial of Service via a crafted script file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43519"
},
{
"id": "CVE-2021-44647",
"summary": "Lua v5.4.3 and above are affected by SEGV by type confusion in funcnamefromcode function in ldebug.c which can cause a local denial of service.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-44647"
},
{
"id": "CVE-2021-44964",
"summary": "Use after free in garbage collector and finalizer of lgc.c in Lua interpreter 5.4.0~5.4.3 allows attackers to perform Sandbox Escape via a crafted script file.",
"scorev2": "4.3",
"scorev3": "6.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-44964"
},
{
"id": "CVE-2021-45985",
"summary": "In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45985"
},
{
"id": "CVE-2022-28805",
"summary": "singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-28805"
},
{
"id": "CVE-2022-33099",
"summary": "An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33099"
}
]
},
{
"name": "lvm2",
"layer": "meta-oe",
"version": "2.03.22",
"products": [
{
"product": "lvm2",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2010-2526",
"summary": "The cluster logical volume manager daemon (clvmd) in lvm2-cluster in LVM2 before 2.02.72, as used in Red Hat Global File System (GFS) and other products, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service (daemon exit or logical-volume change) or possibly have unspecified other impact via crafted control commands.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2526"
},
{
"id": "CVE-2020-8991",
"summary": "vg_lookup in daemons/lvmetad/lvmetad-core.c in LVM2 2.02 mismanages memory, leading to an lvmetad memory leak, as demonstrated by running pvs. NOTE: RedHat disputes CVE-2020-8991 as not being a vulnerability since there\u2019s no apparent route to either privilege escalation or to denial of service through the bug",
"scorev2": "2.1",
"scorev3": "2.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8991"
}
]
},
{
"name": "lz4-native",
"layer": "meta",
"version": "1_1.9.4",
"products": [
{
"product": "lz4",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2014-4715",
"summary": "Yann Collet LZ4 before r119, when used on certain 32-bit platforms that allocate memory beyond 0x80000000, does not properly detect integer overflows, which allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted Literal Run, a different vulnerability than CVE-2014-4611.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4715",
"detail": "fixed-version",
"description": "Fixed in r118, which is larger than the current version."
},
{
"id": "CVE-2019-17543",
"summary": "LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17543"
},
{
"id": "CVE-2021-3520",
"summary": "There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3520"
}
]
},
{
"name": "lzlib",
"layer": "meta",
"version": "1.14",
"products": [
{
"product": "lzlib",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "lzlib-native",
"layer": "meta",
"version": "1.14",
"products": [
{
"product": "lzlib",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "m4",
"layer": "meta",
"version": "1.4.19",
"products": [
{
"product": "m4",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2008-1687",
"summary": "The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1.4.11 do not quote their output when a file is created, which might allow context-dependent attackers to trigger a macro expansion, leading to unspecified use of an incorrect filename.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1687"
},
{
"id": "CVE-2008-1688",
"summary": "Unspecified vulnerability in GNU m4 before 1.4.11 might allow context-dependent attackers to execute arbitrary code, related to improper handling of filenames specified with the -F option. NOTE: it is not clear when this issue crosses privilege boundaries.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1688"
}
]
},
{
"name": "m4-native",
"layer": "meta",
"version": "1.4.19",
"products": [
{
"product": "m4",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2008-1687",
"summary": "The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1.4.11 do not quote their output when a file is created, which might allow context-dependent attackers to trigger a macro expansion, leading to unspecified use of an incorrect filename.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1687"
},
{
"id": "CVE-2008-1688",
"summary": "Unspecified vulnerability in GNU m4 before 1.4.11 might allow context-dependent attackers to execute arbitrary code, related to improper handling of filenames specified with the -F option. NOTE: it is not clear when this issue crosses privilege boundaries.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1688"
}
]
},
{
"name": "make",
"layer": "meta",
"version": "4.4.1",
"products": [
{
"product": "make",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2000-0151",
"summary": "GNU make follows symlinks when it reads a Makefile from stdin, which allows other local users to execute commands.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0151"
}
]
},
{
"name": "make-mod-scripts",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "make-mod-scripts",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "make-native",
"layer": "meta",
"version": "4.4.1",
"products": [
{
"product": "make",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2000-0151",
"summary": "GNU make follows symlinks when it reads a Makefile from stdin, which allows other local users to execute commands.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0151"
}
]
},
{
"name": "makedepend-native",
"layer": "meta",
"version": "1_1.0.9",
"products": [
{
"product": "makedepend",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "makedevs-native",
"layer": "meta",
"version": "1.0.1",
"products": [
{
"product": "makedevs",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "mc",
"layer": "meta",
"version": "4.8.31",
"products": [
{
"product": "mc",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "mediaplayer",
"layer": "meta-agl-demo",
"version": "2.0+git",
"products": [
{
"product": "mediaplayer",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2008-0619",
"summary": "Buffer overflow in NeroMediaPlayer.exe in Nero Media Player 1.4.0.35 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (persistent crash) via a long URI in a .M3U file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0619"
}
]
},
{
"name": "mesa",
"layer": "meta",
"version": "2_24.0.3",
"products": [
{
"product": "mesa",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2001-0474",
"summary": "Utah-glx in Mesa before 3.3-14 on Mandrake Linux 7.2 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/glxmemory file.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0474"
},
{
"id": "CVE-2013-1872",
"summary": "The Intel drivers in Mesa 8.0.x and 9.0.x allow context-dependent attackers to cause a denial of service (reachable assertion and crash) and possibly execute arbitrary code via vectors involving 3d graphics that trigger an out-of-bounds array access, related to the fs_visitor::remove_dead_constants function. NOTE: this issue might be related to CVE-2013-0796.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1872"
},
{
"id": "CVE-2013-1993",
"summary": "Multiple integer overflows in X.org libGLX in Mesa 9.1.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XF86DRIOpenConnection and (2) XF86DRIGetClientDriverName functions.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1993"
},
{
"id": "CVE-2019-5068",
"summary": "An exploitable shared memory permissions vulnerability exists in the functionality of X11 Mesa 3D Graphics Library 19.1.2. An attacker can access the shared memory without any specific permissions to trigger this vulnerability.",
"scorev2": "3.6",
"scorev3": "5.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5068"
}
]
},
{
"name": "meson-native",
"layer": "meta",
"version": "1.3.1",
"products": [
{
"product": "meson",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "messaging",
"layer": "meta-agl-demo",
"version": "1.0+git",
"products": [
{
"product": "messaging",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2005-2668",
"summary": "Multiple buffer overflows in Computer Associates (CA) Message Queuing (CAM / CAFT) 1.05, 1.07 before Build 220_13, and 1.11 before Build 29_13 allow remote attackers to execute arbitrary code via unknown vectors.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2668"
},
{
"id": "CVE-2005-2669",
"summary": "Computer Associates (CA) Message Queuing (CAM / CAFT) 1.05, 1.07 before Build 220_13, and 1.11 before Build 29_13 allows remote attackers to execute arbitrary commands via spoofed CAFT packets.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2669"
},
{
"id": "CVE-2006-0529",
"summary": "Computer Associates (CA) Message Queuing (CAM / CAFT) before 1.07 Build 220_16 and 1.11 Build 29_20, as used in multiple CA products, allows remote attackers to cause a denial of service via a crafted message to TCP port 4105.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0529"
},
{
"id": "CVE-2006-0530",
"summary": "Computer Associates (CA) Message Queuing (CAM / CAFT) before 1.07 Build 220_16 and 1.11 Build 29_20, as used in multiple CA products, allows remote attackers to cause a denial of service via spoofed CAM control messages.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0530"
},
{
"id": "CVE-2011-1066",
"summary": "Cross-site scripting (XSS) vulnerability in the Messaging module 6.x-2.x before 6.x-2.4 and 6.x-4.x before 6.x-4.0-beta8 for Drupal allows remote attackers with administer messaging permissions to inject arbitrary web script or HTML via unspecified vectors.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1066"
}
]
},
{
"name": "meta-environment-qemuarm64",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "meta-environment-qemuarm64",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "mobile-broadband-provider-info",
"layer": "meta",
"version": "1_20230416",
"products": [
{
"product": "mobile-broadband-provider-info",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "mozjs-115",
"layer": "meta-oe",
"version": "115.8.0",
"products": [
{
"product": "mozjs-115",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "mpc",
"layer": "meta-multimedia",
"version": "0.34",
"products": [
{
"product": "mpc",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "mpd",
"layer": "meta-multimedia",
"version": "0.23.14",
"products": [
{
"product": "mpd",
"cvesInRecord": "No"
}
],
"issue": [
{
"id": "CVE-2020-7465",
"summary": "The L2TP implementation of MPD before 5.9 allows a remote attacker who can send specifically crafted L2TP control packet with AVP Q.931 Cause Code to execute arbitrary code or cause a denial of service (memory corruption).",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-7465",
"detail": "cpe-incorrect",
"description": "The recipe used in the meta-openembedded is a different mpd package compared to the one which has the CVE issue."
},
{
"id": "CVE-2020-7466",
"summary": "The PPP implementation of MPD before 5.9 allows a remote attacker who can send specifically crafted PPP authentication message to cause the daemon to read beyond allocated memory buffer, which would result in a denial of service condition.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-7466",
"detail": "cpe-incorrect",
"description": "The recipe used in the meta-openembedded is a different mpd package compared to the one which has the CVE issue."
}
]
},
{
"name": "mpfr",
"layer": "meta",
"version": "4.2.1",
"products": [
{
"product": "mpfr",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "mpfr-native",
"layer": "meta",
"version": "4.2.1",
"products": [
{
"product": "mpfr",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "mpg123",
"layer": "meta",
"version": "1.32.6",
"products": [
{
"product": "mpg123",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2003-0577",
"summary": "mpg123 0.59r allows remote attackers to cause a denial of service and possibly execute arbitrary code via an MP3 file with a zero bitrate, which creates a negative frame size.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0577"
},
{
"id": "CVE-2003-0865",
"summary": "Heap-based buffer overflow in readstring of httpget.c for mpg123 0.59r and 0.59s allows remote attackers to execute arbitrary code via a long request.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0865"
},
{
"id": "CVE-2004-0805",
"summary": "Buffer overflow in layer2.c in mpg123 0.59r and possibly mpg123 0.59s allows remote attackers to execute arbitrary code via a certain (1) mp3 or (2) mp2 file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0805"
},
{
"id": "CVE-2004-0982",
"summary": "Buffer overflow in the getauthfromURL function in httpget.c in mpg123 pre0.59s and mpg123 0.59r could allow remote attackers or local users to execute arbitrary code via an mp3 file that contains a long string before the @ (at sign) in a URL.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0982"
},
{
"id": "CVE-2004-0991",
"summary": "Buffer overflow in mpg123 before 0.59s-r9 allows remote attackers to execute arbitrary code via frame headers in MP2 or MP3 files.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0991"
},
{
"id": "CVE-2004-1284",
"summary": "Buffer overflow in the find_next_file function in playlist.c for mpg123 0.59r allows remote attackers to execute arbitrary code via a crafted MP3 playlist.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1284"
},
{
"id": "CVE-2006-1655",
"summary": "Multiple buffer overflows in mpg123 0.59r allow user-assisted attackers to trigger a segmentation fault and possibly have other impacts via a certain MP3 file, as demonstrated by mpg1DoS3. NOTE: this issue might be related to CVE-2004-0991, but it is not clear.",
"scorev2": "6.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1655"
},
{
"id": "CVE-2006-3355",
"summary": "Heap-based buffer overflow in httpdget.c in mpg123 before 0.59s-rll allows remote attackers to execute arbitrary code via a long URL, which is not properly terminated before being used with the strncpy function. NOTE: This appears to be the result of an incomplete patch for CVE-2004-0982.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3355"
},
{
"id": "CVE-2007-0578",
"summary": "The http_open function in httpget.c in mpg123 before 0.64 allows remote attackers to cause a denial of service (infinite loop) by closing the HTTP connection early.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0578"
},
{
"id": "CVE-2007-4397",
"summary": "Multiple CRLF injection vulnerabilities in (1) xmms-thing 1.0, (2) XMMS Remote Control Script 1.07, (3) Disrok 1.0, (4) a2x 0.0.1, (5) Another xmms-info script 1.0, (6) XChat-XMMS 0.8.1, and other unspecified scripts for XChat allow user-assisted remote attackers to execute arbitrary IRC commands via CRLF sequences in the name of the song in a .mp3 file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4397"
},
{
"id": "CVE-2009-1301",
"summary": "Integer signedness error in the store_id3_text function in the ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause a denial of service (out-of-bounds memory access) and possibly execute arbitrary code via an ID3 tag with a negative encoding value. NOTE: some of these details are obtained from third party information.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1301"
},
{
"id": "CVE-2014-9497",
"summary": "Buffer overflow in mpg123 before 1.18.0.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9497"
},
{
"id": "CVE-2017-10683",
"summary": "In mpg123 1.25.0, there is a heap-based buffer over-read in the convert_latin1 function in libmpg123/id3.c. A crafted input will lead to a remote denial of service attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10683"
},
{
"id": "CVE-2017-11126",
"summary": "The III_i_stereo function in libmpg123/layer3.c in mpg123 through 1.25.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file that is mishandled in the code for the \"block_type != 2\" case, a similar issue to CVE-2017-9870.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11126"
},
{
"id": "CVE-2017-12797",
"summary": "Integer overflow in the INT123_parse_new_id3 function in the ID3 parser in mpg123 before 1.25.5 on 32-bit platforms allows remote attackers to cause a denial of service via a crafted file, which triggers a heap-based buffer overflow.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12797"
},
{
"id": "CVE-2017-12839",
"summary": "A heap-based buffer over-read in the getbits function in src/libmpg123/getbits.h in mpg123 through 1.25.5 allows remote attackers to cause a possible denial-of-service (out-of-bounds read) or possibly have unspecified other impact via a crafted mp3 file.",
"scorev2": "6.8",
"scorev3": "8.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12839"
},
{
"id": "CVE-2017-9545",
"summary": "The next_text function in src/libmpg123/id3.c in mpg123 1.24.0 allows remote attackers to cause a denial of service (buffer over-read) via a crafted mp3 file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9545"
}
]
},
{
"name": "mtdev",
"layer": "meta",
"version": "1.1.6",
"products": [
{
"product": "mtdev",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "multipath-tools",
"layer": "meta-oe",
"version": "0.9.8",
"products": [
{
"product": "multipath-tools",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2009-0115",
"summary": "The Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0.4.8, as used in SUSE openSUSE, SUSE Linux Enterprise Server (SLES), Fedora, and possibly other operating systems, uses world-writable permissions for the socket file (aka /var/run/multipathd.sock), which allows local users to send arbitrary commands to the multipath daemon.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0115"
},
{
"id": "CVE-2022-41973",
"summary": "multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41973"
},
{
"id": "CVE-2022-41974",
"summary": "multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41974"
}
]
},
{
"name": "nativesdk-abseil-cpp",
"layer": "meta-oe",
"version": "20240116.2",
"products": [
{
"product": "abseil-cpp",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-adwaita-icon-theme",
"layer": "meta",
"version": "45.0",
"products": [
{
"product": "adwaita-icon-theme",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-at-spi2-core",
"layer": "meta",
"version": "2.50.1",
"products": [
{
"product": "at-spi2-core",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-attr",
"layer": "meta",
"version": "2.5.1",
"products": [
{
"product": "attr",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-autoconf",
"layer": "meta",
"version": "2.72e",
"products": [
{
"product": "autoconf",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-automake",
"layer": "meta",
"version": "1.16.5",
"products": [
{
"product": "automake",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2009-4029",
"summary": "The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4029"
},
{
"id": "CVE-2012-3386",
"summary": "The \"make distcheck\" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3386"
}
]
},
{
"name": "nativesdk-bash",
"layer": "meta",
"version": "5.2.21",
"products": [
{
"product": "bash",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-0491",
"summary": "The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0491"
},
{
"id": "CVE-1999-1383",
"summary": "(1) bash before 1.14.7, and (2) tcsh 6.05 allow local users to gain privileges via directory names that contain shell metacharacters (` back-tick), which can cause the commands enclosed in the directory name to be executed when the shell expands filenames using the \\w option in the PS1 variable.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1383"
},
{
"id": "CVE-2010-0002",
"summary": "The /etc/profile.d/60alias.sh script in the Mandriva bash package for Bash 2.05b, 3.0, 3.2, 3.2.48, and 4.0 enables the --show-control-chars option in LS_OPTIONS, which allows local users to send escape sequences to terminal emulators, or hide the existence of a file, via a crafted filename.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0002"
},
{
"id": "CVE-2012-3410",
"summary": "Stack-based buffer overflow in lib/sh/eaccess.c in GNU Bash before 4.2 patch 33 might allow local users to bypass intended restricted shell access via a long filename in /dev/fd, which is not properly handled when expanding the /dev/fd prefix.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3410"
},
{
"id": "CVE-2012-6711",
"summary": "A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the \"echo -e\" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6711"
},
{
"id": "CVE-2014-6271",
"summary": "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka \"ShellShock.\" NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-6271"
},
{
"id": "CVE-2014-6277",
"summary": "GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-6277"
},
{
"id": "CVE-2014-6278",
"summary": "GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-6278"
},
{
"id": "CVE-2014-7169",
"summary": "GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7169"
},
{
"id": "CVE-2014-7186",
"summary": "The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the \"redir_stack\" issue.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7186"
},
{
"id": "CVE-2014-7187",
"summary": "Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the \"word_lineno\" issue.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7187"
},
{
"id": "CVE-2016-0634",
"summary": "The expansion of '\\h' in the prompt string in bash 4.3 allows remote authenticated users to execute arbitrary code via shell metacharacters placed in 'hostname' of a machine.",
"scorev2": "6.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0634"
},
{
"id": "CVE-2016-7543",
"summary": "Bash before 4.4 allows local users to execute arbitrary commands with root privileges via crafted SHELLOPTS and PS4 environment variables.",
"scorev2": "7.2",
"scorev3": "8.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7543"
},
{
"id": "CVE-2016-9401",
"summary": "popd in bash might allow local users to bypass the restricted shell and cause a use-after-free via a crafted address.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9401"
},
{
"id": "CVE-2017-5932",
"summary": "The path autocompletion feature in Bash 4.4 allows local users to gain privileges via a crafted filename starting with a \" (double quote) character and a command substitution metacharacter.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5932"
},
{
"id": "CVE-2019-18276",
"summary": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18276"
},
{
"id": "CVE-2019-9924",
"summary": "rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9924"
},
{
"id": "CVE-2022-3715",
"summary": "A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3715"
}
]
},
{
"name": "nativesdk-bash-completion",
"layer": "meta",
"version": "2.12.0",
"products": [
{
"product": "bash-completion",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-bison",
"layer": "meta",
"version": "3.8.2",
"products": [
{
"product": "bison",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2020-14150",
"summary": "GNU Bison before 3.5.4 allows attackers to cause a denial of service (application crash). NOTE: there is a risk only if Bison is used with untrusted input, and an observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug reports were intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated by Bison.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14150"
},
{
"id": "CVE-2020-24240",
"summary": "GNU Bison before 3.7.1 has a use-after-free in _obstack_free in lib/obstack.c (called from gram_lex) when a '\\0' byte is encountered. NOTE: there is a risk only if Bison is used with untrusted input, and the observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug report was intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated by Bison.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24240"
}
]
},
{
"name": "nativesdk-bzip2",
"layer": "meta",
"version": "1.0.8",
"products": [
{
"product": "bzip2",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2002-0759",
"summary": "bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and 3.1.1, and possibly other operating systems, does not use the O_EXCL flag to create files during decompression and does not warn the user if an existing file would be overwritten, which could allow attackers to overwrite files via a bzip2 archive.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0759"
},
{
"id": "CVE-2002-0760",
"summary": "Race condition in bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and 3.1.1, and possibly other operating systems, decompresses files with world-readable permissions before setting the permissions to what is specified in the bzip2 archive, which could allow local users to read the files as they are being decompressed.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0760"
},
{
"id": "CVE-2002-0761",
"summary": "bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and 3.1.1, and possibly systems, uses the permissions of symbolic links instead of the actual files when creating an archive, which could cause the files to be extracted with less restrictive permissions than intended.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0761"
},
{
"id": "CVE-2005-0953",
"summary": "Race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0953"
},
{
"id": "CVE-2005-1260",
"summary": "bzip2 allows remote attackers to cause a denial of service (hard drive consumption) via a crafted bzip2 file that causes an infinite loop (a.k.a \"decompression bomb\").",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1260"
},
{
"id": "CVE-2008-1372",
"summary": "bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite for Archive Formats.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1372"
},
{
"id": "CVE-2010-0405",
"summary": "Integer overflow in the BZ2_decompress function in decompress.c in bzip2 and libbzip2 before 1.0.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted compressed file.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0405"
},
{
"id": "CVE-2011-4089",
"summary": "The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4089"
},
{
"id": "CVE-2016-3189",
"summary": "Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3189"
},
{
"id": "CVE-2019-12900",
"summary": "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12900"
},
{
"id": "CVE-2023-22895",
"summary": "The bzip2 crate before 0.4.4 for Rust allow attackers to cause a denial of service via a large file that triggers an integer overflow in mem.rs. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-22895"
}
]
},
{
"name": "nativesdk-c-ares",
"layer": "meta-oe",
"version": "1.27.0",
"products": [
{
"product": "c-ares",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-3152",
"summary": "c-ares before 1.4.0 uses a predictable seed for the random number generator for the DNS Transaction ID field, which might allow remote attackers to spoof DNS responses by guessing the field value.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3152"
},
{
"id": "CVE-2007-3153",
"summary": "The ares_init:randomize_key function in c-ares, on platforms other than Windows, uses a weak facility for producing a random number sequence (Unix rand), which makes it easier for remote attackers to spoof DNS responses by guessing certain values.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3153"
},
{
"id": "CVE-2016-5180",
"summary": "Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5180"
},
{
"id": "CVE-2017-1000381",
"summary": "The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000381"
},
{
"id": "CVE-2020-14354",
"summary": "A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14354"
},
{
"id": "CVE-2020-22217",
"summary": "Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-22217"
},
{
"id": "CVE-2020-8277",
"summary": "A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8277"
},
{
"id": "CVE-2021-3672",
"summary": "A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.",
"scorev2": "6.8",
"scorev3": "5.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3672"
},
{
"id": "CVE-2022-4904",
"summary": "A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.",
"scorev2": "0.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4904"
},
{
"id": "CVE-2023-31124",
"summary": "c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.\n",
"scorev2": "0.0",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31124"
},
{
"id": "CVE-2023-31130",
"summary": "c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular \"0::00:00:00/2\" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.\n",
"scorev2": "0.0",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31130"
},
{
"id": "CVE-2023-31147",
"summary": "c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31147"
},
{
"id": "CVE-2023-32067",
"summary": "c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32067"
}
]
},
{
"name": "nativesdk-ca-certificates",
"layer": "meta",
"version": "20211016",
"products": [
{
"product": "ca-certificates",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-cairo",
"layer": "meta",
"version": "1.18.0",
"products": [
{
"product": "cairo",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-5503",
"summary": "Multiple integer overflows in Cairo before 1.4.12 might allow remote attackers to execute arbitrary code, as demonstrated using a crafted PNG image with large width and height values, which is not properly handled by the read_png function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5503"
},
{
"id": "CVE-2014-5116",
"summary": "The cairo_image_surface_get_data function in Cairo 1.10.2, as used in GTK+ and Wireshark, allows context-dependent attackers to cause a denial of service (NULL pointer dereference) via a large string.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5116"
},
{
"id": "CVE-2016-3190",
"summary": "The fill_xrgb32_lerp_opaque_spans function in cairo-image-compositor.c in cairo before 1.14.2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a negative span length.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3190"
},
{
"id": "CVE-2016-9082",
"summary": "Integer overflow in the write_png function in cairo 1.14.6 allows remote attackers to cause a denial of service (invalid pointer dereference) via a large svg file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9082"
},
{
"id": "CVE-2017-7475",
"summary": "Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7475"
},
{
"id": "CVE-2017-9814",
"summary": "cairo-truetype-subset.c in cairo 1.15.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) because of mishandling of an unexpected malloc(0) call.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9814"
},
{
"id": "CVE-2018-18064",
"summary": "cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18064"
},
{
"id": "CVE-2018-19876",
"summary": "cairo 1.16.0, in cairo_ft_apply_variations() in cairo-ft-font.c, would free memory using a free function incompatible with WebKit's fastMalloc, leading to an application crash with a \"free(): invalid pointer\" error.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19876"
},
{
"id": "CVE-2019-6461",
"summary": "An issue was discovered in cairo 1.16.0. There is an assertion problem in the function _cairo_arc_in_direction in the file cairo-arc.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6461"
},
{
"id": "CVE-2019-6462",
"summary": "An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6462"
},
{
"id": "CVE-2020-35492",
"summary": "A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35492"
}
]
},
{
"name": "nativesdk-cmake",
"layer": "meta",
"version": "3.28.3",
"products": [
{
"product": "cmake",
"cvesInRecord": "No"
}
],
"issue": [
{
"id": "CVE-2016-10642",
"summary": "cmake installs the cmake x86 linux binaries. cmake downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.",
"scorev2": "9.3",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10642",
"detail": "cpe-incorrect",
"description": "This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded"
}
]
},
{
"name": "nativesdk-curl",
"layer": "meta",
"version": "8.7.1",
"products": [
{
"product": "curl",
"cvesInRecord": "Yes"
},
{
"product": "libcurl",
"cvesInRecord": "Yes"
},
{
"product": "curl",
"cvesInRecord": "Yes"
},
{
"product": "libcurl",
"cvesInRecord": "Yes"
},
{
"product": "libcurl",
"cvesInRecord": "Yes"
},
{
"product": "curl",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2000-0973",
"summary": "Buffer overflow in curl earlier than 6.0-1.1, and curl-ssl earlier than 6.0-1.2, allows remote attackers to execute arbitrary commands by forcing a long error message to be generated.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0973"
},
{
"id": "CVE-2003-1605",
"summary": "curl 7.x before 7.10.7 sends CONNECT proxy credentials to the remote server.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-1605"
},
{
"id": "CVE-2005-0490",
"summary": "Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.",
"scorev2": "5.1",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0490"
},
{
"id": "CVE-2005-3185",
"summary": "Stack-based buffer overflow in the ntlm_output function in http-ntlm.c for (1) wget 1.10, (2) curl 7.13.2, and (3) libcurl 7.13.2, and other products that use libcurl, when NTLM authentication is enabled, allows remote servers to execute arbitrary code via a long NTLM username.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3185"
},
{
"id": "CVE-2005-4077",
"summary": "Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 through 7.15.0 allow local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs that (1) are malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer, or (2) contain a \"?\" separator in the hostname portion, which causes a \"/\" to be prepended to the resulting string.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4077"
},
{
"id": "CVE-2006-1061",
"summary": "Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1061"
},
{
"id": "CVE-2007-3564",
"summary": "libcurl 7.14.0 through 7.16.3, when built with GnuTLS support, does not check SSL/TLS certificate expiration or activation dates, which allows remote attackers to bypass certain access restrictions.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3564"
},
{
"id": "CVE-2009-0037",
"summary": "The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0037"
},
{
"id": "CVE-2009-2417",
"summary": "lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2417"
},
{
"id": "CVE-2010-0734",
"summary": "content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0734"
},
{
"id": "CVE-2010-3842",
"summary": "Absolute path traversal vulnerability in curl 7.20.0 through 7.21.1, when the --remote-header-name or -J option is used, allows remote servers to create or overwrite arbitrary files by using \\ (backslash) as a separator of path components within the Content-disposition HTTP header.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3842"
},
{
"id": "CVE-2011-2192",
"summary": "The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2192"
},
{
"id": "CVE-2011-3389",
"summary": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3389"
},
{
"id": "CVE-2012-0036",
"summary": "curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0036"
},
{
"id": "CVE-2013-0249",
"summary": "Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the realm parameter in a (1) POP3, (2) SMTP or (3) IMAP message.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0249"
},
{
"id": "CVE-2013-1944",
"summary": "The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1944"
},
{
"id": "CVE-2013-2174",
"summary": "Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a \"%\" (percent) character.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2174"
},
{
"id": "CVE-2013-4545",
"summary": "cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4545"
},
{
"id": "CVE-2013-6422",
"summary": "The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6422"
},
{
"id": "CVE-2014-0015",
"summary": "cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0015"
},
{
"id": "CVE-2014-0138",
"summary": "The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0138"
},
{
"id": "CVE-2014-0139",
"summary": "cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0139"
},
{
"id": "CVE-2014-2522",
"summary": "curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2522"
},
{
"id": "CVE-2014-3613",
"summary": "cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3613"
},
{
"id": "CVE-2014-3620",
"summary": "cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3620"
},
{
"id": "CVE-2014-3707",
"summary": "The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3707"
},
{
"id": "CVE-2014-8150",
"summary": "CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8150"
},
{
"id": "CVE-2014-8151",
"summary": "The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8151"
},
{
"id": "CVE-2015-3143",
"summary": "cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3143"
},
{
"id": "CVE-2015-3144",
"summary": "The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by \"http://:80\" and \":80.\"",
"scorev2": "9.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3144"
},
{
"id": "CVE-2015-3145",
"summary": "The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly have other unspecified impact via a cookie path containing only a double-quote character.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3145"
},
{
"id": "CVE-2015-3148",
"summary": "cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3148"
},
{
"id": "CVE-2015-3153",
"summary": "The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3153"
},
{
"id": "CVE-2015-3236",
"summary": "cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same host name, which allows remote attackers to obtain sensitive information via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3236"
},
{
"id": "CVE-2015-3237",
"summary": "The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and crash) via crafted length and offset values.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3237"
},
{
"id": "CVE-2016-0754",
"summary": "cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0754"
},
{
"id": "CVE-2016-0755",
"summary": "The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.",
"scorev2": "5.0",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0755"
},
{
"id": "CVE-2016-3739",
"summary": "The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.",
"scorev2": "2.6",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3739"
},
{
"id": "CVE-2016-4606",
"summary": "Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4606"
},
{
"id": "CVE-2016-4802",
"summary": "Multiple untrusted search path vulnerabilities in cURL and libcurl before 7.49.1, when built with SSPI or telnet is enabled, allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) security.dll, (2) secur32.dll, or (3) ws2_32.dll in the application or current working directory.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4802"
},
{
"id": "CVE-2016-5419",
"summary": "curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5419"
},
{
"id": "CVE-2016-5420",
"summary": "curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5420"
},
{
"id": "CVE-2016-5421",
"summary": "Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5421"
},
{
"id": "CVE-2016-7141",
"summary": "curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7141"
},
{
"id": "CVE-2016-7167",
"summary": "Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7167"
},
{
"id": "CVE-2016-8615",
"summary": "A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8615"
},
{
"id": "CVE-2016-8616",
"summary": "A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8616"
},
{
"id": "CVE-2016-8617",
"summary": "The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8617"
},
{
"id": "CVE-2016-8618",
"summary": "The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8618"
},
{
"id": "CVE-2016-8619",
"summary": "The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8619"
},
{
"id": "CVE-2016-8620",
"summary": "The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to integer overflow and out-of-bounds read via user controlled input.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8620"
},
{
"id": "CVE-2016-8621",
"summary": "The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8621"
},
{
"id": "CVE-2016-8622",
"summary": "The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8622"
},
{
"id": "CVE-2016-8623",
"summary": "A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8623"
},
{
"id": "CVE-2016-8624",
"summary": "curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8624"
},
{
"id": "CVE-2016-8625",
"summary": "curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8625"
},
{
"id": "CVE-2016-9586",
"summary": "curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9586"
},
{
"id": "CVE-2016-9594",
"summary": "curl before version 7.52.1 is vulnerable to an uninitialized random in libcurl's internal function that returns a good 32bit random value. Having a weak or virtually non-existent random value makes the operations that use it vulnerable.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9594"
},
{
"id": "CVE-2016-9952",
"summary": "The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted wildcard SAN in a server certificate, as demonstrated by \"*.com.\"",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9952"
},
{
"id": "CVE-2016-9953",
"summary": "The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly have unspecified other impact via a wildcard certificate name, which triggers an out-of-bounds read.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9953"
},
{
"id": "CVE-2017-1000099",
"summary": "When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000099"
},
{
"id": "CVE-2017-1000100",
"summary": "When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000100"
},
{
"id": "CVE-2017-1000101",
"summary": "curl supports \"globbing\" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be `http://ur%20[0-60000000000000000000`.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000101"
},
{
"id": "CVE-2017-1000254",
"summary": "libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000254"
},
{
"id": "CVE-2017-1000257",
"summary": "An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000257"
},
{
"id": "CVE-2017-2628",
"summary": "curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2628"
},
{
"id": "CVE-2017-2629",
"summary": "curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status).",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2629"
},
{
"id": "CVE-2017-7407",
"summary": "The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.",
"scorev2": "2.1",
"scorev3": "2.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7407"
},
{
"id": "CVE-2017-7468",
"summary": "In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster. This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7468"
},
{
"id": "CVE-2017-8816",
"summary": "The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8816"
},
{
"id": "CVE-2017-8817",
"summary": "The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8817"
},
{
"id": "CVE-2017-8818",
"summary": "curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact because too little memory is allocated for interfacing to an SSL library.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8818"
},
{
"id": "CVE-2017-9502",
"summary": "In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given \"URL\" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string \"file://\").",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9502"
},
{
"id": "CVE-2018-0500",
"summary": "Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with certain settings (i.e., use of a nonstandard --limit-rate argument or CURLOPT_BUFFERSIZE value).",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0500"
},
{
"id": "CVE-2018-1000005",
"summary": "libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000005"
},
{
"id": "CVE-2018-1000007",
"summary": "libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.",
"scorev2": "5.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000007"
},
{
"id": "CVE-2018-1000120",
"summary": "A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000120"
},
{
"id": "CVE-2018-1000121",
"summary": "A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that allows an attacker to cause a denial of service",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000121"
},
{
"id": "CVE-2018-1000122",
"summary": "A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000122"
},
{
"id": "CVE-2018-1000300",
"summary": "curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies.. This vulnerability appears to have been fixed in curl < 7.54.1 and curl >= 7.60.0.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000300"
},
{
"id": "CVE-2018-1000301",
"summary": "curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000301"
},
{
"id": "CVE-2018-14618",
"summary": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14618"
},
{
"id": "CVE-2018-16839",
"summary": "Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16839"
},
{
"id": "CVE-2018-16840",
"summary": "A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16840"
},
{
"id": "CVE-2018-16842",
"summary": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16842"
},
{
"id": "CVE-2018-16890",
"summary": "libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.",
"scorev2": "5.0",
"scorev3": "5.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16890"
},
{
"id": "CVE-2019-3822",
"summary": "libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.",
"scorev2": "7.5",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3822"
},
{
"id": "CVE-2019-3823",
"summary": "libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3823"
},
{
"id": "CVE-2019-5435",
"summary": "An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5435"
},
{
"id": "CVE-2019-5436",
"summary": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5436"
},
{
"id": "CVE-2019-5443",
"summary": "A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl \"engine\") on invocation. If that curl is invoked by a privileged user it can do anything it wants.",
"scorev2": "4.4",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5443"
},
{
"id": "CVE-2019-5481",
"summary": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5481"
},
{
"id": "CVE-2019-5482",
"summary": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5482"
},
{
"id": "CVE-2020-19909",
"summary": "Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay. NOTE: many parties report that this has no direct security impact on the curl user; however, it may (in theory) cause a denial of service to associated systems or networks if, for example, --retry-delay is misinterpreted as a value much smaller than what was intended. This is not especially plausible because the overflow only happens if the user was trying to specify that curl should wait weeks (or longer) before trying to recover from a transient error.",
"scorev2": "0.0",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19909"
},
{
"id": "CVE-2020-8169",
"summary": "curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8169"
},
{
"id": "CVE-2020-8177",
"summary": "curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8177"
},
{
"id": "CVE-2020-8231",
"summary": "Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8231"
},
{
"id": "CVE-2020-8284",
"summary": "A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8284"
},
{
"id": "CVE-2020-8285",
"summary": "curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8285"
},
{
"id": "CVE-2020-8286",
"summary": "curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8286"
},
{
"id": "CVE-2021-22876",
"summary": "curl 7.1.1 to and including 7.75.0 is vulnerable to an \"Exposure of Private Personal Information to an Unauthorized Actor\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22876"
},
{
"id": "CVE-2021-22890",
"summary": "curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly \"short-cut\" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22890"
},
{
"id": "CVE-2021-22897",
"summary": "curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single \"static\" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.",
"scorev2": "4.3",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22897"
},
{
"id": "CVE-2021-22898",
"summary": "curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.",
"scorev2": "2.6",
"scorev3": "3.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22898"
},
{
"id": "CVE-2021-22901",
"summary": "curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22901"
},
{
"id": "CVE-2021-22922",
"summary": "When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22922"
},
{
"id": "CVE-2021-22923",
"summary": "When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.",
"scorev2": "2.6",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22923"
},
{
"id": "CVE-2021-22924",
"summary": "libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22924"
},
{
"id": "CVE-2021-22925",
"summary": "curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22925"
},
{
"id": "CVE-2021-22926",
"summary": "libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.If the appliction runs with a current working directory that is writable by other users (like `/tmp`), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22926"
},
{
"id": "CVE-2021-22945",
"summary": "When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*.",
"scorev2": "5.8",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22945"
},
{
"id": "CVE-2021-22946",
"summary": "A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22946"
},
{
"id": "CVE-2021-22947",
"summary": "When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22947"
},
{
"id": "CVE-2022-22576",
"summary": "An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).",
"scorev2": "5.5",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22576"
},
{
"id": "CVE-2022-27774",
"summary": "An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.",
"scorev2": "3.5",
"scorev3": "5.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27774"
},
{
"id": "CVE-2022-27775",
"summary": "An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27775"
},
{
"id": "CVE-2022-27776",
"summary": "A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27776"
},
{
"id": "CVE-2022-27778",
"summary": "A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`.",
"scorev2": "5.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27778"
},
{
"id": "CVE-2022-27779",
"summary": "libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's \"cookie engine\" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27779"
},
{
"id": "CVE-2022-27780",
"summary": "The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a *different* URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters, checks and more.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27780"
},
{
"id": "CVE-2022-27781",
"summary": "libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27781"
},
{
"id": "CVE-2022-27782",
"summary": "libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27782"
},
{
"id": "CVE-2022-30115",
"summary": "Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and *not* using thetrailing dot in the URL.",
"scorev2": "4.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-30115"
},
{
"id": "CVE-2022-32205",
"summary": "A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a \"sister server\" to effectively cause a denial of service for a sibling site on the same second level domain using this method.",
"scorev2": "4.3",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32205"
},
{
"id": "CVE-2022-32206",
"summary": "curl < 7.84.0 supports \"chained\" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a \"malloc bomb\", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32206"
},
{
"id": "CVE-2022-32207",
"summary": "When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32207"
},
{
"id": "CVE-2022-32208",
"summary": "When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32208"
},
{
"id": "CVE-2022-32221",
"summary": "When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32221"
},
{
"id": "CVE-2022-35252",
"summary": "When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\"sister site\" to deny service to all siblings.",
"scorev2": "0.0",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35252"
},
{
"id": "CVE-2022-35260",
"summary": "curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35260"
},
{
"id": "CVE-2022-42915",
"summary": "curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42915"
},
{
"id": "CVE-2022-42916",
"summary": "In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42916"
},
{
"id": "CVE-2022-43551",
"summary": "A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43551"
},
{
"id": "CVE-2022-43552",
"summary": "A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43552"
},
{
"id": "CVE-2023-23914",
"summary": "A cleartext transmission of sensitive information vulnerability exists in curl = 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12049"
},
{
"id": "CVE-2020-35512",
"summary": "A use-after-free flaw was found in D-Bus Development branch <= 1.13.16, dbus-1.12.x stable branch <= 1.12.18, and dbus-1.10.x and older branches <= 1.10.30 when a system has multiple usernames sharing the same UID. When a set of policy rules references these usernames, D-Bus may free some memory in the heap, which is still used by data structures necessary for the other usernames sharing the UID, possibly leading to a crash or other undefined behaviors",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35512"
},
{
"id": "CVE-2022-42010",
"summary": "An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42010"
},
{
"id": "CVE-2022-42011",
"summary": "An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42011"
},
{
"id": "CVE-2022-42012",
"summary": "An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42012"
},
{
"id": "CVE-2023-34969",
"summary": "D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34969"
}
]
},
{
"name": "nativesdk-debugedit",
"layer": "meta",
"version": "5.0",
"products": [
{
"product": "debugedit",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-diffutils",
"layer": "meta",
"version": "3.10",
"products": [
{
"product": "diffutils",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-dtc",
"layer": "meta",
"version": "1.7.0",
"products": [
{
"product": "dtc",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-elfutils",
"layer": "meta",
"version": "0.191",
"products": [
{
"product": "elfutils",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2014-0172",
"summary": "Integer overflow in the check_section function in dwarf_begin_elf.c in the libdw library, as used in elfutils 0.153 and possibly through 0.158 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed compressed debug section in an ELF file, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0172"
},
{
"id": "CVE-2014-9447",
"summary": "Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9447"
},
{
"id": "CVE-2016-10254",
"summary": "The allocate_elf function in common.h in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted ELF file, which triggers a memory allocation failure.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10254"
},
{
"id": "CVE-2016-10255",
"summary": "The __libelf_set_rawdata_wrlock function in elf_getdata.c in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted (1) sh_off or (2) sh_size ELF header value, which triggers a memory allocation failure.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10255"
},
{
"id": "CVE-2017-7607",
"summary": "The handle_gnu_hash function in readelf.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7607"
},
{
"id": "CVE-2017-7608",
"summary": "The ebl_object_note_type_name function in eblobjnotetypename.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7608"
},
{
"id": "CVE-2017-7609",
"summary": "elf_compress.c in elfutils 0.168 does not validate the zlib compression factor, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7609"
},
{
"id": "CVE-2017-7610",
"summary": "The check_group function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7610"
},
{
"id": "CVE-2017-7611",
"summary": "The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7611"
},
{
"id": "CVE-2017-7612",
"summary": "The check_sysv_hash function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7612"
},
{
"id": "CVE-2017-7613",
"summary": "elflint.c in elfutils 0.168 does not validate the number of sections and the number of segments, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7613"
},
{
"id": "CVE-2018-16062",
"summary": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16062"
},
{
"id": "CVE-2018-16402",
"summary": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16402"
},
{
"id": "CVE-2018-16403",
"summary": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16403"
},
{
"id": "CVE-2018-18310",
"summary": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18310"
},
{
"id": "CVE-2018-18520",
"summary": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18520"
},
{
"id": "CVE-2018-18521",
"summary": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18521"
},
{
"id": "CVE-2018-8769",
"summary": "elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8769"
},
{
"id": "CVE-2019-7146",
"summary": "In elfutils 0.175, there is a buffer over-read in the ebl_object_note function in eblobjnote.c in libebl. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted elf file, as demonstrated by eu-readelf.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7146"
},
{
"id": "CVE-2019-7148",
"summary": "An attempted excessive memory allocation was discovered in the function read_long_names in elf_begin.c in libelf in elfutils 0.174. Remote attackers could leverage this vulnerability to cause a denial-of-service via crafted elf input, which leads to an out-of-memory exception. NOTE: The maintainers believe this is not a real issue, but instead a \"warning caused by ASAN because the allocation is big. By setting ASAN_OPTIONS=allocator_may_return_null=1 and running the reproducer, nothing happens.\"",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7148"
},
{
"id": "CVE-2019-7149",
"summary": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7149"
},
{
"id": "CVE-2019-7150",
"summary": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7150"
},
{
"id": "CVE-2019-7664",
"summary": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7664"
},
{
"id": "CVE-2019-7665",
"summary": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7665"
},
{
"id": "CVE-2020-21047",
"summary": "The libcpu component which is used by libasm of elfutils version 0.177 (git 47780c9e), suffers from denial-of-service vulnerability caused by application crashes due to out-of-bounds write (CWE-787), off-by-one error (CWE-193) and reachable assertion (CWE-617); to exploit the vulnerability, the attackers need to craft certain ELF files which bypass the missing bound checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-21047"
},
{
"id": "CVE-2021-33294",
"summary": "In elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c .Which allows attackers to cause a denial of service (infinite loop) via crafted file.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33294"
}
]
},
{
"name": "nativesdk-expat",
"layer": "meta",
"version": "2.6.2",
"products": [
{
"product": "expat",
"cvesInRecord": "No"
},
{
"product": "libexpat",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2009-3560",
"summary": "The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3560"
},
{
"id": "CVE-2009-3720",
"summary": "The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3720"
},
{
"id": "CVE-2012-0876",
"summary": "The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0876"
},
{
"id": "CVE-2012-1147",
"summary": "readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (file descriptor consumption) via a large number of crafted XML files.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1147"
},
{
"id": "CVE-2012-1148",
"summary": "Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1148"
},
{
"id": "CVE-2012-6702",
"summary": "Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6702"
},
{
"id": "CVE-2013-0340",
"summary": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0340"
},
{
"id": "CVE-2015-1283",
"summary": "Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1283"
},
{
"id": "CVE-2016-0718",
"summary": "Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0718"
},
{
"id": "CVE-2016-4472",
"summary": "The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4472"
},
{
"id": "CVE-2016-5300",
"summary": "The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5300"
},
{
"id": "CVE-2017-11742",
"summary": "The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local users to gain privileges via a Trojan horse ADVAPI32.DLL in the current working directory because of an untrusted search path, aka DLL hijacking.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11742"
},
{
"id": "CVE-2017-9233",
"summary": "XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9233"
},
{
"id": "CVE-2018-20843",
"summary": "In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20843"
},
{
"id": "CVE-2019-15903",
"summary": "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15903"
},
{
"id": "CVE-2021-45960",
"summary": "In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).",
"scorev2": "9.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45960"
},
{
"id": "CVE-2021-46143",
"summary": "In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46143"
},
{
"id": "CVE-2022-22822",
"summary": "addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22822"
},
{
"id": "CVE-2022-22823",
"summary": "build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22823"
},
{
"id": "CVE-2022-22824",
"summary": "defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22824"
},
{
"id": "CVE-2022-22825",
"summary": "lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22825"
},
{
"id": "CVE-2022-22826",
"summary": "nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22826"
},
{
"id": "CVE-2022-22827",
"summary": "storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22827"
},
{
"id": "CVE-2022-23852",
"summary": "Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23852"
},
{
"id": "CVE-2022-23990",
"summary": "Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23990"
},
{
"id": "CVE-2022-25235",
"summary": "xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25235"
},
{
"id": "CVE-2022-25236",
"summary": "xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25236"
},
{
"id": "CVE-2022-25313",
"summary": "In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25313"
},
{
"id": "CVE-2022-25314",
"summary": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25314"
},
{
"id": "CVE-2022-25315",
"summary": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25315"
},
{
"id": "CVE-2022-40674",
"summary": "libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40674"
},
{
"id": "CVE-2022-43680",
"summary": "In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43680"
},
{
"id": "CVE-2023-52425",
"summary": "libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52425"
},
{
"id": "CVE-2023-52426",
"summary": "libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52426"
}
]
},
{
"name": "nativesdk-file",
"layer": "meta",
"version": "5.45",
"products": [
{
"product": "file",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2003-0102",
"summary": "Buffer overflow in tryelf() in readelf.c of the file command allows attackers to execute arbitrary code as the user running file, possibly via a large entity size value in an ELF header (elfhdr.e_shentsize).",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0102"
},
{
"id": "CVE-2004-1304",
"summary": "Stack-based buffer overflow in the ELF header parsing code in file before 4.12 allows attackers to execute arbitrary code via a crafted ELF file.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1304"
},
{
"id": "CVE-2007-1536",
"summary": "Integer underflow in the file_printf function in the \"file\" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1536"
},
{
"id": "CVE-2007-2026",
"summary": "The gnu regular expression code in file 4.20 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted document with a large number of line feed characters, which is not well handled by OS/2 REXX regular expressions that use wildcards, as originally reported for AMaViS.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2026"
},
{
"id": "CVE-2007-2799",
"summary": "Integer overflow in the \"file\" program 4.20, when running on 32-bit systems, as used in products including The Sleuth Kit, might allow user-assisted attackers to execute arbitrary code via a large file that triggers an overflow that bypasses an assert() statement. NOTE: this issue is due to an incorrect patch for CVE-2007-1536.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2799"
},
{
"id": "CVE-2009-1515",
"summary": "Heap-based buffer overflow in the cdf_read_sat function in src/cdf.c in Christos Zoulas file 5.00 allows user-assisted remote attackers to execute arbitrary code via a crafted compound document file, as demonstrated by a .msi, .doc, or .mpp file. NOTE: some of these details are obtained from third party information.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1515"
},
{
"id": "CVE-2009-3930",
"summary": "Multiple integer overflows in Christos Zoulas file before 5.02 allow user-assisted remote attackers to have an unspecified impact via a malformed compound document (aka cdf) file that triggers a buffer overflow.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3930"
},
{
"id": "CVE-2012-1571",
"summary": "file before 5.11 and libmagic allow remote attackers to cause a denial of service (crash) via a crafted Composite Document File (CDF) file that triggers (1) an out-of-bounds read or (2) an invalid pointer dereference.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1571"
},
{
"id": "CVE-2013-7345",
"summary": "The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7345"
},
{
"id": "CVE-2014-0207",
"summary": "The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0207"
},
{
"id": "CVE-2014-2270",
"summary": "softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2270"
},
{
"id": "CVE-2014-3478",
"summary": "Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a FILE_PSTRING conversion.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3478"
},
{
"id": "CVE-2014-3479",
"summary": "The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3479"
},
{
"id": "CVE-2014-3480",
"summary": "The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3480"
},
{
"id": "CVE-2014-3487",
"summary": "The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3487"
},
{
"id": "CVE-2014-3538",
"summary": "file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7345.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3538"
},
{
"id": "CVE-2014-3587",
"summary": "Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3587"
},
{
"id": "CVE-2014-8116",
"summary": "The ELF parser (readelf.c) in file before 5.21 allows remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8116"
},
{
"id": "CVE-2014-8117",
"summary": "softmagic.c in file before 5.21 does not properly limit recursion, which allows remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8117"
},
{
"id": "CVE-2014-9620",
"summary": "The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9620"
},
{
"id": "CVE-2014-9621",
"summary": "The ELF parser in file 5.16 through 5.21 allows remote attackers to cause a denial of service via a long string.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9621"
},
{
"id": "CVE-2014-9652",
"summary": "The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9652"
},
{
"id": "CVE-2014-9653",
"summary": "readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9653"
},
{
"id": "CVE-2017-1000249",
"summary": "An issue in file() was introduced in commit 9611f31313a93aa036389c5f3b15eea53510d4d1 (Oct 2016) lets an attacker overwrite a fixed 20 bytes stack buffer with a specially crafted .notes section in an ELF binary. This was fixed in commit 35c94dc6acc418f1ad7f6241a6680e5327495793 (Aug 2017).",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000249"
},
{
"id": "CVE-2018-10360",
"summary": "The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10360"
},
{
"id": "CVE-2019-18218",
"summary": "cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18218"
},
{
"id": "CVE-2019-8904",
"summary": "do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8904"
},
{
"id": "CVE-2019-8905",
"summary": "do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360.",
"scorev2": "3.6",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8905"
},
{
"id": "CVE-2019-8906",
"summary": "do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read because memcpy is misused.",
"scorev2": "3.6",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8906"
},
{
"id": "CVE-2019-8907",
"summary": "do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8907"
},
{
"id": "CVE-2022-48554",
"summary": "File before 5.43 has an stack-based buffer over-read in file_copystr in funcs.c. NOTE: \"File\" is the name of an Open Source project.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48554"
}
]
},
{
"name": "nativesdk-flex",
"layer": "meta",
"version": "2.6.4",
"products": [
{
"product": "flex",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-fontconfig",
"layer": "meta",
"version": "2.15.0",
"products": [
{
"product": "fontconfig",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2016-5384",
"summary": "fontconfig before 2.12.1 does not validate offsets, which allows local users to trigger arbitrary free calls and consequently conduct double free attacks and execute arbitrary code via a crafted cache file.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5384"
}
]
},
{
"name": "nativesdk-freetype",
"layer": "meta",
"version": "2.13.2",
"products": [
{
"product": "freetype",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2006-0747",
"summary": "Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0747"
},
{
"id": "CVE-2006-1861",
"summary": "Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. NOTE: item 4 was originally identified by CVE-2006-2493.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1861"
},
{
"id": "CVE-2006-2661",
"summary": "ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file that triggers a null dereference.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2661"
},
{
"id": "CVE-2006-3467",
"summary": "Integer overflow in FreeType before 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PCF file, as demonstrated by the Red Hat bad1.pcf test file, due to a partial fix of CVE-2006-1861.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3467"
},
{
"id": "CVE-2007-2754",
"summary": "Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2754"
},
{
"id": "CVE-2007-3506",
"summary": "The ft_bitmap_assure_buffer function in src/base/ftbimap.c in FreeType 2.3.3 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors involving bitmap fonts, related to a \"memory buffer overwrite bug.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3506"
},
{
"id": "CVE-2008-1806",
"summary": "Integer overflow in FreeType2 before 2.3.6 allows context-dependent attackers to execute arbitrary code via a crafted set of 16-bit length values within the Private dictionary table in a Printer Font Binary (PFB) file, which triggers a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1806"
},
{
"id": "CVE-2008-1807",
"summary": "FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via an invalid \"number of axes\" field in a Printer Font Binary (PFB) file, which triggers a free of arbitrary memory locations, leading to memory corruption.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1807"
},
{
"id": "CVE-2008-1808",
"summary": "Multiple off-by-one errors in FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via (1) a crafted table in a Printer Font Binary (PFB) file or (2) a crafted SHC instruction in a TrueType Font (TTF) file, which triggers a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1808"
},
{
"id": "CVE-2009-0946",
"summary": "Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0946"
},
{
"id": "CVE-2010-2497",
"summary": "Integer underflow in glyph handling in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2497"
},
{
"id": "CVE-2010-2498",
"summary": "The psh_glyph_find_strong_points function in pshinter/pshalgo.c in FreeType before 2.4.0 does not properly implement hinting masks, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted font file that triggers an invalid free operation.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2498"
},
{
"id": "CVE-2010-2499",
"summary": "Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted LaserWriter PS font file with an embedded PFB fragment.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2499"
},
{
"id": "CVE-2010-2500",
"summary": "Integer overflow in the gray_render_span function in smooth/ftgrays.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2500"
},
{
"id": "CVE-2010-2519",
"summary": "Heap-based buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted length value in a POST fragment header in a font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2519"
},
{
"id": "CVE-2010-2520",
"summary": "Heap-based buffer overflow in the Ins_IUP function in truetype/ttinterp.c in FreeType before 2.4.0, when TrueType bytecode support is enabled, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2520"
},
{
"id": "CVE-2010-2527",
"summary": "Multiple buffer overflows in demo programs in FreeType before 2.4.0 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2527"
},
{
"id": "CVE-2010-2541",
"summary": "Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2541"
},
{
"id": "CVE-2010-2805",
"summary": "The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before 2.4.2 does not properly validate certain position values, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2805"
},
{
"id": "CVE-2010-2806",
"summary": "Array index error in the t42_parse_sfnts function in type42/t42parse.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via negative size values for certain strings in FontType42 font files, leading to a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2806"
},
{
"id": "CVE-2010-2807",
"summary": "FreeType before 2.4.2 uses incorrect integer data types during bounds checking, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2807"
},
{
"id": "CVE-2010-2808",
"summary": "Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Adobe Type 1 Mac Font File (aka LWFN) font.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2808"
},
{
"id": "CVE-2010-3053",
"summary": "bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) via a crafted BDF font file, related to an attempted modification of a value in a static string.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3053"
},
{
"id": "CVE-2010-3054",
"summary": "Unspecified vulnerability in FreeType 2.3.9, and other versions before 2.4.2, allows remote attackers to cause a denial of service via vectors involving nested Standard Encoding Accented Character (aka seac) calls, related to psaux.h, cffgload.c, cffgload.h, and t1decode.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3054"
},
{
"id": "CVE-2010-3311",
"summary": "Integer overflow in base/ftstream.c in libXft (aka the X FreeType library) in FreeType before 2.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Compact Font Format (CFF) font file that triggers a heap-based buffer overflow, related to an \"input stream position error\" issue, a different vulnerability than CVE-2010-1797.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3311"
},
{
"id": "CVE-2010-3814",
"summary": "Heap-based buffer overflow in the Ins_SHZ function in ttinterp.c in FreeType 2.4.3 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted SHZ bytecode instruction, related to TrueType opcodes, as demonstrated by a PDF document with a crafted embedded font.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3814"
},
{
"id": "CVE-2010-3855",
"summary": "Buffer overflow in the ft_var_readpackedpoints function in truetype/ttgxvar.c in FreeType 2.4.3 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TrueType GX font.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3855"
},
{
"id": "CVE-2011-0226",
"summary": "Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0226"
},
{
"id": "CVE-2011-2895",
"summary": "The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2895"
},
{
"id": "CVE-2012-1126",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a BDF font.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1126"
},
{
"id": "CVE-2012-1127",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1127"
},
{
"id": "CVE-2012-1128",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (NULL pointer dereference and memory corruption) or possibly execute arbitrary code via a crafted TrueType font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1128"
},
{
"id": "CVE-2012-1129",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted SFNT string in a Type 42 font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1129"
},
{
"id": "CVE-2012-1130",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a PCF font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1130"
},
{
"id": "CVE-2012-1131",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, on 64-bit platforms allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors related to the cell table of a font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1131"
},
{
"id": "CVE-2012-1132",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted dictionary data in a Type 1 font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1132"
},
{
"id": "CVE-2012-1133",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1133"
},
{
"id": "CVE-2012-1134",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted private-dictionary data in a Type 1 font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1134"
},
{
"id": "CVE-2012-1135",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the NPUSHB and NPUSHW instructions in a TrueType font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1135"
},
{
"id": "CVE-2012-1136",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font that lacks an ENCODING field.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1136"
},
{
"id": "CVE-2012-1137",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted header in a BDF font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1137"
},
{
"id": "CVE-2012-1138",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the MIRP instruction in a TrueType font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1138"
},
{
"id": "CVE-2012-1139",
"summary": "Array index error in FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid stack read operation and memory corruption) or possibly execute arbitrary code via crafted glyph data in a BDF font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1139"
},
{
"id": "CVE-2012-1140",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted PostScript font object.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1140"
},
{
"id": "CVE-2012-1141",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted ASCII string in a BDF font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1141"
},
{
"id": "CVE-2012-1142",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph-outline data in a font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1142"
},
{
"id": "CVE-2012-1143",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted font.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1143"
},
{
"id": "CVE-2012-1144",
"summary": "FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via a crafted TrueType font.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1144"
},
{
"id": "CVE-2012-5668",
"summary": "FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to BDF fonts and the improper handling of an \"allocation error\" in the bdf_free_font function.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5668"
},
{
"id": "CVE-2012-5669",
"summary": "The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to BDF fonts and an incorrect calculation that triggers an out-of-bounds read.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5669"
},
{
"id": "CVE-2012-5670",
"summary": "The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) via vectors related to BDF fonts and an ENCODING field with a negative value.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5670"
},
{
"id": "CVE-2014-2240",
"summary": "Stack-based buffer overflow in the cf2_hintmap_build function in cff/cf2hints.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of stem hints in a font file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2240"
},
{
"id": "CVE-2014-2241",
"summary": "The (1) cf2_initLocalRegionBuffer and (2) cf2_initGlobalRegionBuffer functions in cff/cf2ft.c in FreeType before 2.5.3 do not properly check if a subroutine exists, which allows remote attackers to cause a denial of service (assertion failure), as demonstrated by a crafted ttf file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2241"
},
{
"id": "CVE-2014-9656",
"summary": "The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType before 2.5.4 does not properly check for an integer overflow, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted OpenType font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9656"
},
{
"id": "CVE-2014-9657",
"summary": "The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4 does not establish a minimum record size, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9657"
},
{
"id": "CVE-2014-9658",
"summary": "The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5.4 enforces an incorrect minimum table length, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9658"
},
{
"id": "CVE-2014-9659",
"summary": "cff/cf2intrp.c in the CFF CharString interpreter in FreeType before 2.5.4 proceeds with additional hints after the hint mask has been computed, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted OpenType font. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2240.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9659"
},
{
"id": "CVE-2014-9660",
"summary": "The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before 2.5.4 does not properly handle a missing ENDCHAR record, which allows remote attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted BDF font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9660"
},
{
"id": "CVE-2014-9661",
"summary": "type42/t42parse.c in FreeType before 2.5.4 does not consider that scanning can be incomplete without triggering an error, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted Type42 font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9661"
},
{
"id": "CVE-2014-9662",
"summary": "cff/cf2ft.c in FreeType before 2.5.4 does not validate the return values of point-allocation functions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted OTF font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9662"
},
{
"id": "CVE-2014-9663",
"summary": "The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before 2.5.4 validates a certain length field before that field's value is completely calculated, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted cmap SFNT table.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9663"
},
{
"id": "CVE-2014-9664",
"summary": "FreeType before 2.5.4 does not check for the end of the data during certain parsing actions, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted Type42 font, related to type42/t42parse.c and type1/t1load.c.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9664"
},
{
"id": "CVE-2014-9665",
"summary": "The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 does not restrict the rows and pitch values of PNG data, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact by embedding a PNG file in a .ttf font file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9665"
},
{
"id": "CVE-2014-9666",
"summary": "The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4 proceeds with a count-to-size association without restricting the count value, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted embedded bitmap.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9666"
},
{
"id": "CVE-2014-9667",
"summary": "sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting the values, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted SFNT table.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9667"
},
{
"id": "CVE-2014-9668",
"summary": "The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting length values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Web Open Font Format (WOFF) file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9668"
},
{
"id": "CVE-2014-9669",
"summary": "Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (out-of-bounds read or memory corruption) or possibly have unspecified other impact via a crafted cmap SFNT table.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9669"
},
{
"id": "CVE-2014-9670",
"summary": "Multiple integer signedness errors in the pcf_get_encodings function in pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (integer overflow, NULL pointer dereference, and application crash) via a crafted PCF file that specifies negative values for the first column and first row.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9670"
},
{
"id": "CVE-2014-9671",
"summary": "Off-by-one error in the pcf_get_properties function in pcf/pcfread.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PCF file with a 0xffffffff size value that is improperly incremented.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9671"
},
{
"id": "CVE-2014-9672",
"summary": "Array index error in the parse_fond function in base/ftmac.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information from process memory via a crafted FOND resource in a Mac font file.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9672"
},
{
"id": "CVE-2014-9673",
"summary": "Integer signedness error in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9673"
},
{
"id": "CVE-2014-9674",
"summary": "The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 proceeds with adding to length values without validating the original values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9674"
},
{
"id": "CVE-2014-9675",
"summary": "bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only verifying that an initial substring is present, which allows remote attackers to discover heap pointer values and bypass the ASLR protection mechanism via a crafted BDF font.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9675"
},
{
"id": "CVE-2014-9745",
"summary": "The parse_encoding function in type1/t1load.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (infinite loop) via a \"broken number-with-base\" in a Postscript stream, as demonstrated by 8#garbage.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9745"
},
{
"id": "CVE-2014-9746",
"summary": "The (1) t1_parse_font_matrix function in type1/t1load.c, (2) cid_parse_font_matrix function in cid/cidload.c, (3) t42_parse_font_matrix function in type42/t42parse.c, and (4) ps_parser_load_field function in psaux/psobjs.c in FreeType before 2.5.4 do not check return values, which allows remote attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted font.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9746"
},
{
"id": "CVE-2014-9747",
"summary": "The t42_parse_encoding function in type42/t42parse.c in FreeType before 2.5.4 does not properly update the current position for immediates-only mode, which allows remote attackers to cause a denial of service (infinite loop) via a Type42 font.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9747"
},
{
"id": "CVE-2015-9290",
"summary": "In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c on function T1_Get_Private_Dict where there is no check that the new values of cur and limit are sensible before going to Again.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9290"
},
{
"id": "CVE-2015-9381",
"summary": "FreeType before 2.6.1 has a heap-based buffer over-read in T1_Get_Private_Dict in type1/t1parse.c.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9381"
},
{
"id": "CVE-2015-9382",
"summary": "FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9382"
},
{
"id": "CVE-2015-9383",
"summary": "FreeType before 2.6.2 has a heap-based buffer over-read in tt_cmap14_validate in sfnt/ttcmap.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9383"
},
{
"id": "CVE-2016-10244",
"summary": "The parse_charstrings function in type1/t1load.c in FreeType 2 before 2.7 does not ensure that a font contains a glyph name, which allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10244"
},
{
"id": "CVE-2016-10328",
"summary": "FreeType 2 before 2016-12-16 has an out-of-bounds write caused by a heap-based buffer overflow related to the cff_parser_run function in cff/cffparse.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10328"
},
{
"id": "CVE-2017-7857",
"summary": "FreeType 2 before 2017-03-08 has an out-of-bounds write caused by a heap-based buffer overflow related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7857"
},
{
"id": "CVE-2017-7858",
"summary": "FreeType 2 before 2017-03-07 has an out-of-bounds write related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7858"
},
{
"id": "CVE-2017-7864",
"summary": "FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a heap-based buffer overflow related to the tt_size_reset function in truetype/ttobjs.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7864"
},
{
"id": "CVE-2017-8105",
"summary": "FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8105"
},
{
"id": "CVE-2017-8287",
"summary": "FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_contour function in psaux/psobjs.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8287"
},
{
"id": "CVE-2018-6942",
"summary": "An issue was discovered in FreeType 2 through 2.9. A NULL pointer dereference in the Ins_GETVARIATION() function within ttinterp.c could lead to DoS via a crafted font file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6942"
},
{
"id": "CVE-2020-15999",
"summary": "Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15999"
},
{
"id": "CVE-2022-27404",
"summary": "FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27404"
},
{
"id": "CVE-2022-27405",
"summary": "FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27405"
},
{
"id": "CVE-2022-27406",
"summary": "FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27406"
}
]
},
{
"name": "nativesdk-fribidi",
"layer": "meta",
"version": "1.0.13",
"products": [
{
"product": "gnu_fribidi",
"cvesInRecord": "Yes"
},
{
"product": "fribidi",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2010-3444",
"summary": "Buffer overflow in the log2vis_utf8 function in pyfribidi.c in GNU FriBidi 0.19.1, 0.19.2, and possibly other versions, as used in PyFriBidi 0.10.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted Arabic UTF-8 string that causes original 2-byte UTF-8 sequences to be transformed into 3-byte sequences.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3444"
},
{
"id": "CVE-2019-18397",
"summary": "A buffer overflow in the fribidi_get_par_embedding_levels_ex() function in lib/fribidi-bidi.c of GNU FriBidi through 1.0.7 allows an attacker to cause a denial of service or possibly execute arbitrary code by delivering crafted text content to a user, when this content is then rendered by an application that uses FriBidi for text layout calculations. Examples include any GNOME or GTK+ based application that uses Pango for text layout, as this internally uses FriBidi for bidirectional text layout. For example, the attacker can construct a crafted text file to be opened in GEdit, or a crafted IRC message to be viewed in HexChat.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18397"
},
{
"id": "CVE-2022-25308",
"summary": "A stack-based buffer overflow flaw was found in the Fribidi package. This flaw allows an attacker to pass a specially crafted file to the Fribidi application, which leads to a possible memory leak or a denial of service.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25308"
},
{
"id": "CVE-2022-25309",
"summary": "A heap-based buffer overflow flaw was found in the Fribidi package and affects the fribidi_cap_rtl_to_unicode() function of the fribidi-char-sets-cap-rtl.c file. This flaw allows an attacker to pass a specially crafted file to the Fribidi application with the '--caprtl' option, leading to a crash and causing a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25309"
},
{
"id": "CVE-2022-25310",
"summary": "A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bidi_marks() function of the lib/fribidi.c file. This flaw allows an attacker to pass a specially crafted file to Fribidi, leading to a crash and causing a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25310"
}
]
},
{
"name": "nativesdk-gcc-runtime",
"layer": "meta",
"version": "13.2.0",
"products": [
{
"product": "gcc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-1439",
"summary": "gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1439"
},
{
"id": "CVE-2000-1219",
"summary": "The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-1219"
},
{
"id": "CVE-2002-2439",
"summary": "Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-2439"
},
{
"id": "CVE-2006-1902",
"summary": "fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is \"not correctly interpreting an offset to a pointer as a signed value.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1902"
},
{
"id": "CVE-2008-1367",
"summary": "gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1367"
},
{
"id": "CVE-2008-1685",
"summary": "gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999)",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1685"
},
{
"id": "CVE-2013-4598",
"summary": "The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4598"
},
{
"id": "CVE-2015-5276",
"summary": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5276"
},
{
"id": "CVE-2017-11671",
"summary": "Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11671"
},
{
"id": "CVE-2018-12886",
"summary": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12886"
},
{
"id": "CVE-2019-15847",
"summary": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847"
},
{
"id": "CVE-2021-37322",
"summary": "GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37322",
"detail": "cpe-incorrect",
"description": "Is a binutils 2.26 issue, not gcc"
},
{
"id": "CVE-2021-3826",
"summary": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826"
},
{
"id": "CVE-2021-46195",
"summary": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195"
},
{
"id": "CVE-2022-27943",
"summary": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943"
},
{
"id": "CVE-2023-4039",
"summary": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "4.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039",
"detail": "fixed-version",
"description": "Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source"
}
]
},
{
"name": "nativesdk-gdbm",
"layer": "meta",
"version": "1.23",
"products": [
{
"product": "gdbm",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-gdk-pixbuf",
"layer": "meta",
"version": "2.42.10",
"products": [
{
"product": "gdk-pixbuf",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2011-2485",
"summary": "The gdk_pixbuf__gif_image_load function in gdk-pixbuf/io-gif.c in gdk-pixbuf before 2.23.5 does not properly handle certain return values, which allows remote attackers to cause a denial of service (memory consumption) via a crafted GIF image file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2485"
},
{
"id": "CVE-2011-2897",
"summary": "gdk-pixbuf through 2.31.1 has GIF loader buffer overflow when initializing decompression tables due to an input validation flaw",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2897"
},
{
"id": "CVE-2012-2370",
"summary": "Multiple integer overflows in the read_bitmap_file_data function in io-xbm.c in gdk-pixbuf before 2.26.1 allow remote attackers to cause a denial of service (application crash) via a negative (1) height or (2) width in an XBM file, which triggers a heap-based buffer overflow.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2370"
},
{
"id": "CVE-2015-4491",
"summary": "Integer overflow in the make_filter_table function in pixops/pixops.c in gdk-pixbuf before 2.31.5, as used in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 on Linux, Google Chrome on Linux, and other products, allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow and application crash) via crafted bitmap dimensions that are mishandled during scaling.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4491"
},
{
"id": "CVE-2015-7673",
"summary": "io-tga.c in gdk-pixbuf before 2.32.0 uses heap memory after its allocation failed, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) and possibly execute arbitrary code via a crafted Truevision TGA (TARGA) file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7673"
},
{
"id": "CVE-2015-7674",
"summary": "Integer overflow in the pixops_scale_nearest function in pixops/pixops.c in gdk-pixbuf before 2.32.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted GIF image file, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7674"
},
{
"id": "CVE-2015-8875",
"summary": "Multiple integer overflows in the (1) pixops_composite_nearest, (2) pixops_composite_color_nearest, and (3) pixops_process functions in pixops/pixops.c in gdk-pixbuf before 2.33.1 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted image, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8875"
},
{
"id": "CVE-2016-6352",
"summary": "The OneLine32 function in io-ico.c in gdk-pixbuf before 2.35.3 allows remote attackers to cause a denial of service (out-of-bounds write and crash) via crafted dimensions in an ICO file.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6352"
},
{
"id": "CVE-2017-1000422",
"summary": "Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer overflow in the gif_get_lzw function resulting in memory corruption and potential code execution",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000422"
},
{
"id": "CVE-2017-12447",
"summary": "GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3 on Ubuntu 16.04, allows attackers to cause a denial of service (stack corruption) or possibly have unspecified other impact via a crafted file folder.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12447"
},
{
"id": "CVE-2017-2862",
"summary": "An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or url to trigger this vulnerability.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2862"
},
{
"id": "CVE-2017-2870",
"summary": "An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2870"
},
{
"id": "CVE-2017-6311",
"summary": "gdk-pixbuf-thumbnailer.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to printing an error message.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6311"
},
{
"id": "CVE-2017-6312",
"summary": "Integer overflow in io-ico.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted image entry offset in an ICO file, which triggers an out-of-bounds read, related to compiler optimizations.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6312"
},
{
"id": "CVE-2017-6313",
"summary": "Integer underflow in the load_resources function in io-icns.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (out-of-bounds read and program crash) via a crafted image entry size in an ICO file.",
"scorev2": "5.8",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6313"
},
{
"id": "CVE-2017-6314",
"summary": "The make_available_at_least function in io-tiff.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (infinite loop) via a large TIFF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6314"
},
{
"id": "CVE-2020-29385",
"summary": "GNOME gdk-pixbuf (aka GdkPixbuf) before 2.42.2 allows a denial of service (infinite loop) in lzw.c in the function write_indexes. if c->self_code equals 10, self->code_table[10].extends will assign the value 11 to c. The next execution in the loop will assign self->code_table[11].extends to c, which will give the value of 10. This will make the loop run infinitely. This bug can, for example, be triggered by calling this function with a GIF image with LZW compression that is crafted in a special way.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29385"
},
{
"id": "CVE-2021-20240",
"summary": "A flaw was found in gdk-pixbuf in versions before 2.42.0. An integer wraparound leading to an out of bounds write can occur when a crafted GIF image is loaded. An attacker may cause applications to crash or could potentially execute code on the victim system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "8.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20240"
},
{
"id": "CVE-2021-46829",
"summary": "GNOME GdkPixbuf (aka GDK-PixBuf) before 2.42.8 allows a heap-based buffer overflow when compositing or clearing frames in GIF files, as demonstrated by io-gif-animation.c composite_frame. This overflow is controllable and could be abused for code execution, especially on 32-bit systems.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46829"
}
]
},
{
"name": "nativesdk-gettext",
"layer": "meta",
"version": "0.22.5",
"products": [
{
"product": "gettext",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0966",
"summary": "The (1) autopoint and (2) gettextize scripts in the GNU gettext package 1.14 and later versions, as used in Trustix Secure Linux 1.5 through 2.1 and other operating systems, allows local users to overwrite files via a symlink attack on temporary files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0966"
},
{
"id": "CVE-2018-18751",
"summary": "An issue was discovered in GNU gettext 0.19.8. There is a double free in default_add_message in read-catalog.c, related to an invalid free in po_gram_parse in po-gram-gen.y, as demonstrated by lt-msgfmt.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18751"
}
]
},
{
"name": "nativesdk-glib-2.0",
"layer": "meta",
"version": "1_2.78.6",
"products": [
{
"product": "glib",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2008-4316",
"summary": "Multiple integer overflows in glib/gbase64.c in GLib before 2.20 allow context-dependent attackers to execute arbitrary code via a long string that is converted either (1) from or (2) to a base64 representation.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4316"
},
{
"id": "CVE-2009-3289",
"summary": "The g_file_copy function in glib 2.0 sets the permissions of a target file to the permissions of a symbolic link (777), which allows user-assisted local users to modify files of other users, as demonstrated by using Nautilus to modify the permissions of the user home directory.",
"scorev2": "4.4",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3289"
},
{
"id": "CVE-2012-0039",
"summary": "GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0039"
},
{
"id": "CVE-2018-16428",
"summary": "In GNOME GLib 2.56.1, g_markup_parse_context_end_parse() in gmarkup.c has a NULL pointer dereference.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16428"
},
{
"id": "CVE-2018-16429",
"summary": "GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse() in gmarkup.c, related to utf8_str().",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16429"
},
{
"id": "CVE-2019-12450",
"summary": "file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12450"
},
{
"id": "CVE-2019-13012",
"summary": "The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir, NULL, NULL) and files using g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it does not properly restrict directory (and file) permissions. Instead, for directories, 0777 permissions are used; for files, default file permissions are used. This is similar to CVE-2019-12450.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13012"
},
{
"id": "CVE-2019-9633",
"summary": "gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service (g_socket_client_connected_callback mishandling and application crash) via a crafted web site, as demonstrated by GNOME Web (aka Epiphany).",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9633"
},
{
"id": "CVE-2020-35457",
"summary": "GNOME GLib before 2.65.3 has an integer overflow, that might lead to an out-of-bounds write, in g_option_group_add_entries. NOTE: the vendor's position is \"Realistically this is not a security issue. The standard pattern is for callers to provide a static list of option entries in a fixed number of calls to g_option_group_add_entries().\" The researcher states that this pattern is undocumented",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35457"
},
{
"id": "CVE-2020-6750",
"summary": "GSocketClient in GNOME GLib through 2.62.4 may occasionally connect directly to a target address instead of connecting via a proxy server when configured to do so, because the proxy_addr field is mishandled. This bug is timing-dependent and may occur only sporadically depending on network delays. The greatest security relevance is in use cases where a proxy is used to help with privacy/anonymity, even though there is no technical barrier to a direct connection. NOTE: versions before 2.60 are unaffected.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-6750"
},
{
"id": "CVE-2021-27218",
"summary": "An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27218"
},
{
"id": "CVE-2021-27219",
"summary": "An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27219"
},
{
"id": "CVE-2021-28153",
"summary": "An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28153"
},
{
"id": "CVE-2021-3800",
"summary": "A flaw was found in glib before version 2.63.6. Due to random charset alias, pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3800"
},
{
"id": "CVE-2023-29499",
"summary": "A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, leading to denial of service.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29499"
},
{
"id": "CVE-2023-32611",
"summary": "A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32611"
},
{
"id": "CVE-2023-32636",
"summary": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32636"
},
{
"id": "CVE-2023-32643",
"summary": "A flaw was found in GLib. The GVariant deserialization code is vulnerable to a heap buffer overflow introduced by the fix for CVE-2023-32665. This bug does not affect any released version of GLib, but does affect GLib distributors who followed the guidance of GLib developers to backport the initial fix for CVE-2023-32665.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32643"
},
{
"id": "CVE-2023-32665",
"summary": "A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32665"
}
]
},
{
"name": "nativesdk-glibc",
"layer": "meta",
"version": "2.39+git",
"products": [
{
"product": "glibc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-0199",
"summary": "manual/search.texi in the GNU C Library (aka glibc) before 2.2 lacks a statement about the unspecified tdelete return value upon deletion of a tree's root, which might allow attackers to access a dangling pointer in an application whose developer was unaware of a documentation update from 1999.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0199"
},
{
"id": "CVE-2000-0335",
"summary": "The resolver in glibc 2.1.3 uses predictable IDs, which allows a local attacker to spoof DNS query results.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0335"
},
{
"id": "CVE-2000-0824",
"summary": "The unsetenv function in glibc 2.1.1 does not properly unset an environmental variable if the variable is provided twice to a program, which could allow local users to execute arbitrary commands in setuid programs by specifying their own duplicate environmental variables such as LD_PRELOAD or LD_LIBRARY_PATH.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0824"
},
{
"id": "CVE-2000-0959",
"summary": "glibc2 does not properly clear the LD_DEBUG_OUTPUT and LD_DEBUG environmental variables when a program is spawned from a setuid program, which could allow local users to overwrite files via a symlink attack.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0959"
},
{
"id": "CVE-2002-0684",
"summary": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684"
},
{
"id": "CVE-2002-1146",
"summary": "The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary (\"read buffer overflow\"), allowing remote attackers to cause a denial of service (crash).",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1146"
},
{
"id": "CVE-2002-1265",
"summary": "The Sun RPC functionality in multiple libc implementations does not provide a time-out mechanism when reading data from TCP connections, which allows remote attackers to cause a denial of service (hang).",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1265"
},
{
"id": "CVE-2003-0028",
"summary": "Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0028"
},
{
"id": "CVE-2003-0859",
"summary": "The getifaddrs function in GNU libc (glibc) 2.2.4 and earlier allows local users to cause a denial of service by sending spoofed messages as other users to the kernel netlink interface.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0859"
},
{
"id": "CVE-2004-0968",
"summary": "The catchsegv script in glibc 2.3.2 and earlier allows local users to overwrite files via a symlink attack on temporary files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0968"
},
{
"id": "CVE-2004-1382",
"summary": "The glibcbug script in glibc 2.3.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CVE-2004-0968.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1382"
},
{
"id": "CVE-2004-1453",
"summary": "GNU glibc 2.3.4 before 2.3.4.20040619, 2.3.3 before 2.3.3.20040420, and 2.3.2 before 2.3.2-r10 does not restrict the use of LD_DEBUG for a setuid program, which allows local users to gain sensitive information, such as the list of symbols used by the program.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1453"
},
{
"id": "CVE-2005-3590",
"summary": "The getgrouplist function in the GNU C library (glibc) before version 2.3.5, when invoked with a zero argument, writes to the passed pointer even if the specified array size is zero, leading to a buffer overflow and potentially allowing attackers to corrupt memory.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3590"
},
{
"id": "CVE-2006-7254",
"summary": "The nscd daemon in the GNU C Library (glibc) before version 2.5 does not close incoming client sockets if they cannot be handled by the daemon, allowing local users to carry out a denial of service attack on the daemon.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7254"
},
{
"id": "CVE-2007-3508",
"summary": "Integer overflow in the process_envvars function in elf/rtld.c in glibc before 2.5-rc4 might allow local users to execute arbitrary code via a large LD_HWCAP_MASK environment variable value. NOTE: the glibc maintainers state that they do not believe that this issue is exploitable for code execution",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3508"
},
{
"id": "CVE-2009-4880",
"summary": "Multiple integer overflows in the strfmon implementation in the GNU C Library (aka glibc or libc6) 2.10.1 and earlier allow context-dependent attackers to cause a denial of service (memory consumption or application crash) via a crafted format string, as demonstrated by a crafted first argument to the money_format function in PHP, a related issue to CVE-2008-1391.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4880"
},
{
"id": "CVE-2009-4881",
"summary": "Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in the strfmon implementation in the GNU C Library (aka glibc or libc6) before 2.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted format string, as demonstrated by the %99999999999999999999n string, a related issue to CVE-2008-1391.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4881"
},
{
"id": "CVE-2009-5029",
"summary": "Integer overflow in the __tzfile_read function in glibc before 2.15 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted timezone (TZ) file, as demonstrated using vsftpd.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5029"
},
{
"id": "CVE-2009-5064",
"summary": "ldd in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows local users to gain privileges via a Trojan horse executable file linked with a modified loader that omits certain LD_TRACE_LOADED_OBJECTS checks. NOTE: the GNU C Library vendor states \"This is just nonsense. There are a gazillion other ways to introduce code if people are downloading arbitrary binaries and install them in appropriate directories or set LD_LIBRARY_PATH etc.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5064"
},
{
"id": "CVE-2009-5155",
"summary": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5155"
},
{
"id": "CVE-2010-0015",
"summary": "nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0015"
},
{
"id": "CVE-2010-0296",
"summary": "The encode_name macro in misc/mntent_r.c in the GNU C Library (aka glibc or libc6) 2.11.1 and earlier, as used by ncpmount and mount.cifs, does not properly handle newline characters in mountpoint names, which allows local users to cause a denial of service (mtab corruption), or possibly modify mount options and gain privileges, via a crafted mount request.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0296"
},
{
"id": "CVE-2010-0830",
"summary": "Integer signedness error in the elf_get_dynamic_info function in elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6) 2.0.1 through 2.11.1, when the --verify option is used, allows user-assisted remote attackers to execute arbitrary code via a crafted ELF program with a negative value for a certain d_tag structure member in the ELF header.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0830"
},
{
"id": "CVE-2010-3192",
"summary": "Certain run-time memory protection mechanisms in the GNU C Library (aka glibc or libc6) print argv[0] and backtrace information, which might allow context-dependent attackers to obtain sensitive information from process memory by executing an incorrect program, as demonstrated by a setuid program that contains a stack-based buffer overflow error, related to the __fortify_fail function in debug/fortify_fail.c, and the __stack_chk_fail (aka stack protection) and __chk_fail (aka FORTIFY_SOURCE) implementations.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3192"
},
{
"id": "CVE-2010-3847",
"summary": "elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3847"
},
{
"id": "CVE-2010-3856",
"summary": "ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable to reference dynamic shared objects (DSOs) as audit objects, which allows local users to gain privileges by leveraging an unsafe DSO located in a trusted library directory, as demonstrated by libpcprofile.so.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3856"
},
{
"id": "CVE-2010-4051",
"summary": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4051"
},
{
"id": "CVE-2010-4052",
"summary": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4052"
},
{
"id": "CVE-2010-4756",
"summary": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4756"
},
{
"id": "CVE-2011-0536",
"summary": "Multiple untrusted search path vulnerabilities in elf/dl-object.c in certain modified versions of the GNU C Library (aka glibc or libc6), including glibc-2.5-49.el5_5.6 and glibc-2.12-1.7.el6_0.3 in Red Hat Enterprise Linux, allow local users to gain privileges via a crafted dynamic shared object (DSO) in a subdirectory of the current working directory during execution of a (1) setuid or (2) setgid program that has $ORIGIN in (a) RPATH or (b) RUNPATH within the program itself or a referenced library. NOTE: this issue exists because of an incorrect fix for CVE-2010-3847.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0536"
},
{
"id": "CVE-2011-1071",
"summary": "The GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIBC (EGLIBC) allow context-dependent attackers to execute arbitrary code or cause a denial of service (memory consumption) via a long UTF8 string that is used in an fnmatch call, aka a \"stack extension attack,\" a related issue to CVE-2010-2898, CVE-2010-1917, and CVE-2007-4782, as originally reported for use of this library by Google Chrome.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1071"
},
{
"id": "CVE-2011-1089",
"summary": "The addmntent function in the GNU C Library (aka glibc or libc6) 2.13 and earlier does not report an error status for failed attempts to write to the /etc/mtab file, which makes it easier for local users to trigger corruption of this file, as demonstrated by writes from a process with a small RLIMIT_FSIZE value, a different vulnerability than CVE-2010-0296.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1089"
},
{
"id": "CVE-2011-1095",
"summary": "locale/programs/locale.c in locale in the GNU C Library (aka glibc or libc6) before 2.13 does not quote its output, which might allow local users to gain privileges via a crafted localization environment variable, in conjunction with a program that executes a script that uses the eval function.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1095"
},
{
"id": "CVE-2011-1658",
"summary": "ld.so in the GNU C Library (aka glibc or libc6) 2.13 and earlier expands the $ORIGIN dynamic string token when RPATH is composed entirely of this token, which might allow local users to gain privileges by creating a hard link in an arbitrary directory to a (1) setuid or (2) setgid program with this RPATH value, and then executing the program with a crafted value for the LD_PRELOAD environment variable, a different vulnerability than CVE-2010-3847 and CVE-2011-0536. NOTE: it is not expected that any standard operating-system distribution would ship an applicable setuid or setgid program.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1658"
},
{
"id": "CVE-2011-1659",
"summary": "Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long UTF8 string that is used in an fnmatch call with a crafted pattern argument, a different vulnerability than CVE-2011-1071.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1659"
},
{
"id": "CVE-2011-2702",
"summary": "Integer signedness error in Glibc before 2.13 and eglibc before 2.13, when using Supplemental Streaming SIMD Extensions 3 (SSSE3) optimization, allows context-dependent attackers to execute arbitrary code via a negative length parameter to (1) memcpy-ssse3-rep.S, (2) memcpy-ssse3.S, or (3) memset-sse2.S in sysdeps/i386/i686/multiarch/, which triggers an out-of-bounds read, as demonstrated using the memcpy function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2702"
},
{
"id": "CVE-2011-4609",
"summary": "The svc_run function in the RPC implementation in glibc before 2.15 allows remote attackers to cause a denial of service (CPU consumption) via a large number of RPC connections.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4609"
},
{
"id": "CVE-2011-5320",
"summary": "scanf and related functions in glibc before 2.15 allow local users to cause a denial of service (segmentation fault) via a large string of 0s.",
"scorev2": "2.1",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-5320"
},
{
"id": "CVE-2012-0864",
"summary": "Integer overflow in the vfprintf function in stdio-common/vfprintf.c in glibc 2.14 and other versions allows context-dependent attackers to bypass the FORTIFY_SOURCE protection mechanism, conduct format string attacks, and write to arbitrary memory via a large number of arguments.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0864"
},
{
"id": "CVE-2012-3404",
"summary": "The vfprintf function in stdio-common/vfprintf.c in libc in GNU C Library (aka glibc) 2.12 and other versions does not properly calculate a buffer length, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (stack corruption and crash) via a format string that uses positional parameters and many format specifiers.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3404"
},
{
"id": "CVE-2012-3405",
"summary": "The vfprintf function in stdio-common/vfprintf.c in libc in GNU C Library (aka glibc) 2.14 and other versions does not properly calculate a buffer length, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (segmentation fault and crash) via a format string with a large number of format specifiers that triggers \"desynchronization within the buffer size handling,\" a different vulnerability than CVE-2012-3404.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3405"
},
{
"id": "CVE-2012-3406",
"summary": "The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not \"properly restrict the use of\" the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404 and CVE-2012-3405.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3406"
},
{
"id": "CVE-2012-3480",
"summary": "Multiple integer overflows in the (1) strtod, (2) strtof, (3) strtold, (4) strtod_l, and other unspecified \"related functions\" in stdlib in GNU C Library (aka glibc or libc6) 2.16 allow local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3480"
},
{
"id": "CVE-2012-4412",
"summary": "Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4412"
},
{
"id": "CVE-2012-4424",
"summary": "Stack-based buffer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4424"
},
{
"id": "CVE-2012-6656",
"summary": "iconvdata/ibm930.c in GNU C Library (aka glibc) before 2.16 allows context-dependent attackers to cause a denial of service (out-of-bounds read) via a multibyte character value of \"0xffff\" to the iconv function when converting IBM930 encoded data to UTF-8.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6656"
},
{
"id": "CVE-2013-0242",
"summary": "Buffer overflow in the extend_buffers function in the regular expression matcher (posix/regexec.c) in glibc, possibly 2.17 and earlier, allows context-dependent attackers to cause a denial of service (memory corruption and crash) via crafted multibyte characters.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0242"
},
{
"id": "CVE-2013-1914",
"summary": "Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.17 and earlier allows remote attackers to cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of domain conversion results.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1914"
},
{
"id": "CVE-2013-2207",
"summary": "pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not properly check permissions for tty files, which allows local users to change the permission on the files and obtain access to arbitrary pseudo-terminals by leveraging a FUSE file system.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2207"
},
{
"id": "CVE-2013-4237",
"summary": "sysdeps/posix/readdir_r.c in the GNU C Library (aka glibc or libc6) 2.18 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted (1) NTFS or (2) CIFS image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4237"
},
{
"id": "CVE-2013-4332",
"summary": "Multiple integer overflows in malloc/malloc.c in the GNU C Library (aka glibc or libc6) 2.18 and earlier allow context-dependent attackers to cause a denial of service (heap corruption) via a large value to the (1) pvalloc, (2) valloc, (3) posix_memalign, (4) memalign, or (5) aligned_alloc functions.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4332"
},
{
"id": "CVE-2013-4458",
"summary": "Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.18 and earlier allows remote attackers to cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of AF_INET6 address results. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1914.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4458"
},
{
"id": "CVE-2013-4788",
"summary": "The PTR_MANGLE implementation in the GNU C Library (aka glibc or libc6) 2.4, 2.17, and earlier, and Embedded GLIBC (EGLIBC) does not initialize the random value for the pointer guard, which makes it easier for context-dependent attackers to control execution flow by leveraging a buffer-overflow vulnerability in an application and using the known zero value pointer guard to calculate a pointer address.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4788"
},
{
"id": "CVE-2013-7423",
"summary": "The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7423"
},
{
"id": "CVE-2013-7424",
"summary": "The getaddrinfo function in glibc before 2.15, when compiled with libidn and the AI_IDN flag is used, allows context-dependent attackers to cause a denial of service (invalid free) and possibly execute arbitrary code via unspecified vectors, as demonstrated by an internationalized domain name to ping6.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7424"
},
{
"id": "CVE-2014-0475",
"summary": "Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0475"
},
{
"id": "CVE-2014-4043",
"summary": "The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4043"
},
{
"id": "CVE-2014-5119",
"summary": "Off-by-one error in the __gconv_translit_find function in gconv_trans.c in GNU C Library (aka glibc) allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via vectors related to the CHARSET environment variable and gconv transliteration modules.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5119"
},
{
"id": "CVE-2014-6040",
"summary": "GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of \"0xffff\" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-6040"
},
{
"id": "CVE-2014-7817",
"summary": "The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing \"$((`...`))\".",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7817"
},
{
"id": "CVE-2014-8121",
"summary": "DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up on a database while iterating over it, which triggers the file pointer to be reset.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8121"
},
{
"id": "CVE-2014-9402",
"summary": "The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9402"
},
{
"id": "CVE-2014-9761",
"summary": "Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6) before 2.23 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long argument to the (1) nan, (2) nanf, or (3) nanl function.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9761"
},
{
"id": "CVE-2014-9984",
"summary": "nscd in the GNU C Library (aka glibc or libc6) before version 2.20 does not correctly compute the size of an internal buffer when processing netgroup requests, possibly leading to an nscd daemon crash or code execution as the user running nscd.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9984"
},
{
"id": "CVE-2015-0235",
"summary": "Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka \"GHOST.\"",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0235"
},
{
"id": "CVE-2015-1472",
"summary": "The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka glibc or libc6) before 2.21 does not properly consider data-type size during memory allocation, which allows context-dependent attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long line containing wide characters that are improperly handled in a wscanf call.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1472"
},
{
"id": "CVE-2015-1473",
"summary": "The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka glibc or libc6) before 2.21 does not properly consider data-type size during a risk-management decision for use of the alloca function, which might allow context-dependent attackers to cause a denial of service (segmentation violation) or overwrite memory locations beyond the stack boundary via a long line containing wide characters that are improperly handled in a wscanf call.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1473"
},
{
"id": "CVE-2015-1781",
"summary": "Buffer overflow in the gethostbyname_r and other unspecified NSS functions in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response, which triggers a call with a misaligned buffer.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1781"
},
{
"id": "CVE-2015-20109",
"summary": "end_pattern (called from internal_fnmatch) in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash), as demonstrated by use of the fnmatch library function with the **(!() pattern. NOTE: this is not the same as CVE-2015-8984; also, some Linux distributions have fixed CVE-2015-8984 but have not fixed this additional fnmatch issue.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-20109"
},
{
"id": "CVE-2015-5180",
"summary": "res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5180"
},
{
"id": "CVE-2015-5277",
"summary": "The get_contents function in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) before 2.20 might allow local users to cause a denial of service (heap corruption) or gain privileges via a long line in the NSS files database.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5277"
},
{
"id": "CVE-2015-7547",
"summary": "Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing \"dual A/AAAA DNS queries\" and the libnss_dns.so.2 NSS module.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7547"
},
{
"id": "CVE-2015-8776",
"summary": "The strftime function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly obtain sensitive information via an out-of-range time value.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8776"
},
{
"id": "CVE-2015-8777",
"summary": "The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8777"
},
{
"id": "CVE-2015-8778",
"summary": "Integer overflow in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via the size argument to the __hcreate_r function, which triggers out-of-bounds heap-memory access.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8778"
},
{
"id": "CVE-2015-8779",
"summary": "Stack-based buffer overflow in the catopen function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long catalog name.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8779"
},
{
"id": "CVE-2015-8982",
"summary": "Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8982"
},
{
"id": "CVE-2015-8983",
"summary": "Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8983"
},
{
"id": "CVE-2015-8984",
"summary": "The fnmatch function in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash) via a malformed pattern, which triggers an out-of-bounds read.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8984"
},
{
"id": "CVE-2015-8985",
"summary": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8985"
},
{
"id": "CVE-2016-10228",
"summary": "The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10228"
},
{
"id": "CVE-2016-10739",
"summary": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
"scorev2": "4.6",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10739"
},
{
"id": "CVE-2016-1234",
"summary": "Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1234"
},
{
"id": "CVE-2016-3075",
"summary": "Stack-based buffer overflow in the nss_dns implementation of the getnetbyname function in GNU C Library (aka glibc) before 2.24 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a long name.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3075"
},
{
"id": "CVE-2016-3706",
"summary": "Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in the GNU C Library (aka glibc or libc6) allows remote attackers to cause a denial of service (crash) via vectors involving hostent conversion. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4458.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3706"
},
{
"id": "CVE-2016-4429",
"summary": "Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4429"
},
{
"id": "CVE-2016-5417",
"summary": "Memory leak in the __res_vinit function in the IPv6 name server management code in libresolv in GNU C Library (aka glibc or libc6) before 2.24 allows remote attackers to cause a denial of service (memory consumption) by leveraging partial initialization of internal resolver data structures.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5417"
},
{
"id": "CVE-2016-6323",
"summary": "The makecontext function in the GNU C Library (aka glibc or libc6) before 2.25 creates execution contexts incompatible with the unwinder on ARM EABI (32-bit) platforms, which might allow context-dependent attackers to cause a denial of service (hang), as demonstrated by applications compiled using gccgo, related to backtrace generation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6323"
},
{
"id": "CVE-2017-1000366",
"summary": "glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000366"
},
{
"id": "CVE-2017-1000408",
"summary": "A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_HWCAP_MASK environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000408"
},
{
"id": "CVE-2017-1000409",
"summary": "A buffer overflow in glibc 2.5 (released on September 29, 2006) and can be triggered through the LD_LIBRARY_PATH environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000409"
},
{
"id": "CVE-2017-12132",
"summary": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12132"
},
{
"id": "CVE-2017-12133",
"summary": "Use-after-free vulnerability in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) before 2.26 allows remote attackers to have unspecified impact via vectors related to error path.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12133"
},
{
"id": "CVE-2017-15670",
"summary": "The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15670"
},
{
"id": "CVE-2017-15671",
"summary": "The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15671"
},
{
"id": "CVE-2017-15804",
"summary": "The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15804"
},
{
"id": "CVE-2017-16997",
"summary": "elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the \"./\" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16997"
},
{
"id": "CVE-2017-17426",
"summary": "The malloc function in the GNU C Library (aka glibc or libc6) 2.26 could return a memory block that is too small if an attempt is made to allocate an object whose size is close to SIZE_MAX, potentially leading to a subsequent heap overflow. This occurs because the per-thread cache (aka tcache) feature enables a code path that lacks an integer overflow check.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17426"
},
{
"id": "CVE-2017-18269",
"summary": "An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18269"
},
{
"id": "CVE-2017-8804",
"summary": "The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779. NOTE: [Information provided from upstream and references",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8804"
},
{
"id": "CVE-2018-1000001",
"summary": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000001"
},
{
"id": "CVE-2018-11236",
"summary": "stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11236"
},
{
"id": "CVE-2018-11237",
"summary": "An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11237"
},
{
"id": "CVE-2018-19591",
"summary": "In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19591"
},
{
"id": "CVE-2018-20796",
"summary": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20796"
},
{
"id": "CVE-2018-6485",
"summary": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6485"
},
{
"id": "CVE-2018-6551",
"summary": "The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6551"
},
{
"id": "CVE-2019-1010022",
"summary": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010022",
"detail": "disputed",
"description": "Upstream glibc maintainers dispute there is any issue and have no plans to address it further. this is being treated as a non-security bug and no real threat."
},
{
"id": "CVE-2019-1010023",
"summary": "GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010023",
"detail": "disputed",
"description": "Upstream glibc maintainers dispute there is any issue and have no plans to address it further. this is being treated as a non-security bug and no real threat."
},
{
"id": "CVE-2019-1010024",
"summary": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010024",
"detail": "disputed",
"description": "Upstream glibc maintainers dispute there is any issue and have no plans to address it further. this is being treated as a non-security bug and no real threat."
},
{
"id": "CVE-2019-1010025",
"summary": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010025",
"detail": "disputed",
"description": "Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow easier access for another. 'ASLR bypass itself is not a vulnerability.'"
},
{
"id": "CVE-2019-19126",
"summary": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19126"
},
{
"id": "CVE-2019-25013",
"summary": "The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.",
"scorev2": "7.1",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-25013"
},
{
"id": "CVE-2019-6488",
"summary": "The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6488"
},
{
"id": "CVE-2019-7309",
"summary": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7309"
},
{
"id": "CVE-2019-9169",
"summary": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9169"
},
{
"id": "CVE-2019-9192",
"summary": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9192"
},
{
"id": "CVE-2020-10029",
"summary": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10029"
},
{
"id": "CVE-2020-1751",
"summary": "An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.",
"scorev2": "5.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1751"
},
{
"id": "CVE-2020-1752",
"summary": "A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.",
"scorev2": "3.7",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1752"
},
{
"id": "CVE-2020-27618",
"summary": "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27618"
},
{
"id": "CVE-2020-29562",
"summary": "The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2.32, when converting UCS4 text containing an irreversible character, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.",
"scorev2": "2.1",
"scorev3": "4.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29562"
},
{
"id": "CVE-2020-29573",
"summary": "sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) before 2.23 on x86 targets has a stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern, as seen when passing a \\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04 value to sprintf. NOTE: the issue does not affect glibc by default in 2016 or later (i.e., 2.23 or later) because of commits made in 2015 for inlining of C99 math functions through use of GCC built-ins. In other words, the reference to 2.23 is intentional despite the mention of \"Fixed for glibc 2.33\" in the 26649 reference.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29573"
},
{
"id": "CVE-2020-6096",
"summary": "An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-6096"
},
{
"id": "CVE-2021-27645",
"summary": "The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.",
"scorev2": "1.9",
"scorev3": "2.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27645"
},
{
"id": "CVE-2021-3326",
"summary": "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3326"
},
{
"id": "CVE-2021-33574",
"summary": "The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33574"
},
{
"id": "CVE-2021-35942",
"summary": "The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-35942"
},
{
"id": "CVE-2021-38604",
"summary": "In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced as a side effect of the CVE-2021-33574 fix.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38604"
},
{
"id": "CVE-2021-3998",
"summary": "A flaw was found in glibc. The realpath() function can mistakenly return an unexpected value, potentially leading to information leakage and disclosure of sensitive data.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3998"
},
{
"id": "CVE-2021-3999",
"summary": "A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3999"
},
{
"id": "CVE-2021-43396",
"summary": "In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases. NOTE: the vendor states \"the bug cannot be invoked through user input and requires iconv to be invoked with a NULL inbuf, which ought to require a separate application bug to do so unintentionally. Hence there's no security impact to the bug.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43396"
},
{
"id": "CVE-2022-23218",
"summary": "The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23218"
},
{
"id": "CVE-2022-23219",
"summary": "The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23219"
},
{
"id": "CVE-2022-39046",
"summary": "An issue was discovered in the GNU C Library (glibc) 2.36. When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-39046"
},
{
"id": "CVE-2023-0687",
"summary": "A vulnerability was found in GNU C Library 2.38. It has been declared as critical. This vulnerability affects the function __monstartup of the file gmon.c of the component Call Graph Monitor. The manipulation leads to buffer overflow. It is recommended to apply a patch to fix this issue. VDB-220246 is the identifier assigned to this vulnerability. NOTE: The real existence of this vulnerability is still doubted at the moment. The inputs that induce this vulnerability are basically addresses of the running application that is built with gmon enabled. It's basically trusted input or input that needs an actual security flaw to be compromised or controlled.",
"scorev2": "4.0",
"scorev3": "9.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0687"
},
{
"id": "CVE-2023-25139",
"summary": "sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct buffer size. This is unrelated to CWE-676. It may write beyond the bounds of the destination buffer when attempting to write a padded, thousands-separated string representation of a number, if the buffer is allocated the exact size required to represent that number as a string. For example, 1,234,567 (with padding to 13) overflows by two bytes.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25139"
},
{
"id": "CVE-2023-4527",
"summary": "A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4527"
},
{
"id": "CVE-2023-4806",
"summary": "A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4806"
},
{
"id": "CVE-2023-4813",
"summary": "A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4813"
},
{
"id": "CVE-2023-4911",
"summary": "A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4911",
"detail": "fixed-version",
"description": "Fixed in stable branch updates"
},
{
"id": "CVE-2023-5156",
"summary": "A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5156"
},
{
"id": "CVE-2023-6246",
"summary": "A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6246"
},
{
"id": "CVE-2023-6779",
"summary": "An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6779"
},
{
"id": "CVE-2023-6780",
"summary": "An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6780"
},
{
"id": "CVE-2024-2961",
"summary": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n",
"scorev2": "0.0",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961",
"detail": "cpe-stable-backport",
"description": "fix available in used git hash"
},
{
"id": "CVE-2024-33599",
"summary": "nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-33599",
"detail": "cpe-stable-backport",
"description": "fix available in used git hash"
},
{
"id": "CVE-2024-33600",
"summary": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-33600",
"detail": "cpe-stable-backport",
"description": "fix available in used git hash"
},
{
"id": "CVE-2024-33601",
"summary": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-33601",
"detail": "cpe-stable-backport",
"description": "fix available in used git hash"
},
{
"id": "CVE-2024-33602",
"summary": "nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n",
"scorev2": "0.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602",
"detail": "cpe-stable-backport",
"description": "fix available in used git hash"
}
]
},
{
"name": "nativesdk-gmp",
"layer": "meta",
"version": "6.3.0",
"products": [
{
"product": "gmp",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2021-43618",
"summary": "GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43618"
}
]
},
{
"name": "nativesdk-gnu-config",
"layer": "meta",
"version": "20240101+git",
"products": [
{
"product": "gnu-config",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-gnutls",
"layer": "meta",
"version": "3.8.4",
"products": [
{
"product": "gnutls",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-2531",
"summary": "X.509 Certificate Signature Verification in Gnu transport layer security library (GnuTLS) 1.0.16 allows remote attackers to cause a denial of service (CPU consumption) via certificates containing long chains and signed with large RSA keys.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2531"
},
{
"id": "CVE-2005-1431",
"summary": "The \"record packet parsing\" in GnuTLS 1.2 before 1.2.3 and 1.0 before 1.0.25 allows remote attackers to cause a denial of service, possibly related to padding bytes in gnutils_cipher.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1431"
},
{
"id": "CVE-2006-4790",
"summary": "verify.c in GnuTLS before 1.4.4, when using an RSA key with exponent 3, does not properly handle excess data in the digestAlgorithm.parameters field when generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents GnuTLS from correctly verifying X.509 and other certificates that use PKCS, a variant of CVE-2006-4339.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4790"
},
{
"id": "CVE-2006-7239",
"summary": "The _gnutls_x509_oid2mac_algorithm function in lib/gnutls_algorithms.c in GnuTLS before 1.4.2 allows remote attackers to cause a denial of service (crash) via a crafted X.509 certificate that uses a hash algorithm that is not supported by GnuTLS, which triggers a NULL pointer dereference.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7239"
},
{
"id": "CVE-2008-1948",
"summary": "The _gnutls_server_name_recv_params function in lib/ext_server_name.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 does not properly calculate the number of Server Names in a TLS 1.0 Client Hello message during extension handling, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a zero value for the length of Server Names, which leads to a buffer overflow in session resumption data in the pack_security_parameters function, aka GNUTLS-SA-2008-1-1.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1948"
},
{
"id": "CVE-2008-1949",
"summary": "The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to process Client Hello messages within a TLS message after one has already been processed, which allows remote attackers to cause a denial of service (NULL dereference and crash) via a TLS message containing multiple Client Hello messages, aka GNUTLS-SA-2008-1-2.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1949"
},
{
"id": "CVE-2008-1950",
"summary": "Integer signedness error in the _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4 allows remote attackers to cause a denial of service (buffer over-read and crash) via a certain integer value in the Random field in an encrypted Client Hello message within a TLS record with an invalid Record Length, which leads to an invalid cipher padding length, aka GNUTLS-SA-2008-1-3.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1950"
},
{
"id": "CVE-2008-2377",
"summary": "Use-after-free vulnerability in the _gnutls_handshake_hash_buffers_clear function in lib/gnutls_handshake.c in libgnutls in GnuTLS 2.3.5 through 2.4.0 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via TLS transmission of data that is improperly used when the peer calls gnutls_handshake within a normal session, leading to attempted access to a deallocated libgcrypt handle.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2377"
},
{
"id": "CVE-2008-4989",
"summary": "The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4989"
},
{
"id": "CVE-2009-1415",
"summary": "lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not properly handle invalid DSA signatures, which allows remote attackers to cause a denial of service (application crash) and possibly have unspecified other impact via a malformed DSA key that triggers a (1) free of an uninitialized pointer or (2) double free.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1415"
},
{
"id": "CVE-2009-1416",
"summary": "lib/gnutls_pk.c in libgnutls in GnuTLS 2.5.0 through 2.6.5 generates RSA keys stored in DSA structures, instead of the intended DSA keys, which might allow remote attackers to spoof signatures on certificates or have unspecified other impact by leveraging an invalid DSA key.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1416"
},
{
"id": "CVE-2009-1417",
"summary": "gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1417"
},
{
"id": "CVE-2009-2409",
"summary": "The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2409"
},
{
"id": "CVE-2009-2730",
"summary": "libgnutls in GnuTLS before 2.8.2 does not properly handle a '\\0' character in a domain name in the subject's (1) Common Name (CN) or (2) Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2730"
},
{
"id": "CVE-2009-3555",
"summary": "The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a \"plaintext injection\" attack, aka the \"Project Mogul\" issue.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3555"
},
{
"id": "CVE-2009-5138",
"summary": "GnuTLS before 2.7.6, when the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag is not enabled, treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging a X.509 V1 certificate from a trusted CA to issue new certificates, a different vulnerability than CVE-2014-1959.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5138"
},
{
"id": "CVE-2010-0731",
"summary": "The gnutls_x509_crt_get_serial function in the GnuTLS library before 1.2.1, when running on big-endian, 64-bit platforms, calls the asn1_read_value with a pointer to the wrong data type and the wrong length value, which allows remote attackers to bypass the certificate revocation list (CRL) check and cause a stack-based buffer overflow via a crafted X.509 certificate, related to extraction of a serial number.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0731"
},
{
"id": "CVE-2011-4128",
"summary": "Buffer overflow in the gnutls_session_get_data function in lib/gnutls_session.c in GnuTLS 2.12.x before 2.12.14 and 3.x before 3.0.7, when used on a client that performs nonstandard session resumption, allows remote TLS servers to cause a denial of service (application crash) via a large SessionTicket.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4128"
},
{
"id": "CVE-2012-0390",
"summary": "The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain error-handling code only if there is a specific relationship between a padding length and the ciphertext size, which makes it easier for remote attackers to recover partial plaintext via a timing side-channel attack, a related issue to CVE-2011-4108.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0390"
},
{
"id": "CVE-2012-1569",
"summary": "The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1569"
},
{
"id": "CVE-2012-1573",
"summary": "gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3.0.15 does not properly handle data encrypted with a block cipher, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) via a crafted record, as demonstrated by a crafted GenericBlockCipher structure.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1573"
},
{
"id": "CVE-2012-1663",
"summary": "Double free vulnerability in libgnutls in GnuTLS before 3.0.14 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted certificate list.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1663"
},
{
"id": "CVE-2013-1619",
"summary": "The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1619"
},
{
"id": "CVE-2013-2116",
"summary": "The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS 2.12.23 allows remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length. NOTE: this might be due to an incorrect fix for CVE-2013-0169.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2116"
},
{
"id": "CVE-2013-4466",
"summary": "Buffer overflow in the dane_query_tlsa function in the DANE library (libdane) in GnuTLS 3.1.x before 3.1.15 and 3.2.x before 3.2.5 allows remote servers to cause a denial of service (memory corruption) via a response with more than four DANE entries.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4466"
},
{
"id": "CVE-2013-4487",
"summary": "Off-by-one error in the dane_raw_tlsa in the DANE library (libdane) in GnuTLS 3.1.x before 3.1.16 and 3.2.x before 3.2.6 allows remote servers to cause a denial of service (memory corruption) via a response with more than four DANE entries. NOTE: this issue is due to an incomplete fix for CVE-2013-4466.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4487"
},
{
"id": "CVE-2014-0092",
"summary": "lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0092"
},
{
"id": "CVE-2014-1959",
"summary": "lib/x509/verify.c in GnuTLS before 3.1.21 and 3.2.x before 3.2.11 treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging a X.509 V1 certificate from a trusted CA to issue new certificates.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1959"
},
{
"id": "CVE-2014-3465",
"summary": "The gnutls_x509_dn_oid_name function in lib/x509/common.c in GnuTLS 3.0 before 3.1.20 and 3.2.x before 3.2.10 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted X.509 certificate, related to a missing LDAP description for an OID when printing the DN.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3465"
},
{
"id": "CVE-2014-3466",
"summary": "Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows remote servers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a long session id in a ServerHello message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3466"
},
{
"id": "CVE-2014-3467",
"summary": "Multiple unspecified vulnerabilities in the DER decoder in GNU Libtasn1 before 3.6, as used in GnuTLS, allow remote attackers to cause a denial of service (out-of-bounds read) via crafted ASN.1 data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3467"
},
{
"id": "CVE-2014-3468",
"summary": "The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3468"
},
{
"id": "CVE-2014-3469",
"summary": "The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1 before 3.6 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via a NULL value in an ivalue argument.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3469"
},
{
"id": "CVE-2014-8155",
"summary": "GnuTLS before 2.9.10 does not verify the activation and expiration dates of CA certificates, which allows man-in-the-middle attackers to spoof servers via a certificate issued by a CA certificate that is (1) not yet valid or (2) no longer valid.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8155"
},
{
"id": "CVE-2014-8564",
"summary": "The _gnutls_ecc_ansi_x963_export function in gnutls_ecc.c in GnuTLS 3.x before 3.1.28, 3.2.x before 3.2.20, and 3.3.x before 3.3.10 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) Elliptic Curve Cryptography (ECC) certificate or (2) certificate signing requests (CSR), related to generating key IDs.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8564"
},
{
"id": "CVE-2015-0282",
"summary": "GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 signature algorithm matches the signature algorithm in the certificate, which allows remote attackers to conduct downgrade attacks via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0282"
},
{
"id": "CVE-2015-0294",
"summary": "GnuTLS before 3.3.13 does not validate that the signature algorithms match when importing a certificate.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0294"
},
{
"id": "CVE-2015-3308",
"summary": "Double free vulnerability in lib/x509/x509_ext.c in GnuTLS before 3.3.14 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted CRL distribution point.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3308"
},
{
"id": "CVE-2015-6251",
"summary": "Double free vulnerability in GnuTLS before 3.3.17 and 3.4.x before 3.4.4 allows remote attackers to cause a denial of service via a long DistinguishedName (DN) entry in a certificate.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6251"
},
{
"id": "CVE-2015-8313",
"summary": "GnuTLS incorrectly validates the first byte of padding in CBC modes",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8313"
},
{
"id": "CVE-2016-4456",
"summary": "The \"GNUTLS_KEYLOGFILE\" environment variable in gnutls 3.4.12 allows remote attackers to overwrite and corrupt arbitrary files in the filesystem.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4456"
},
{
"id": "CVE-2016-7444",
"summary": "The gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length of an OCSP response, which might allow remote attackers to bypass an intended certificate validation mechanism via vectors involving trailing bytes left by gnutls_malloc.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7444"
},
{
"id": "CVE-2017-5334",
"summary": "Double free vulnerability in the gnutls_x509_ext_import_proxy function in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allows remote attackers to have unspecified impact via crafted policy language information in an X.509 certificate with a Proxy Certificate Information extension.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5334"
},
{
"id": "CVE-2017-5335",
"summary": "The stream reading functions in lib/opencdk/read-packet.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to cause a denial of service (out-of-memory error and crash) via a crafted OpenPGP certificate.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5335"
},
{
"id": "CVE-2017-5336",
"summary": "Stack-based buffer overflow in the cdk_pk_get_keyid function in lib/opencdk/pubkey.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allows remote attackers to have unspecified impact via a crafted OpenPGP certificate.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5336"
},
{
"id": "CVE-2017-5337",
"summary": "Multiple heap-based buffer overflows in the read_attribute function in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to have unspecified impact via a crafted OpenPGP certificate.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5337"
},
{
"id": "CVE-2017-7507",
"summary": "GnuTLS version 3.5.12 and earlier is vulnerable to a NULL pointer dereference while decoding a status response TLS extension with valid contents. This could lead to a crash of the GnuTLS server application.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7507"
},
{
"id": "CVE-2017-7869",
"summary": "GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer overflow and heap-based buffer overflow related to the cdk_pkt_read function in opencdk/read-packet.c. This issue (which is a subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7869"
},
{
"id": "CVE-2018-10844",
"summary": "It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10844"
},
{
"id": "CVE-2018-10845",
"summary": "It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10845"
},
{
"id": "CVE-2018-10846",
"summary": "A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of \"Just in Time\" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets.",
"scorev2": "1.9",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10846"
},
{
"id": "CVE-2018-16868",
"summary": "A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run process on the same physical core as the victim process, could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
"scorev2": "3.3",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16868"
},
{
"id": "CVE-2019-3829",
"summary": "A vulnerability was found in gnutls versions from 3.5.8 before 3.6.7. A memory corruption (double free) vulnerability in the certificate verification API. Any client or server application that verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3829"
},
{
"id": "CVE-2019-3836",
"summary": "It was discovered in gnutls before version 3.6.7 upstream that there is an uninitialized pointer access in gnutls versions 3.6.3 or later which can be triggered by certain post-handshake messages.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3836"
},
{
"id": "CVE-2020-11501",
"summary": "GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 '\\0' bytes instead of a random value, and thus contributes no randomness to a DTLS negotiation. This breaks the security guarantees of the DTLS protocol.",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11501"
},
{
"id": "CVE-2020-13777",
"summary": "GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13777"
},
{
"id": "CVE-2020-24659",
"summary": "An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24659"
},
{
"id": "CVE-2021-20231",
"summary": "A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20231"
},
{
"id": "CVE-2021-20232",
"summary": "A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20232"
},
{
"id": "CVE-2021-4209",
"summary": "A NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw leads to a denial of service after authentication in rare circumstances.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4209"
},
{
"id": "CVE-2022-2509",
"summary": "A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2509"
},
{
"id": "CVE-2023-0361",
"summary": "A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.",
"scorev2": "0.0",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0361"
},
{
"id": "CVE-2023-5981",
"summary": "A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5981"
},
{
"id": "CVE-2024-0553",
"summary": "A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0553"
},
{
"id": "CVE-2024-0567",
"summary": "A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0567"
}
]
},
{
"name": "nativesdk-grpc",
"layer": "meta-oe",
"version": "1.60.1",
"products": [
{
"product": "grpc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2017-7860",
"summary": "Google gRPC before 2017-02-22 has an out-of-bounds write caused by a heap-based buffer overflow related to the parse_unix function in core/ext/client_channel/parse_address.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7860"
},
{
"id": "CVE-2017-7861",
"summary": "Google gRPC before 2017-02-22 has an out-of-bounds write related to the gpr_free function in core/lib/support/alloc.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7861"
},
{
"id": "CVE-2017-8359",
"summary": "Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based use-after-free related to the grpc_call_destroy function in core/lib/surface/call.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8359"
},
{
"id": "CVE-2017-9431",
"summary": "Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9431"
},
{
"id": "CVE-2020-7768",
"summary": "The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.",
"scorev2": "5.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-7768"
},
{
"id": "CVE-2023-1428",
"summary": "There exists an vulnerability causing an abort() to be called in gRPC.\u00a0\nThe following headers cause gRPC's C++ implementation to abort() when called via http2:\n\nte: x (x != trailers)\n\n:scheme: x (x != http, https)\n\ngrpclb_client_stats: x (x == anything)\n\nOn top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit\u00a02485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1428"
},
{
"id": "CVE-2023-32731",
"summary": "When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in\u00a0 https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005 \n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32731"
},
{
"id": "CVE-2023-32732",
"summary": "gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in\u00a0 https://github.com/grpc/grpc/pull/32309 https://www.google.com/url \n",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32732"
},
{
"id": "CVE-2023-33953",
"summary": "gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/\u00a0Three vectors were found that allow the following DOS attacks:\n\n- Unbounded memory buffering in the HPACK parser\n- Unbounded CPU consumption in the HPACK parser\n\nThe unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.\n\nThe unbounded memory buffering bugs:\n\n- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.\n- HPACK varints have an encoding quirk whereby an infinite number of 0\u2019s can be added at the start of an integer. gRPC\u2019s hpack parser needed to read all of them before concluding a parse.\n- gRPC\u2019s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc\u2026",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33953"
},
{
"id": "CVE-2023-44487",
"summary": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487"
},
{
"id": "CVE-2023-4785",
"summary": "Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.\u00a0",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4785"
}
]
},
{
"name": "nativesdk-gtk+3",
"layer": "meta",
"version": "3.24.41",
"products": [
{
"product": "gtk",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2001-0084",
"summary": "GTK+ library allows local users to specify arbitrary modules via the GTK_MODULES environmental variable, which could allow local users to gain privileges if GTK+ is used by a setuid/setgid program.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0084"
},
{
"id": "CVE-2004-0753",
"summary": "The BMP image processor for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0753"
},
{
"id": "CVE-2004-0782",
"summary": "Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687).",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0782"
},
{
"id": "CVE-2004-0783",
"summary": "Stack-based buffer overflow in xpm_extract_color (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, may allow remote attackers to execute arbitrary code via a certain color string. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0688).",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0783"
},
{
"id": "CVE-2004-0788",
"summary": "Integer overflow in the ICO image decoder for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted ICO file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0788"
},
{
"id": "CVE-2005-0372",
"summary": "Directory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0372"
},
{
"id": "CVE-2005-0891",
"summary": "Double free vulnerability in gtk 2 (gtk2) before 2.2.4 allows remote attackers to cause a denial of service (crash) via a crafted BMP image.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0891"
},
{
"id": "CVE-2005-2975",
"summary": "io-xpm.c in the gdk-pixbuf XPM image rendering library in GTK+ before 2.8.7 allows attackers to cause a denial of service (infinite loop) via a crafted XPM image with a large number of colors.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2975"
},
{
"id": "CVE-2005-2976",
"summary": "Integer overflow in io-xpm.c in gdk-pixbuf 0.22.0 in GTK+ before 2.8.7 allows attackers to cause a denial of service (crash) or execute arbitrary code via an XPM file with large height, width, and colour values, a different vulnerability than CVE-2005-3186.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2976"
},
{
"id": "CVE-2007-0010",
"summary": "The GdkPixbufLoader function in GIMP ToolKit (GTK+) in GTK 2 (gtk2) before 2.4.13 allows context-dependent attackers to cause a denial of service (crash) via a malformed image file.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0010"
},
{
"id": "CVE-2010-0732",
"summary": "gdk/gdkwindow.c in GTK+ before 2.18.5, as used in gnome-screensaver before 2.28.1, performs implicit paints on windows of type GDK_WINDOW_FOREIGN, which triggers an X error in certain circumstances and consequently allows physically proximate attackers to bypass screen locking and access an unattended workstation by pressing the Enter key many times.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0732"
},
{
"id": "CVE-2010-4831",
"summary": "Untrusted search path vulnerability in gdk/win32/gdkinput-win32.c in GTK+ before 2.21.8 allows local users to gain privileges via a Trojan horse Wintab32.dll file in the current working directory.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4831"
},
{
"id": "CVE-2010-4833",
"summary": "Untrusted search path vulnerability in modules/engines/ms-windows/xp_theme.c in GTK+ before 2.24.0 allows local users to gain privileges via a Trojan horse uxtheme.dll file in the current working directory, a different vulnerability than CVE-2010-4831.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4833"
},
{
"id": "CVE-2012-0828",
"summary": "Heap-based buffer overflow in Xchat-WDK before 1499-4 (2012-01-18) xchat 2.8.6 on Maemo architecture could allow remote attackers to cause a denial of service (xchat client crash) or execute arbitrary code via a UTF-8 line from server containing characters outside of the Basic Multilingual Plane (BMP).",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0828"
},
{
"id": "CVE-2014-1949",
"summary": "GTK+ 3.10.9 and earlier, as used in cinnamon-screensaver, gnome-screensaver, and other applications, allows physically proximate attackers to bypass the lock screen by pressing the menu button.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1949"
}
]
},
{
"name": "nativesdk-harfbuzz",
"layer": "meta",
"version": "8.3.0",
"products": [
{
"product": "harfbuzz",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-8947",
"summary": "hb-ot-layout-gpos-table.hh in HarfBuzz before 1.0.5 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data, a different vulnerability than CVE-2016-2052.",
"scorev2": "7.5",
"scorev3": "7.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8947"
},
{
"id": "CVE-2015-9274",
"summary": "HarfBuzz before 1.0.4 allows remote attackers to cause a denial of service (invalid read of two bytes and application crash) because of GPOS and GSUB table mishandling, related to hb-ot-layout-gpos-table.hh, hb-ot-layout-gsub-table.hh, and hb-ot-layout-gsubgpos-private.hh.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9274"
},
{
"id": "CVE-2016-2052",
"summary": "Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6, as used in Google Chrome before 48.0.2564.82, allow attackers to cause a denial of service or possibly have other impact via crafted data, as demonstrated by a buffer over-read resulting from an inverted length check in hb-ot-font.cc, a different issue than CVE-2015-8947.",
"scorev2": "6.8",
"scorev3": "7.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2052"
},
{
"id": "CVE-2021-45931",
"summary": "HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t::set and hb_set_copy).",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45931"
},
{
"id": "CVE-2022-33068",
"summary": "An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33068"
},
{
"id": "CVE-2023-25193",
"summary": "hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25193"
}
]
},
{
"name": "nativesdk-hicolor-icon-theme",
"layer": "meta",
"version": "0.17",
"products": [
{
"product": "hicolor-icon-theme",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-icu",
"layer": "meta",
"version": "74-2",
"products": [
{
"product": "international_components_for_unicode",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-4770",
"summary": "libicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts to process backreferences to the nonexistent capture group zero (aka \\0), which might allow context-dependent attackers to read from, or write to, out-of-bounds memory locations, related to corruption of REStackFrames.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4770"
},
{
"id": "CVE-2007-4771",
"summary": "Heap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack. NOTE: some of these details are obtained from third party information.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4771"
},
{
"id": "CVE-2011-4599",
"summary": "Stack-based buffer overflow in the _canonicalize function in common/uloc.c in International Components for Unicode (ICU) before 49.1 allows remote attackers to execute arbitrary code via a crafted locale ID that is not properly handled during variant canonicalization.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4599"
},
{
"id": "CVE-2014-7923",
"summary": "The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a look-behind expression.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7923"
},
{
"id": "CVE-2014-7926",
"summary": "The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a zero-length quantifier.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7926"
},
{
"id": "CVE-2014-7940",
"summary": "The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7940"
},
{
"id": "CVE-2014-8146",
"summary": "The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8146"
},
{
"id": "CVE-2014-8147",
"summary": "The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8147"
},
{
"id": "CVE-2014-9654",
"summary": "The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring that they can be represented in a 24-bit field, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted string, a related issue to CVE-2014-7923.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9654"
},
{
"id": "CVE-2014-9911",
"summary": "Stack-based buffer overflow in the ures_getByKeyWithFallback function in common/uresbund.cpp in International Components for Unicode (ICU) before 54.1 for C/C++ allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted uloc_getDisplayName call.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9911"
},
{
"id": "CVE-2015-5922",
"summary": "Unspecified vulnerability in International Components for Unicode (ICU) before 53.1.0, as used in Apple OS X before 10.11 and watchOS before 2, has unknown impact and attack vectors.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5922"
},
{
"id": "CVE-2016-6293",
"summary": "The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6293"
},
{
"id": "CVE-2016-7415",
"summary": "Stack-based buffer overflow in the Locale class in common/locid.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long locale string.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7415"
},
{
"id": "CVE-2017-14952",
"summary": "Double free in i18n/zonemeta.cpp in International Components for Unicode (ICU) for C/C++ through 59.1 allows remote attackers to execute arbitrary code via a crafted string, aka a \"redundant UVector entry clean up function call\" issue.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14952"
},
{
"id": "CVE-2017-15396",
"summary": "A stack buffer overflow in NumberingSystem in International Components for Unicode (ICU) for C/C++ before 60.2, as used in V8 in Google Chrome prior to 62.0.3202.75 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15396"
},
{
"id": "CVE-2017-15422",
"summary": "Integer overflow in international date handling in International Components for Unicode (ICU) for C/C++ before 60.1, as used in V8 in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15422"
},
{
"id": "CVE-2017-17484",
"summary": "The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17484"
},
{
"id": "CVE-2017-7867",
"summary": "International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7867"
},
{
"id": "CVE-2017-7868",
"summary": "International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7868"
},
{
"id": "CVE-2018-18928",
"summary": "International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18928"
},
{
"id": "CVE-2020-10531",
"summary": "An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10531"
},
{
"id": "CVE-2020-21913",
"summary": "International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-21913"
}
]
},
{
"name": "nativesdk-libaio",
"layer": "meta",
"version": "0.3.113",
"products": [
{
"product": "libaio",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-libarchive",
"layer": "meta",
"version": "3.7.4",
"products": [
{
"product": "libarchive",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-3641",
"summary": "archive_read_support_format_tar.c in libarchive before 2.2.4 does not properly compute the length of a certain buffer when processing a malformed pax extension header, which allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted (1) PAX or (2) TAR archive that triggers a buffer overflow.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3641"
},
{
"id": "CVE-2007-3644",
"summary": "archive_read_support_format_tar.c in libarchive before 2.2.4 allows user-assisted remote attackers to cause a denial of service (infinite loop) via (1) an end-of-file condition within a pax extension header or (2) a malformed pax extension header in an (a) PAX or a (b) TAR archive.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3644"
},
{
"id": "CVE-2007-3645",
"summary": "archive_read_support_format_tar.c in libarchive before 2.2.4 allows user-assisted remote attackers to cause a denial of service (crash) via (1) an end-of-file condition within a tar header that follows a pax extension header or (2) a malformed pax extension header in an (a) PAX or a (b) TAR archive, which results in a NULL pointer dereference, a different issue than CVE-2007-3644.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3645"
},
{
"id": "CVE-2010-4666",
"summary": "Buffer overflow in libarchive 3.0 pre-release code allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted CAB file, which is not properly handled during the reading of Huffman code data within LZX compressed data.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4666"
},
{
"id": "CVE-2011-1777",
"summary": "Multiple buffer overflows in the (1) heap_add_entry and (2) relocate_dir functions in archive_read_support_format_iso9660.c in libarchive through 2.8.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted ISO9660 image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1777"
},
{
"id": "CVE-2011-1778",
"summary": "Buffer overflow in libarchive through 2.8.5 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TAR archive.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1778"
},
{
"id": "CVE-2011-1779",
"summary": "Multiple use-after-free vulnerabilities in libarchive 2.8.4 and 2.8.5 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted (1) TAR archive or (2) ISO9660 image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1779"
},
{
"id": "CVE-2013-0211",
"summary": "Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0211"
},
{
"id": "CVE-2015-2304",
"summary": "Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2304"
},
{
"id": "CVE-2015-8915",
"summary": "bsdcpio in libarchive before 3.2.0 allows remote attackers to cause a denial of service (invalid read and crash) via crafted cpio file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8915"
},
{
"id": "CVE-2015-8916",
"summary": "bsdtar in libarchive before 3.2.0 returns a success code without filling the entry when the header is a \"split file in multivolume RAR,\" which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted rar file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8916"
},
{
"id": "CVE-2015-8917",
"summary": "bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an invalid character in the name of a cab file.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8917"
},
{
"id": "CVE-2015-8918",
"summary": "The archive_string_append function in archive_string.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted cab files, related to \"overlapping memcpy.\"",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8918"
},
{
"id": "CVE-2015-8919",
"summary": "The lha_read_file_extended_header function in archive_read_support_format_lha.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds heap) via a crafted (1) lzh or (2) lha file.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8919"
},
{
"id": "CVE-2015-8920",
"summary": "The _ar_read_header function in archive_read_support_format_ar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds stack read) via a crafted ar file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8920"
},
{
"id": "CVE-2015-8921",
"summary": "The ae_strtofflags function in archive_entry.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8921"
},
{
"id": "CVE-2015-8922",
"summary": "The read_CodersInfo function in archive_read_support_format_7zip.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted 7z file, related to the _7z_folder struct.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8922"
},
{
"id": "CVE-2015-8923",
"summary": "The process_extra function in libarchive before 3.2.0 uses the size field and a signed number in an offset, which allows remote attackers to cause a denial of service (crash) via a crafted zip file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8923"
},
{
"id": "CVE-2015-8924",
"summary": "The archive_read_format_tar_read_header function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tar file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8924"
},
{
"id": "CVE-2015-8925",
"summary": "The readline function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (invalid read) via a crafted mtree file, related to newline parsing.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8925"
},
{
"id": "CVE-2015-8926",
"summary": "The archive_read_format_rar_read_data function in archive_read_support_format_rar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted rar archive.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8926"
},
{
"id": "CVE-2015-8927",
"summary": "The trad_enc_decrypt_update function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds heap read and crash) via a crafted zip file, related to reading the password.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8927"
},
{
"id": "CVE-2015-8928",
"summary": "The process_add_entry function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8928"
},
{
"id": "CVE-2015-8929",
"summary": "Memory leak in the __archive_read_get_extract function in archive_read_extract2.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service via a tar file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8929"
},
{
"id": "CVE-2015-8930",
"summary": "bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (infinite loop) via an ISO with a directory that is a member of itself.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8930"
},
{
"id": "CVE-2015-8931",
"summary": "Multiple integer overflows in the (1) get_time_t_max and (2) get_time_t_min functions in archive_read_support_format_mtree.c in libarchive before 3.2.0 allow remote attackers to have unspecified impact via a crafted mtree file, which triggers undefined behavior.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8931"
},
{
"id": "CVE-2015-8932",
"summary": "The compress_bidder_init function in archive_read_support_filter_compress.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file, which triggers an invalid left shift.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8932"
},
{
"id": "CVE-2015-8933",
"summary": "Integer overflow in the archive_read_format_tar_skip function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8933"
},
{
"id": "CVE-2015-8934",
"summary": "The copy_from_lzss_window function in archive_read_support_format_rar.c in libarchive 3.2.0 and earlier allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted rar file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8934"
},
{
"id": "CVE-2016-10209",
"summary": "The archive_wstring_append_from_mbs function in archive_string.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10209"
},
{
"id": "CVE-2016-10349",
"summary": "The archive_le32dec function in archive_endian.h in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10349"
},
{
"id": "CVE-2016-10350",
"summary": "The archive_read_format_cab_read_header function in archive_read_support_format_cab.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10350"
},
{
"id": "CVE-2016-1541",
"summary": "Heap-based buffer overflow in the zip_read_mac_metadata function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to execute arbitrary code via crafted entry-size values in a ZIP archive.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1541"
},
{
"id": "CVE-2016-4300",
"summary": "Integer overflow in the read_SubStreamsInfo function in archive_read_support_format_7zip.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a 7zip file with a large number of substreams, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4300"
},
{
"id": "CVE-2016-4301",
"summary": "Stack-based buffer overflow in the parse_device function in archive_read_support_format_mtree.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a crafted mtree file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4301"
},
{
"id": "CVE-2016-4302",
"summary": "Heap-based buffer overflow in the parse_codes function in archive_read_support_format_rar.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a RAR file with a zero-sized dictionary.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4302"
},
{
"id": "CVE-2016-4809",
"summary": "The archive_read_format_cpio_read_header function in archive_read_support_format_cpio.c in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a CPIO archive with a large symlink.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4809"
},
{
"id": "CVE-2016-5418",
"summary": "The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5418"
},
{
"id": "CVE-2016-5844",
"summary": "Integer overflow in the ISO parser in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a crafted ISO file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5844"
},
{
"id": "CVE-2016-6250",
"summary": "Integer overflow in the ISO9660 writer in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors related to verifying filename lengths when writing an ISO9660 archive, which trigger a buffer overflow.",
"scorev2": "7.5",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6250"
},
{
"id": "CVE-2016-7166",
"summary": "libarchive before 3.2.0 does not limit the number of recursive decompressions, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted gzip file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7166"
},
{
"id": "CVE-2016-8687",
"summary": "Stack-based buffer overflow in the safe_fprintf function in tar/util.c in libarchive 3.2.1 allows remote attackers to cause a denial of service via a crafted non-printable multibyte character in a filename.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8687"
},
{
"id": "CVE-2016-8688",
"summary": "The mtree bidder in libarchive 3.2.1 does not keep track of line sizes when extending the read-ahead, which allows remote attackers to cause a denial of service (crash) via a crafted file, which triggers an invalid read in the (1) detect_form or (2) bid_entry function in libarchive/archive_read_support_format_mtree.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8688"
},
{
"id": "CVE-2016-8689",
"summary": "The read_Header function in archive_read_support_format_7zip.c in libarchive 3.2.1 allows remote attackers to cause a denial of service (out-of-bounds read) via multiple EmptyStream attributes in a header in a 7zip archive.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8689"
},
{
"id": "CVE-2017-14166",
"summary": "libarchive 3.3.2 allows remote attackers to cause a denial of service (xml_data heap-based buffer over-read and application crash) via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archive_read_support_format_xar.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14166"
},
{
"id": "CVE-2017-14501",
"summary": "An out-of-bounds read flaw exists in parse_file_info in archive_read_support_format_iso9660.c in libarchive 3.3.2 when extracting a specially crafted iso9660 iso file, related to archive_read_format_iso9660_read_header.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14501"
},
{
"id": "CVE-2017-14502",
"summary": "read_header in archive_read_support_format_rar.c in libarchive 3.3.2 suffers from an off-by-one error for UTF-16 names in RAR archives, leading to an out-of-bounds read in archive_read_format_rar_read_header.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14502"
},
{
"id": "CVE-2017-14503",
"summary": "libarchive 3.3.2 suffers from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially crafted lha archive, related to lha_crc16.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14503"
},
{
"id": "CVE-2017-5601",
"summary": "An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5601"
},
{
"id": "CVE-2018-1000877",
"summary": "libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-415: Double Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c, parse_codes(), realloc(rar->lzss.window, new_size) with new_size = 0 that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted RAR archive.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000877"
},
{
"id": "CVE-2018-1000878",
"summary": "libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-416: Use After Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c that can result in Crash/DoS - it is unknown if RCE is possible. This attack appear to be exploitable via the victim must open a specially crafted RAR archive.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000878"
},
{
"id": "CVE-2018-1000879",
"summary": "libarchive version commit 379867ecb330b3a952fb7bfa7bffb7bbd5547205 onwards (release v3.3.0 onwards) contains a CWE-476: NULL Pointer Dereference vulnerability in ACL parser - libarchive/archive_acl.c, archive_acl_from_text_l() that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted archive file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000879"
},
{
"id": "CVE-2018-1000880",
"summary": "libarchive version commit 9693801580c0cf7c70e862d305270a16b52826a7 onwards (release v3.2.0 onwards) contains a CWE-20: Improper Input Validation vulnerability in WARC parser - libarchive/archive_read_support_format_warc.c, _warc_read() that can result in DoS - quasi-infinite run time and disk usage from tiny file. This attack appear to be exploitable via the victim must open a specially crafted WARC file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000880"
},
{
"id": "CVE-2019-1000019",
"summary": "libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards (release v3.0.2 onwards) contains a CWE-125: Out-of-bounds Read vulnerability in 7zip decompression, archive_read_support_format_7zip.c, header_bytes() that can result in a crash (denial of service). This attack appears to be exploitable via the victim opening a specially crafted 7zip file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1000019"
},
{
"id": "CVE-2019-1000020",
"summary": "libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attack appears to be exploitable via the victim opening a specially crafted ISO9660 file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1000020"
},
{
"id": "CVE-2019-11463",
"summary": "A memory leak in archive_read_format_zip_cleanup in archive_read_support_format_zip.c in libarchive 3.3.4-dev allows remote attackers to cause a denial of service via a crafted ZIP file because of a HAVE_LZMA_H typo. NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11463"
},
{
"id": "CVE-2019-18408",
"summary": "archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after-free in a certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18408"
},
{
"id": "CVE-2019-19221",
"summary": "In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. For example, bsdtar crashes via a crafted archive.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19221"
},
{
"id": "CVE-2020-21674",
"summary": "Heap-based buffer overflow in archive_string_append_from_wcs() (archive_string.c) in libarchive-3.4.1dev allows remote attackers to cause a denial of service (out-of-bounds write in heap memory resulting into a crash) via a crafted archive file. NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-21674"
},
{
"id": "CVE-2020-9308",
"summary": "archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header (such as a header size of zero), leading to a SIGSEGV or possibly unspecified other impact.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-9308"
},
{
"id": "CVE-2021-23177",
"summary": "An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to change the ACL of a file on the system and gain more privileges.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23177"
},
{
"id": "CVE-2021-31566",
"summary": "An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-31566"
},
{
"id": "CVE-2021-36976",
"summary": "libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-36976"
},
{
"id": "CVE-2022-26280",
"summary": "Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init.",
"scorev2": "5.8",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26280"
},
{
"id": "CVE-2022-36227",
"summary": "In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: \"In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.\"",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-36227"
},
{
"id": "CVE-2023-30571",
"summary": "Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-30571",
"detail": "upstream-wontfix",
"description": "upstream has documented that reported function is not thread-safe"
}
]
},
{
"name": "nativesdk-libcap",
"layer": "meta",
"version": "2.69",
"products": [
{
"product": "libcap",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2011-4099",
"summary": "The capsh program in libcap before 2.22 does not change the current working directory when the --chroot option is specified, which allows local users to bypass the chroot restrictions via unspecified vectors.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4099"
},
{
"id": "CVE-2023-2602",
"summary": "A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to use cause __real_pthread_create() to return an error, which can exhaust the process memory.",
"scorev2": "0.0",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2602"
},
{
"id": "CVE-2023-2603",
"summary": "A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2603"
}
]
},
{
"name": "nativesdk-libcap-ng",
"layer": "meta",
"version": "0.8.4",
"products": [
{
"product": "libcap-ng",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-libdrm",
"layer": "meta",
"version": "2.4.120",
"products": [
{
"product": "libdrm",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-libedit",
"layer": "meta",
"version": "20230828-3.1",
"products": [
{
"product": "libedit",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-libepoxy",
"layer": "meta",
"version": "1.5.10",
"products": [
{
"product": "libepoxy",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-liberation-fonts",
"layer": "meta",
"version": "1_2.1.5",
"products": [
{
"product": "liberation-fonts",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-libffi",
"layer": "meta",
"version": "3.4.6",
"products": [
{
"product": "libffi",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2017-1000376",
"summary": "libffi requests an executable stack allowing attackers to more easily trigger arbitrary code execution by overwriting the stack. Please note that libffi is used by a number of other libraries. It was previously stated that this affects libffi version 3.2.1 but this appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems was vulnerable, and upstream is believed to have fixed this issue in version 3.1.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000376"
}
]
},
{
"name": "nativesdk-libgcc",
"layer": "meta",
"version": "13.2.0",
"products": [
{
"product": "gcc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-1439",
"summary": "gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1439"
},
{
"id": "CVE-2000-1219",
"summary": "The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-1219"
},
{
"id": "CVE-2002-2439",
"summary": "Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-2439"
},
{
"id": "CVE-2006-1902",
"summary": "fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is \"not correctly interpreting an offset to a pointer as a signed value.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1902"
},
{
"id": "CVE-2008-1367",
"summary": "gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1367"
},
{
"id": "CVE-2008-1685",
"summary": "gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999)",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1685"
},
{
"id": "CVE-2013-4598",
"summary": "The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4598"
},
{
"id": "CVE-2015-5276",
"summary": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5276"
},
{
"id": "CVE-2017-11671",
"summary": "Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11671"
},
{
"id": "CVE-2018-12886",
"summary": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12886"
},
{
"id": "CVE-2019-15847",
"summary": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847"
},
{
"id": "CVE-2021-37322",
"summary": "GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37322",
"detail": "cpe-incorrect",
"description": "Is a binutils 2.26 issue, not gcc"
},
{
"id": "CVE-2021-3826",
"summary": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826"
},
{
"id": "CVE-2021-46195",
"summary": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195"
},
{
"id": "CVE-2022-27943",
"summary": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943"
},
{
"id": "CVE-2023-4039",
"summary": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "4.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039",
"detail": "fixed-version",
"description": "Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source"
}
]
},
{
"name": "nativesdk-libgcc-initial",
"layer": "meta",
"version": "13.2.0",
"products": [
{
"product": "gcc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-1439",
"summary": "gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1439"
},
{
"id": "CVE-2000-1219",
"summary": "The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-1219"
},
{
"id": "CVE-2002-2439",
"summary": "Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-2439"
},
{
"id": "CVE-2006-1902",
"summary": "fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is \"not correctly interpreting an offset to a pointer as a signed value.\"",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1902"
},
{
"id": "CVE-2008-1367",
"summary": "gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1367"
},
{
"id": "CVE-2008-1685",
"summary": "gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999)",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1685"
},
{
"id": "CVE-2013-4598",
"summary": "The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4598"
},
{
"id": "CVE-2015-5276",
"summary": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5276"
},
{
"id": "CVE-2017-11671",
"summary": "Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11671"
},
{
"id": "CVE-2018-12886",
"summary": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12886"
},
{
"id": "CVE-2019-15847",
"summary": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847"
},
{
"id": "CVE-2021-37322",
"summary": "GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37322",
"detail": "cpe-incorrect",
"description": "Is a binutils 2.26 issue, not gcc"
},
{
"id": "CVE-2021-3826",
"summary": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826"
},
{
"id": "CVE-2021-46195",
"summary": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195"
},
{
"id": "CVE-2022-27943",
"summary": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943"
},
{
"id": "CVE-2023-4039",
"summary": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n",
"scorev2": "0.0",
"scorev3": "4.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039",
"detail": "fixed-version",
"description": "Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source"
}
]
},
{
"name": "nativesdk-libgcrypt",
"layer": "meta",
"version": "1.10.3",
"products": [
{
"product": "libgcrypt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-4242",
"summary": "GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4242"
},
{
"id": "CVE-2014-3591",
"summary": "Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.",
"scorev2": "1.9",
"scorev3": "4.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3591"
},
{
"id": "CVE-2014-5270",
"summary": "Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5270"
},
{
"id": "CVE-2015-0837",
"summary": "The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a \"Last-Level Cache Side-Channel Attack.\"",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0837"
},
{
"id": "CVE-2015-7511",
"summary": "Libgcrypt before 1.6.5 does not properly perform elliptic-point curve multiplication during decryption, which makes it easier for physically proximate attackers to extract ECDH keys by measuring electromagnetic emanations.",
"scorev2": "1.9",
"scorev3": "2.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7511"
},
{
"id": "CVE-2016-6313",
"summary": "The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6313"
},
{
"id": "CVE-2017-0379",
"summary": "Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key, related to cipher/ecc.c and mpi/ec.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0379"
},
{
"id": "CVE-2017-7526",
"summary": "libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.",
"scorev2": "4.3",
"scorev3": "6.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7526"
},
{
"id": "CVE-2017-9526",
"summary": "In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9526"
},
{
"id": "CVE-2018-0495",
"summary": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0495"
},
{
"id": "CVE-2018-6829",
"summary": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829"
},
{
"id": "CVE-2019-12904",
"summary": "In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) NOTE: the vendor's position is that the issue report cannot be validated because there is no description of an attack",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12904"
},
{
"id": "CVE-2021-3345",
"summary": "_gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1 or later.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3345"
},
{
"id": "CVE-2021-33560",
"summary": "Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33560"
},
{
"id": "CVE-2021-40528",
"summary": "The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.",
"scorev2": "2.6",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-40528"
}
]
},
{
"name": "nativesdk-libgpg-error",
"layer": "meta",
"version": "1.48",
"products": [
{
"product": "libgpg-error",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-libidn2",
"layer": "meta",
"version": "2.3.7",
"products": [
{
"product": "libidn2",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2017-14061",
"summary": "Integer overflow in the _isBidi function in bidi.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14061"
},
{
"id": "CVE-2017-14062",
"summary": "Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14062"
},
{
"id": "CVE-2019-12290",
"summary": "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12290"
},
{
"id": "CVE-2019-18224",
"summary": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18224"
}
]
},
{
"name": "nativesdk-libjpeg-turbo",
"layer": "meta",
"version": "1_3.0.1",
"products": [
{
"product": "libjpeg-turbo",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2012-2806",
"summary": "Heap-based buffer overflow in the get_sos function in jdmarker.c in libjpeg-turbo 1.2.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large component count in the header of a JPEG image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2806"
},
{
"id": "CVE-2013-6629",
"summary": "The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6629"
},
{
"id": "CVE-2014-9092",
"summary": "libjpeg-turbo before 1.3.1 allows remote attackers to cause a denial of service (crash) via a crafted JPEG file, related to the Exif marker.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9092"
},
{
"id": "CVE-2016-3616",
"summary": "The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3616"
},
{
"id": "CVE-2017-15232",
"summary": "libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15232"
},
{
"id": "CVE-2017-9614",
"summary": "The fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted jpg file. NOTE: Maintainer asserts the issue is due to a bug in downstream code caused by misuse of the libjpeg API",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9614"
},
{
"id": "CVE-2018-1152",
"summary": "libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1152"
},
{
"id": "CVE-2018-14498",
"summary": "get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14498"
},
{
"id": "CVE-2018-19664",
"summary": "libjpeg-turbo 2.0.1 has a heap-based buffer over-read in the put_pixel_rows function in wrbmp.c, as demonstrated by djpeg.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19664"
},
{
"id": "CVE-2018-20330",
"summary": "The tjLoadImage function in libjpeg-turbo 2.0.1 has an integer overflow with a resultant heap-based buffer overflow via a BMP image because multiplication of pitch and height is mishandled, as demonstrated by tjbench.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20330"
},
{
"id": "CVE-2019-13960",
"summary": "In libjpeg-turbo 2.0.2, a large amount of memory can be used during processing of an invalid progressive JPEG image containing incorrect width and height values in the image header. NOTE: the vendor's expectation, for use cases in which this memory usage would be a denial of service, is that the application should interpret libjpeg warnings as fatal errors (aborting decompression) and/or set limits on resource consumption or image sizes",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13960"
},
{
"id": "CVE-2020-13790",
"summary": "libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.",
"scorev2": "5.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13790"
},
{
"id": "CVE-2020-17541",
"summary": "Libjpeg-turbo all version have a stack-based buffer overflow in the \"transform\" component. A remote attacker can send a malformed jpeg file to the service and cause arbitrary code execution or denial of service of the target service.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17541"
},
{
"id": "CVE-2020-35538",
"summary": "A crafted input file could cause a null pointer dereference in jcopy_sample_rows() when processed by libjpeg-turbo.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35538"
},
{
"id": "CVE-2021-20205",
"summary": "Libjpeg-turbo versions 2.0.91 and 2.0.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted GIF image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20205"
},
{
"id": "CVE-2021-29390",
"summary": "libjpeg-turbo version 2.0.90 has a heap-based buffer over-read (2 bytes) in decompress_smooth_data in jdcoefct.c.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29390"
},
{
"id": "CVE-2021-46822",
"summary": "The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46822"
},
{
"id": "CVE-2023-2804",
"summary": "A heap-based buffer overflow issue was discovered in libjpeg-turbo in h2v2_merged_upsample_internal() function of jdmrgext.c file. The vulnerability can only be exploited with 12-bit data precision for which the range of the sample data type exceeds the valid sample range, hence, an attacker could craft a 12-bit lossless JPEG image that contains out-of-range 12-bit samples. An application attempting to decompress such image using merged upsampling would lead to segmentation fault or buffer overflows, causing an application to crash.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2804"
}
]
},
{
"name": "nativesdk-libmicrohttpd",
"layer": "meta",
"version": "1.0.1",
"products": [
{
"product": "libmicrohttpd",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-7038",
"summary": "The MHD_http_unescape function in libmicrohttpd before 0.9.32 might allow remote attackers to obtain sensitive information or cause a denial of service (crash) via unspecified vectors that trigger an out-of-bounds read.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7038"
},
{
"id": "CVE-2013-7039",
"summary": "Stack-based buffer overflow in the MHD_digest_auth_check function in libmicrohttpd before 0.9.32, when MHD_OPTION_CONNECTION_MEMORY_LIMIT is set to a large value, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long URI in an authentication header.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7039"
},
{
"id": "CVE-2021-3466",
"summary": "A flaw was found in libmicrohttpd. A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Only version 0.9.70 is vulnerable.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3466"
},
{
"id": "CVE-2023-27371",
"summary": "GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-27371"
}
]
},
{
"name": "nativesdk-libmpc",
"layer": "meta",
"version": "1.3.1",
"products": [
{
"product": "libmpc",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-libnsl2",
"layer": "meta",
"version": "2.0.1",
"products": [
{
"product": "libnsl2",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-libpciaccess",
"layer": "meta",
"version": "0.18",
"products": [
{
"product": "libpciaccess",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-libpcre2",
"layer": "meta",
"version": "10.43",
"products": [
{
"product": "pcre2",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-3210",
"summary": "Heap-based buffer overflow in PCRE 8.34 through 8.37 and PCRE2 10.10 allows remote attackers to execute arbitrary code via a crafted regular expression, as demonstrated by /^(?P=B)((?P=B)(?J:(?Pc)(?Pa(?P=B)))>WGXCREDITS)/, a different vulnerability than CVE-2015-8384.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3210"
},
{
"id": "CVE-2015-3217",
"summary": "PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\\\.|([^\\\\\\\\W_])?)+)+$/.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3217"
},
{
"id": "CVE-2016-3191",
"summary": "The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3191"
},
{
"id": "CVE-2017-7186",
"summary": "libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7186"
},
{
"id": "CVE-2017-8399",
"summary": "PCRE2 before 10.30 has an out-of-bounds write caused by a stack-based buffer overflow in pcre2_match.c, related to a \"pattern with very many captures.\"",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8399"
},
{
"id": "CVE-2017-8786",
"summary": "pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8786"
},
{
"id": "CVE-2019-20454",
"summary": "An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \\X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.",
"scorev2": "5.0",
"scorev3": "5.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20454"
},
{
"id": "CVE-2022-1586",
"summary": "An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1586"
},
{
"id": "CVE-2022-1587",
"summary": "An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1587"
},
{
"id": "CVE-2022-41409",
"summary": "Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41409"
}
]
},
{
"name": "nativesdk-libpng",
"layer": "meta",
"version": "1.6.42",
"products": [
{
"product": "libpng",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2002-0660",
"summary": "Buffer overflow in libpng 1.0.12-3.woody.2 and libpng3 1.2.1-1.1.woody.2 on Debian GNU/Linux 3.0, and other operating systems, may allow attackers to cause a denial of service and possibly execute arbitrary code, a different vulnerability than CVE-2002-0728.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0660"
},
{
"id": "CVE-2002-0728",
"summary": "Buffer overflow in the progressive reader for libpng 1.2.x before 1.2.4, and 1.0.x before 1.0.14, allows attackers to cause a denial of service (crash) via a PNG data stream that has more IDAT data than indicated by the IHDR chunk.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0728"
},
{
"id": "CVE-2002-1363",
"summary": "Portable Network Graphics (PNG) library libpng 1.2.5 and earlier does not correctly calculate offsets, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a buffer overflow attack on the row buffers.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1363"
},
{
"id": "CVE-2004-0421",
"summary": "The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0421"
},
{
"id": "CVE-2004-0597",
"summary": "Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0597"
},
{
"id": "CVE-2004-0598",
"summary": "The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0598"
},
{
"id": "CVE-2004-0599",
"summary": "Multiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0599"
},
{
"id": "CVE-2006-0481",
"summary": "Heap-based buffer overflow in the alpha strip capability in libpng 1.2.7 allows context-dependent attackers to cause a denial of service (crash) when the png_do_strip_filler function is used to strip alpha channels out of the image.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0481"
},
{
"id": "CVE-2006-3334",
"summary": "Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to \"chunk error processing,\" possibly involving the \"chunk_name\".",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3334"
},
{
"id": "CVE-2006-5793",
"summary": "The sPLT chunk handling code (png_set_sPLT function in pngset.c) in libpng 1.0.6 through 1.2.12 uses a sizeof operator on the wrong data type, which allows context-dependent attackers to cause a denial of service (crash) via malformed sPLT chunks that trigger an out-of-bounds read.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5793"
},
{
"id": "CVE-2006-7244",
"summary": "Memory leak in pngwutil.c in libpng 1.2.13beta1, and other versions before 1.2.15beta3, allows context-dependent attackers to cause a denial of service (memory leak or segmentation fault) via a JPEG image containing an iCCP chunk with a negative embedded profile length.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7244"
},
{
"id": "CVE-2007-2445",
"summary": "The png_handle_tRNS function in pngrutil.c in libpng before 1.0.25 and 1.2.x before 1.2.17 allows remote attackers to cause a denial of service (application crash) via a grayscale PNG image with a bad tRNS chunk CRC value.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2445"
},
{
"id": "CVE-2007-5266",
"summary": "Off-by-one error in ICC profile chunk handling in the png_set_iCCP function in pngset.c in libpng before 1.0.29 beta1 and 1.2.x before 1.2.21 beta1 allows remote attackers to cause a denial of service (crash) via a crafted PNG image that prevents a name field from being NULL terminated.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5266"
},
{
"id": "CVE-2007-5267",
"summary": "Off-by-one error in ICC profile chunk handling in the png_set_iCCP function in pngset.c in libpng before 1.2.22 beta1 allows remote attackers to cause a denial of service (crash) via a crafted PNG image, due to an incorrect fix for CVE-2007-5266.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5267"
},
{
"id": "CVE-2007-5268",
"summary": "pngrtran.c in libpng before 1.0.29 and 1.2.x before 1.2.21 use (1) logical instead of bitwise operations and (2) incorrect comparisons, which might allow remote attackers to cause a denial of service (crash) via a crafted PNG image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5268"
},
{
"id": "CVE-2007-5269",
"summary": "Certain chunk handlers in libpng before 1.0.29 and 1.2.x before 1.2.21 allow remote attackers to cause a denial of service (crash) via crafted (1) pCAL (png_handle_pCAL), (2) sCAL (png_handle_sCAL), (3) tEXt (png_push_read_tEXt), (4) iTXt (png_handle_iTXt), and (5) ztXT (png_handle_ztXt) chunking in PNG images, which trigger out-of-bounds read operations.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5269"
},
{
"id": "CVE-2008-1382",
"summary": "libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 through 1.4.0beta19 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length \"unknown\" chunks, which trigger an access of uninitialized memory.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1382"
},
{
"id": "CVE-2008-3964",
"summary": "Multiple off-by-one errors in libpng before 1.2.32beta01, and 1.4 before 1.4.0beta34, allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a PNG image with crafted zTXt chunks, related to (1) the png_push_read_zTXt function in pngread.c, and possibly related to (2) pngtest.c.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3964"
},
{
"id": "CVE-2008-5907",
"summary": "The png_check_keyword function in pngwutil.c in libpng before 1.0.42, and 1.2.x before 1.2.34, might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords, related to an implicit cast of the '\\0' character constant to a NULL pointer. NOTE: some sources incorrectly report this as a double free vulnerability.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5907"
},
{
"id": "CVE-2008-6218",
"summary": "Memory leak in the png_handle_tEXt function in pngrutil.c in libpng before 1.2.33 rc02 and 1.4.0 beta36 allows context-dependent attackers to cause a denial of service (memory exhaustion) via a crafted PNG file.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-6218"
},
{
"id": "CVE-2009-0040",
"summary": "The PNG reference library (aka libpng) before 1.0.43, and 1.2.x before 1.2.35, as used in pngcrush and other applications, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0040"
},
{
"id": "CVE-2009-2042",
"summary": "libpng before 1.2.37 does not properly parse 1-bit interlaced images with width values that are not divisible by 8, which causes libpng to include uninitialized bits in certain rows of a PNG file and might allow remote attackers to read portions of sensitive memory via \"out-of-bounds pixels\" in the file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2042"
},
{
"id": "CVE-2009-5063",
"summary": "Memory leak in the embedded_profile_len function in pngwutil.c in libpng before 1.2.39beta5 allows context-dependent attackers to cause a denial of service (memory leak or segmentation fault) via a JPEG image containing an iCCP chunk with a negative embedded profile length. NOTE: this is due to an incomplete fix for CVE-2006-7244.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5063"
},
{
"id": "CVE-2010-0205",
"summary": "The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a \"decompression bomb\" attack.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0205"
},
{
"id": "CVE-2010-1205",
"summary": "Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote attackers to execute arbitrary code via a PNG image that triggers an additional data row.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1205"
},
{
"id": "CVE-2010-2249",
"summary": "Memory leak in pngrutil.c in libpng before 1.2.44, and 1.4.x before 1.4.3, allows remote attackers to cause a denial of service (memory consumption and application crash) via a PNG image containing malformed Physical Scale (aka sCAL) chunks.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2249"
},
{
"id": "CVE-2011-0408",
"summary": "pngrtran.c in libpng 1.5.x before 1.5.1 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted palette-based PNG image that triggers a buffer overflow, related to the png_do_expand_palette function, the png_do_rgb_to_gray function, and an integer underflow. NOTE: some of these details are obtained from third party information.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0408"
},
{
"id": "CVE-2011-2501",
"summary": "The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression. NOTE: this is called an off-by-one error by some sources.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2501"
},
{
"id": "CVE-2011-2690",
"summary": "Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2690"
},
{
"id": "CVE-2011-2691",
"summary": "The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2691"
},
{
"id": "CVE-2011-2692",
"summary": "The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2692"
},
{
"id": "CVE-2011-3045",
"summary": "Integer signedness error in the png_inflate function in pngrutil.c in libpng before 1.4.10beta01, as used in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different vulnerability than CVE-2011-3026.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3045"
},
{
"id": "CVE-2011-3048",
"summary": "The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted text chunk in a PNG image file, which triggers a memory allocation failure that is not properly handled, leading to a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3048"
},
{
"id": "CVE-2011-3328",
"summary": "The png_handle_cHRM function in pngrutil.c in libpng 1.5.4, when color-correction support is enabled, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a malformed PNG image containing a cHRM chunk associated with a certain zero value.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3328"
},
{
"id": "CVE-2011-3464",
"summary": "Off-by-one error in the png_formatted_warning function in pngerror.c in libpng 1.5.4 through 1.5.7 might allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unspecified vectors, which trigger a stack-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3464"
},
{
"id": "CVE-2012-3425",
"summary": "The png_push_read_zTXt function in pngpread.c in libpng 1.0.x before 1.0.58, 1.2.x before 1.2.48, 1.4.x before 1.4.10, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (out-of-bounds read) via a large avail_in field value in a PNG image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3425"
},
{
"id": "CVE-2013-6954",
"summary": "The png_do_expand_palette function in libpng before 1.6.8 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via (1) a PLTE chunk of zero bytes or (2) a NULL palette, related to pngrtran.c and pngset.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6954"
},
{
"id": "CVE-2013-7353",
"summary": "Integer overflow in the png_set_unknown_chunks function in libpng/pngset.c in libpng before 1.5.14beta08 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a crafted image, which triggers a heap-based buffer overflow.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7353"
},
{
"id": "CVE-2013-7354",
"summary": "Multiple integer overflows in libpng before 1.5.14rc03 allow remote attackers to cause a denial of service (crash) via a crafted image to the (1) png_set_sPLT or (2) png_set_text_2 function, which triggers a heap-based buffer overflow.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7354"
},
{
"id": "CVE-2014-0333",
"summary": "The png_push_read_chunk function in pngpread.c in the progressive decoder in libpng 1.6.x through 1.6.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an IDAT chunk with a length of zero.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0333"
},
{
"id": "CVE-2014-9495",
"summary": "Heap-based buffer overflow in the png_combine_row function in libpng before 1.5.21 and 1.6.x before 1.6.16, when running on 64-bit systems, might allow context-dependent attackers to execute arbitrary code via a \"very wide interlaced\" PNG image.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9495"
},
{
"id": "CVE-2015-0973",
"summary": "Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0973"
},
{
"id": "CVE-2015-7981",
"summary": "The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1.0.64, 1.2.x before 1.2.54, and 1.4.x before 1.4.17 allows remote attackers to obtain sensitive process memory information via crafted tIME chunk data in an image file, which triggers an out-of-bounds read.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7981"
},
{
"id": "CVE-2015-8126",
"summary": "Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8126"
},
{
"id": "CVE-2015-8472",
"summary": "Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, 1.1.x and 1.2.x before 1.2.55, 1.3.x, 1.4.x before 1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8126.",
"scorev2": "7.5",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8472"
},
{
"id": "CVE-2015-8540",
"summary": "Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8540"
},
{
"id": "CVE-2016-10087",
"summary": "The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10087"
},
{
"id": "CVE-2016-3751",
"summary": "Unspecified vulnerability in libpng before 1.6.20, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01, allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 23265085.",
"scorev2": "7.5",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3751"
},
{
"id": "CVE-2017-12652",
"summary": "libpng before 1.6.32 does not properly check the length of chunks against the user limit.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12652"
},
{
"id": "CVE-2018-13785",
"summary": "In libpng 1.6.34, a wrong calculation of row_factor in the png_check_chunk_length function (pngrutil.c) may trigger an integer overflow and resultant divide-by-zero while processing a crafted PNG file, leading to a denial of service.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13785"
},
{
"id": "CVE-2018-14048",
"summary": "An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data in png.c, related to the recommended error handling for png_read_image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14048"
},
{
"id": "CVE-2018-14550",
"summary": "An issue has been found in third-party PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14550"
},
{
"id": "CVE-2019-6129",
"summary": "png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. NOTE: a third party has stated \"I don't think it is libpng's job to free this buffer.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6129"
},
{
"id": "CVE-2019-7317",
"summary": "png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.",
"scorev2": "2.6",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7317"
},
{
"id": "CVE-2021-4214",
"summary": "A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4214"
},
{
"id": "CVE-2022-3857",
"summary": "A flaw was found in libpng 1.6.38. A crafted PNG image can lead to a segmentation fault and denial of service in png_setup_paeth_row() function.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3857"
}
]
},
{
"name": "nativesdk-libpthread-stubs",
"layer": "meta",
"version": "0.5",
"products": [
{
"product": "libpthread-stubs",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-libsdl2",
"layer": "meta",
"version": "2.30.1",
"products": [
{
"product": "simple_directmedia_layer",
"cvesInRecord": "Yes"
},
{
"product": "sdl",
"cvesInRecord": "No"
}
],
"issue": [
{
"id": "CVE-2017-2888",
"summary": "An exploitable integer overflow vulnerability exists when creating a new RGB Surface in SDL 2.0.5. A specially crafted file can cause an integer overflow resulting in too little memory being allocated which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2888"
},
{
"id": "CVE-2019-12216",
"summary": "An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a heap-based buffer overflow in the SDL2_image function IMG_LoadPCX_RW at IMG_pcx.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12216"
},
{
"id": "CVE-2019-12217",
"summary": "An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a NULL pointer dereference in the SDL stdio_read function in file/SDL_rwops.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12217"
},
{
"id": "CVE-2019-12218",
"summary": "An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a NULL pointer dereference in the SDL2_image function IMG_LoadPCX_RW at IMG_pcx.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12218"
},
{
"id": "CVE-2019-12219",
"summary": "An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an invalid free error in the SDL function SDL_SetError_REAL at SDL_error.c.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12219"
},
{
"id": "CVE-2019-12220",
"summary": "An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an out-of-bounds read in the SDL function SDL_FreePalette_REAL at video/SDL_pixels.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12220"
},
{
"id": "CVE-2019-12221",
"summary": "An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a SEGV in the SDL function SDL_free_REAL at stdlib/SDL_malloc.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12221"
},
{
"id": "CVE-2019-12222",
"summary": "An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9. There is an out-of-bounds read in the function SDL_InvalidateMap at video/SDL_pixels.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12222"
},
{
"id": "CVE-2019-13616",
"summary": "SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c.",
"scorev2": "5.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13616"
},
{
"id": "CVE-2019-14906",
"summary": "A flaw was found with the RHSA-2019:3950 erratum, where it did not fix the CVE-2019-13616 SDL vulnerability. This issue only affects Red Hat SDL packages, SDL versions through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer overflow flaw while copying an existing surface into a new optimized one, due to a lack of validation while loading a BMP image, is possible. An application that uses SDL to parse untrusted input files may be vulnerable to this flaw, which could allow an attacker to make the application crash or execute code.",
"scorev2": "7.5",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14906"
},
{
"id": "CVE-2019-7572",
"summary": "SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7572"
},
{
"id": "CVE-2019-7573",
"summary": "SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (inside the wNumCoef loop).",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7573"
},
{
"id": "CVE-2019-7574",
"summary": "SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7574"
},
{
"id": "CVE-2019-7575",
"summary": "SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7575"
},
{
"id": "CVE-2019-7576",
"summary": "SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (outside the wNumCoef loop).",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7576"
},
{
"id": "CVE-2019-7577",
"summary": "SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7577"
},
{
"id": "CVE-2019-7578",
"summary": "SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c.",
"scorev2": "5.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7578"
},
{
"id": "CVE-2019-7635",
"summary": "SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c.",
"scorev2": "5.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7635"
},
{
"id": "CVE-2019-7636",
"summary": "SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c.",
"scorev2": "5.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7636"
},
{
"id": "CVE-2019-7637",
"summary": "SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer overflow in SDL_FillRect in video/SDL_surface.c.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7637"
},
{
"id": "CVE-2019-7638",
"summary": "SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in Map1toN in video/SDL_pixels.c.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7638"
},
{
"id": "CVE-2020-14409",
"summary": "SDL (Simple DirectMedia Layer) through 2.0.12 has an Integer Overflow (and resultant SDL_memcpy heap corruption) in SDL_BlitCopy in video/SDL_blit_copy.c via a crafted .BMP file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14409"
},
{
"id": "CVE-2020-14410",
"summary": "SDL (Simple DirectMedia Layer) through 2.0.12 has a heap-based buffer over-read in Blit_3or4_to_3or4__inversed_rgb in video/SDL_blit_N.c via a crafted .BMP file.",
"scorev2": "5.8",
"scorev3": "5.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14410"
},
{
"id": "CVE-2021-33657",
"summary": "There is a heap overflow problem in video/SDL_pixels.c in SDL (Simple DirectMedia Layer) 2.x to 2.0.18 versions. By crafting a malicious .BMP file, an attacker can cause the application using this library to crash, denial of service or Code execution.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33657"
},
{
"id": "CVE-2022-34568",
"summary": "SDL v1.2 was discovered to contain a use-after-free via the XFree function at /src/video/x11/SDL_x11yuv.c.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-34568"
},
{
"id": "CVE-2022-4743",
"summary": "A potential memory leak issue was discovered in SDL2 in GLES_CreateTexture() function in SDL_render_gles.c. The vulnerability allows an attacker to cause a denial of service attack. The vulnerability affects SDL2 v2.0.4 and above. SDL-1.x are not affected.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4743"
}
]
},
{
"name": "nativesdk-libslirp",
"layer": "meta",
"version": "4.7.0",
"products": [
{
"product": "libslirp",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2019-14378",
"summary": "ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.",
"scorev2": "6.5",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14378"
},
{
"id": "CVE-2019-15890",
"summary": "libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15890"
},
{
"id": "CVE-2020-10756",
"summary": "An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure. This flaw affects versions of libslirp before 4.3.1.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10756"
},
{
"id": "CVE-2020-1983",
"summary": "A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows crafted packets to cause a denial of service.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1983"
},
{
"id": "CVE-2020-29129",
"summary": "ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.",
"scorev2": "4.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29129"
},
{
"id": "CVE-2020-29130",
"summary": "slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.",
"scorev2": "4.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29130"
},
{
"id": "CVE-2020-7039",
"summary": "tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code.",
"scorev2": "6.8",
"scorev3": "5.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-7039"
},
{
"id": "CVE-2020-7211",
"summary": "tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\\ directory traversal on Windows.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-7211"
},
{
"id": "CVE-2020-8608",
"summary": "In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code.",
"scorev2": "6.8",
"scorev3": "5.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8608"
},
{
"id": "CVE-2021-3592",
"summary": "An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.",
"scorev2": "2.1",
"scorev3": "3.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3592"
},
{
"id": "CVE-2021-3593",
"summary": "An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.",
"scorev2": "2.1",
"scorev3": "3.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3593"
},
{
"id": "CVE-2021-3594",
"summary": "An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.",
"scorev2": "2.1",
"scorev3": "3.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3594"
},
{
"id": "CVE-2021-3595",
"summary": "An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.",
"scorev2": "2.1",
"scorev3": "3.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3595"
}
]
},
{
"name": "nativesdk-libsolv",
"layer": "meta",
"version": "0.7.28",
"products": [
{
"product": "libsolv",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2018-20532",
"summary": "There is a NULL pointer dereference at ext/testcase.c (function testcase_read) in libsolvext.a in libsolv through 0.7.2 that will cause a denial of service.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20532"
},
{
"id": "CVE-2018-20533",
"summary": "There is a NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a in libsolv through 0.7.2 that will cause a denial of service.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20533"
},
{
"id": "CVE-2018-20534",
"summary": "There is an illegal address access at ext/testcase.c in libsolv.a in libsolv through 0.7.2 that will cause a denial of service. NOTE: third parties dispute this issue stating that the issue affects the test suite and not the underlying library. It cannot be exploited in any real-world application",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20534"
},
{
"id": "CVE-2019-20387",
"summary": "repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-based buffer over-read via a last schema whose length is less than the length of the input schema.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20387"
},
{
"id": "CVE-2021-3200",
"summary": "Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service",
"scorev2": "4.3",
"scorev3": "3.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3200"
},
{
"id": "CVE-2021-33928",
"summary": "Buffer overflow vulnerability in function pool_installable in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33928"
},
{
"id": "CVE-2021-33929",
"summary": "Buffer overflow vulnerability in function pool_disabled_solvable in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33929"
},
{
"id": "CVE-2021-33930",
"summary": "Buffer overflow vulnerability in function pool_installable_whatprovides in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33930"
},
{
"id": "CVE-2021-33938",
"summary": "Buffer overflow vulnerability in function prune_to_recommended in src/policy.c in libsolv before 0.7.17 allows attackers to cause a Denial of Service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33938"
},
{
"id": "CVE-2021-44568",
"summary": "Two heap-overflow vulnerabilities exist in openSUSE/libsolv libsolv through 13 Dec 2020 in the decisionmap variable via the resolve_dependencies function at src/solver.c (line 1940 & line 1995), which could cause a remote Denial of Service.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-44568"
}
]
},
{
"name": "nativesdk-libtasn1",
"layer": "meta",
"version": "4.19.0",
"products": [
{
"product": "libtasn1",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0401",
"summary": "Unknown vulnerability in libtasn1 0.1.x before 0.1.2, and 0.2.x before 0.2.7, related to the DER parsing functions.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0401"
},
{
"id": "CVE-2006-0645",
"summary": "Tiny ASN.1 Library (libtasn1) before 0.2.18, as used by (1) GnuTLS 1.2.x before 1.2.10 and 1.3.x before 1.3.4, and (2) GNU Shishi, allows attackers to crash the DER decoder and possibly execute arbitrary code via \"out-of-bounds access\" caused by invalid input, as demonstrated by the ProtoVer SSL test suite.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0645"
},
{
"id": "CVE-2012-1569",
"summary": "The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1569"
},
{
"id": "CVE-2014-3467",
"summary": "Multiple unspecified vulnerabilities in the DER decoder in GNU Libtasn1 before 3.6, as used in GnuTLS, allow remote attackers to cause a denial of service (out-of-bounds read) via crafted ASN.1 data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3467"
},
{
"id": "CVE-2014-3468",
"summary": "The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3468"
},
{
"id": "CVE-2014-3469",
"summary": "The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1 before 3.6 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via a NULL value in an ivalue argument.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3469"
},
{
"id": "CVE-2015-2806",
"summary": "Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows remote attackers to have unspecified impact via unknown vectors.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2806"
},
{
"id": "CVE-2015-3622",
"summary": "The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.5 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3622"
},
{
"id": "CVE-2016-4008",
"summary": "The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.8, when used without the ASN1_DECODE_FLAG_STRICT_DER flag, allows remote attackers to cause a denial of service (infinite recursion) via a crafted certificate.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4008"
},
{
"id": "CVE-2017-10790",
"summary": "The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10790"
},
{
"id": "CVE-2017-6891",
"summary": "Two errors in the \"asn1_find_node()\" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stacked-based buffer overflow by tricking a user into processing a specially crafted assignments file via the e.g. asn1Coding utility.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6891"
},
{
"id": "CVE-2018-1000654",
"summary": "GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000654"
},
{
"id": "CVE-2018-6003",
"summary": "An issue was discovered in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1 before 4.13. Unlimited recursion in the BER decoder leads to stack exhaustion and DoS.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6003"
},
{
"id": "CVE-2021-46848",
"summary": "GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.",
"scorev2": "0.0",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46848"
}
]
},
{
"name": "nativesdk-libtirpc",
"layer": "meta",
"version": "1.3.4",
"products": [
{
"product": "libtirpc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-1950",
"summary": "The svc_dg_getargs function in libtirpc 0.2.3 and earlier allows remote attackers to cause a denial of service (rpcbind crash) via a Sun RPC request with crafted arguments that trigger a free of an invalid pointer.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1950"
},
{
"id": "CVE-2017-8779",
"summary": "rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8779"
},
{
"id": "CVE-2018-14621",
"summary": "An infinite loop vulnerability was found in libtirpc before version 1.0.2-rc2. With the port to using poll rather than select, exhaustion of file descriptors would cause the server to enter an infinite loop, consuming a large amount of CPU time and denying service to other clients until restarted.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14621"
},
{
"id": "CVE-2018-14622",
"summary": "A null-pointer dereference vulnerability was found in libtirpc before version 0.3.3-rc3. The return value of makefd_xprt() was not checked in all instances, which could lead to a crash when the server exhausted the maximum number of available file descriptors. A remote attacker could cause an rpc-based application to crash by flooding it with new connections.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14622"
},
{
"id": "CVE-2021-46828",
"summary": "In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46828",
"detail": "fixed-version",
"description": "fixed in 1.3.3rc1 so not present in 1.3.3"
}
]
},
{
"name": "nativesdk-libtool",
"layer": "meta",
"version": "2.4.7",
"products": [
{
"product": "libtool",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0256",
"summary": "GNU libtool before 1.5.2, during compile time, allows local users to overwrite arbitrary files via a symlink attack on libtool directories in /tmp.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0256"
},
{
"id": "CVE-2009-3736",
"summary": "ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries, Q, and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3736"
}
]
},
{
"name": "nativesdk-libunistring",
"layer": "meta",
"version": "1.2",
"products": [
{
"product": "libunistring",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-libusb1",
"layer": "meta",
"version": "1.0.27",
"products": [
{
"product": "libusb",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-libx11",
"layer": "meta",
"version": "1_1.8.9",
"products": [
{
"product": "libx11",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2006-5397",
"summary": "The Xinput module (modules/im/ximcp/imLcIm.c) in X.Org libX11 1.0.2 and 1.0.3 opens a file for reading twice using the same file descriptor, which causes a file descriptor leak that allows local users to read files specified by the XCOMPOSEFILE environment variable via the duplicate file descriptor.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5397"
},
{
"id": "CVE-2007-1667",
"summary": "Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1667"
},
{
"id": "CVE-2013-1981",
"summary": "Multiple integer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XQueryFont, (2) _XF86BigfontQueryFont, (3) XListFontsWithInfo, (4) XGetMotionEvents, (5) XListHosts, (6) XGetModifierMapping, (7) XGetPointerMapping, (8) XGetKeyboardMapping, (9) XGetWindowProperty, (10) XGetImage, (11) LoadColornameDB, (12) XrmGetFileDatabase, (13) _XimParseStringFile, or (14) TransFileName functions.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1981"
},
{
"id": "CVE-2013-1997",
"summary": "Multiple buffer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XAllocColorCells, (2) _XkbReadGetDeviceInfoReply, (3) _XkbReadGeomShapes, (4) _XkbReadGetGeometryReply, (5) _XkbReadKeySyms, (6) _XkbReadKeyActions, (7) _XkbReadKeyBehaviors, (8) _XkbReadModifierMap, (9) _XkbReadExplicitComponents, (10) _XkbReadVirtualModMap, (11) _XkbReadGetNamesReply, (12) _XkbReadGetMapReply, (13) _XimXGetReadData, (14) XListFonts, (15) XListExtensions, and (16) XGetFontPath functions.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1997"
},
{
"id": "CVE-2013-2004",
"summary": "The (1) GetDatabase and (2) _XimParseStringFile functions in X.org libX11 1.5.99.901 (1.6 RC1) and earlier do not restrict the recursion depth when processing directives to include files, which allows X servers to cause a denial of service (stack consumption) via a crafted file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2004"
},
{
"id": "CVE-2013-7439",
"summary": "Multiple off-by-one errors in the (1) MakeBigReq and (2) SetReqLen macros in include/X11/Xlibint.h in X11R6.x and libX11 before 1.6.0 allow remote attackers to have unspecified impact via a crafted request, which triggers a buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7439"
},
{
"id": "CVE-2016-7942",
"summary": "The XGetImage function in X.org libX11 before 1.6.4 might allow remote X servers to gain privileges via vectors involving image type and geometry, which triggers out-of-bounds read operations.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7942"
},
{
"id": "CVE-2016-7943",
"summary": "The XListFonts function in X.org libX11 before 1.6.4 might allow remote X servers to gain privileges via vectors involving length fields, which trigger out-of-bounds write operations.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7943"
},
{
"id": "CVE-2018-14598",
"summary": "An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14598"
},
{
"id": "CVE-2018-14599",
"summary": "An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14599"
},
{
"id": "CVE-2018-14600",
"summary": "An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14600"
},
{
"id": "CVE-2020-14344",
"summary": "An integer overflow leading to a heap-buffer overflow was found in The X Input Method (XIM) client was implemented in libX11 before version 1.6.10. As per upstream this is security relevant when setuid programs call XIM client functions while running with elevated privileges. No such programs are shipped with Red Hat Enterprise Linux.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14344"
},
{
"id": "CVE-2020-14363",
"summary": "An integer overflow vulnerability leading to a double-free was found in libX11. This flaw allows a local privileged attacker to cause an application compiled with libX11 to crash, or in some cases, result in arbitrary code execution. The highest threat from this flaw is to confidentiality, integrity as well as system availability.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14363"
},
{
"id": "CVE-2021-31535",
"summary": "LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-31535"
},
{
"id": "CVE-2023-3138",
"summary": "A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3138"
},
{
"id": "CVE-2023-43785",
"summary": "A vulnerability was found in libX11 due to a boundary condition within the _XkbReadKeySyms() function. This flaw allows a local user to trigger an out-of-bounds read error and read the contents of memory on the system.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43785"
},
{
"id": "CVE-2023-43786",
"summary": "A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43786"
},
{
"id": "CVE-2023-43787",
"summary": "A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43787"
}
]
},
{
"name": "nativesdk-libxau",
"layer": "meta",
"version": "1_1.0.11",
"products": [
{
"product": "libxau",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-libxcb",
"layer": "meta",
"version": "1.16",
"products": [
{
"product": "libxcb",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-2064",
"summary": "Integer overflow in X.org libxcb 1.9 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the read_packet function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2064"
}
]
},
{
"name": "nativesdk-libxcomposite",
"layer": "meta",
"version": "1_0.4.6",
"products": [
{
"product": "libxcomposite",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-libxcrypt",
"layer": "meta",
"version": "4.4.36",
"products": [
{
"product": "libxcrypt",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-libxcursor",
"layer": "meta",
"version": "1_1.2.2",
"products": [
{
"product": "libxcursor",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-2003",
"summary": "Integer overflow in X.org libXcursor 1.1.13 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the _XcursorFileHeaderCreate function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2003"
},
{
"id": "CVE-2015-9262",
"summary": "_XcursorThemeInherits in library.c in libXcursor before 1.1.15 allows remote attackers to cause denial of service or potentially code execution via a one-byte heap overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9262"
},
{
"id": "CVE-2017-16612",
"summary": "libXcursor before 1.1.15 has various integer overflows that could lead to heap buffer overflows when processing malicious cursors, e.g., with programs like GIMP. It is also possible that an attack vector exists against the related code in cursor/xcursor.c in Wayland through 1.14.0.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16612"
}
]
},
{
"name": "nativesdk-libxdamage",
"layer": "meta",
"version": "1_1.1.6",
"products": [
{
"product": "libxdamage",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-libxdmcp",
"layer": "meta",
"version": "1_1.1.4",
"products": [
{
"product": "libxdmcp",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2017-2625",
"summary": "It was discovered that libXdmcp before 1.1.2 including used weak entropy to generate session keys. On a multi-user system using xdmcp, a local attacker could potentially use information available from the process list to brute force the key, allowing them to hijack other users' sessions.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2625"
}
]
},
{
"name": "nativesdk-libxext",
"layer": "meta",
"version": "1_1.3.6",
"products": [
{
"product": "libxext",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-1982",
"summary": "Multiple integer overflows in X.org libXext 1.3.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XcupGetReservedColormapEntries, (2) XcupStoreColors, (3) XdbeGetVisualInfo, (4) XeviGetVisualInfo, (5) XShapeGetRectangles, and (6) XSyncListSystemCounters functions.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1982"
}
]
},
{
"name": "nativesdk-libxfixes",
"layer": "meta",
"version": "1_6.0.1",
"products": [
{
"product": "libxfixes",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-1983",
"summary": "Integer overflow in X.org libXfixes 5.0 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XFixesGetCursorImage function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1983"
},
{
"id": "CVE-2016-7944",
"summary": "Integer overflow in X.org libXfixes before 5.0.3 on 32-bit platforms might allow remote X servers to gain privileges via a length value of INT_MAX, which triggers the client to stop reading data and get out of sync.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7944"
}
]
},
{
"name": "nativesdk-libxft",
"layer": "meta",
"version": "1_2.3.8",
"products": [
{
"product": "libxft",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-libxi",
"layer": "meta",
"version": "1_1.8.1",
"products": [
{
"product": "libxi",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-1984",
"summary": "Multiple integer overflows in X.org libXi 1.7.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XGetDeviceControl, (2) XGetFeedbackControl, (3) XGetDeviceDontPropagateList, (4) XGetDeviceMotionEvents, (5) XIGetProperty, (6) XIGetSelectedEvents, (7) XGetDeviceProperties, and (8) XListInputDevices functions.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1984"
},
{
"id": "CVE-2013-1995",
"summary": "X.org libXi 1.7.1 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to an unexpected sign extension in the XListInputDevices function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1995"
},
{
"id": "CVE-2013-1998",
"summary": "Multiple buffer overflows in X.org libXi 1.7.1 and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XGetDeviceButtonMapping, (2) XIPassiveGrabDevice, and (3) XQueryDeviceState functions.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1998"
},
{
"id": "CVE-2016-7945",
"summary": "Multiple integer overflows in X.org libXi before 1.7.7 allow remote X servers to cause a denial of service (out-of-bounds memory access or infinite loop) via vectors involving length fields.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7945"
},
{
"id": "CVE-2016-7946",
"summary": "X.org libXi before 1.7.7 allows remote X servers to cause a denial of service (infinite loop) via vectors involving length fields.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7946"
}
]
},
{
"name": "nativesdk-libxml2",
"layer": "meta",
"version": "2.12.6",
"products": [
{
"product": "libxml2",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2003-1564",
"summary": "libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the \"billion laughs attack.\"",
"scorev2": "9.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-1564"
},
{
"id": "CVE-2004-0110",
"summary": "Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0110"
},
{
"id": "CVE-2004-0989",
"summary": "Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is not properly handled by the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy function, and other overflows related to manipulation of DNS length values, including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5) xmlNanoHTTPConnectHost.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0989"
},
{
"id": "CVE-2008-3281",
"summary": "libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3281"
},
{
"id": "CVE-2008-3529",
"summary": "Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3529"
},
{
"id": "CVE-2008-4409",
"summary": "libxml2 2.7.0 and 2.7.1 does not properly handle \"predefined entities definitions\" in entities, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash), as demonstrated by use of xmllint on a certain XML document, a different vulnerability than CVE-2003-1564 and CVE-2008-3281.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4409"
},
{
"id": "CVE-2009-2414",
"summary": "Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD, related to a function recursion, as demonstrated by the Codenomicon XML fuzzing framework.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2414"
},
{
"id": "CVE-2009-2416",
"summary": "Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2416"
},
{
"id": "CVE-2010-4008",
"summary": "libxml2 before 2.7.8, as used in Google Chrome before 7.0.517.44, Apple Safari 5.0.2 and earlier, and other products, reads from invalid memory locations during processing of malformed XPath expressions, which allows context-dependent attackers to cause a denial of service (application crash) via a crafted XML document.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4008"
},
{
"id": "CVE-2010-4494",
"summary": "Double free vulnerability in libxml2 2.7.8 and other versions, as used in Google Chrome before 8.0.552.215 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4494"
},
{
"id": "CVE-2011-1944",
"summary": "Integer overflow in xpath.c in libxml2 2.6.x through 2.6.32 and 2.7.x through 2.7.8, and libxml 1.8.16 and earlier, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted XML file that triggers a heap-based buffer overflow when adding a new namespace node, related to handling of XPath expressions.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1944"
},
{
"id": "CVE-2012-0841",
"summary": "libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0841"
},
{
"id": "CVE-2012-2871",
"summary": "libxml2 2.9.0-rc1 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly support a cast of an unspecified variable during handling of XSL transforms, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document, related to the _xmlNs data structure in include/libxml/tree.h.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2871"
},
{
"id": "CVE-2012-5134",
"summary": "Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 2.9.0 and earlier, as used in Google Chrome before 23.0.1271.91 and other products, allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted entities in an XML document.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5134"
},
{
"id": "CVE-2013-0338",
"summary": "libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka \"internal entity expansion\" with linear complexity.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0338"
},
{
"id": "CVE-2013-0339",
"summary": "libxml2 through 2.9.1 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because libxml2 already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed and each affected application would need its own CVE.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0339"
},
{
"id": "CVE-2013-1969",
"summary": "Multiple use-after-free vulnerabilities in libxml2 2.9.0 and possibly other versions might allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to the (1) htmlParseChunk and (2) xmldecl_done functions, as demonstrated by a buffer overflow in the xmlBufGetInputBase function.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1969"
},
{
"id": "CVE-2013-2877",
"summary": "parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2877"
},
{
"id": "CVE-2014-3660",
"summary": "parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the \"billion laughs\" attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3660"
},
{
"id": "CVE-2015-5312",
"summary": "The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5312"
},
{
"id": "CVE-2015-6837",
"summary": "The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation during initial error checking, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6838.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6837"
},
{
"id": "CVE-2015-6838",
"summary": "The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation after the principal argument loop, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6838"
},
{
"id": "CVE-2015-7497",
"summary": "Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7497"
},
{
"id": "CVE-2015-7498",
"summary": "Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7498"
},
{
"id": "CVE-2015-7499",
"summary": "Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7499"
},
{
"id": "CVE-2015-7500",
"summary": "The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7500"
},
{
"id": "CVE-2015-7941",
"summary": "libxml2 2.9.2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as demonstrated by non-terminated entities.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7941"
},
{
"id": "CVE-2015-7942",
"summary": "The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a different vulnerability than CVE-2015-7941.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7942"
},
{
"id": "CVE-2015-8035",
"summary": "The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8035"
},
{
"id": "CVE-2015-8241",
"summary": "The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8241"
},
{
"id": "CVE-2015-8242",
"summary": "The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8242"
},
{
"id": "CVE-2015-8317",
"summary": "The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8317"
},
{
"id": "CVE-2015-8710",
"summary": "The htmlParseComment function in HTMLparser.c in libxml2 allows attackers to obtain sensitive information, cause a denial of service (out-of-bounds heap memory access and application crash), or possibly have unspecified other impact via an unclosed HTML comment.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8710"
},
{
"id": "CVE-2015-8806",
"summary": "dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the \"type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about \"size\" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9047"
},
{
"id": "CVE-2017-9048",
"summary": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9048"
},
{
"id": "CVE-2017-9049",
"summary": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9049"
},
{
"id": "CVE-2017-9050",
"summary": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9050"
},
{
"id": "CVE-2018-14404",
"summary": "A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14404"
},
{
"id": "CVE-2018-14567",
"summary": "libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14567"
},
{
"id": "CVE-2018-9251",
"summary": "The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035.",
"scorev2": "2.6",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9251"
},
{
"id": "CVE-2019-19956",
"summary": "xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19956"
},
{
"id": "CVE-2019-20388",
"summary": "xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20388"
},
{
"id": "CVE-2020-24977",
"summary": "GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.",
"scorev2": "6.4",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24977"
},
{
"id": "CVE-2020-7595",
"summary": "xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-7595"
},
{
"id": "CVE-2021-3517",
"summary": "There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.",
"scorev2": "7.5",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3517"
},
{
"id": "CVE-2021-3518",
"summary": "There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3518"
},
{
"id": "CVE-2021-3537",
"summary": "A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3537"
},
{
"id": "CVE-2021-3541",
"summary": "A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3541"
},
{
"id": "CVE-2022-23308",
"summary": "valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.",
"scorev2": "4.3",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23308"
},
{
"id": "CVE-2022-29824",
"summary": "In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29824"
},
{
"id": "CVE-2022-40303",
"summary": "An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40303"
},
{
"id": "CVE-2022-40304",
"summary": "An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40304"
},
{
"id": "CVE-2023-28484",
"summary": "In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28484"
},
{
"id": "CVE-2023-29469",
"summary": "An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\\0' value).",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29469"
},
{
"id": "CVE-2023-39615",
"summary": "Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39615"
},
{
"id": "CVE-2023-45322",
"summary": "libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is \"I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail.\"",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-45322",
"detail": "disputed",
"description": "issue requires memory allocation to fail"
},
{
"id": "CVE-2024-25062",
"summary": "An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-25062"
}
]
},
{
"name": "nativesdk-libxrandr",
"layer": "meta",
"version": "1_1.5.4",
"products": [
{
"product": "libxrandr",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-1986",
"summary": "Multiple integer overflows in X.org libXrandr 1.4.0 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XRRQueryOutputProperty and (2) XRRQueryProviderProperty functions.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1986"
},
{
"id": "CVE-2016-7947",
"summary": "Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted response.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7947"
},
{
"id": "CVE-2016-7948",
"summary": "X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7948"
}
]
},
{
"name": "nativesdk-libxrender",
"layer": "meta",
"version": "1_0.9.11",
"products": [
{
"product": "libxrender",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-1987",
"summary": "Multiple integer overflows in X.org libXrender 0.9.7 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XRenderQueryFilters, (2) XRenderQueryFormats, and (3) XRenderQueryPictIndexValues functions.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1987"
},
{
"id": "CVE-2016-7949",
"summary": "Multiple buffer overflows in the (1) XvQueryAdaptors and (2) XvQueryEncodings functions in X.org libXrender before 0.9.10 allow remote X servers to trigger out-of-bounds write operations via vectors involving length fields.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7949"
},
{
"id": "CVE-2016-7950",
"summary": "The XRenderQueryFilters function in X.org libXrender before 0.9.10 allows remote X servers to trigger out-of-bounds write operations via vectors involving filter name lengths.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7950"
}
]
},
{
"name": "nativesdk-libxshmfence",
"layer": "meta",
"version": "1.3.2",
"products": [
{
"product": "libxshmfence",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-libxtst",
"layer": "meta",
"version": "1_1.2.4",
"products": [
{
"product": "libxtst",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-2063",
"summary": "Integer overflow in X.org libXtst 1.2.1 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XRecordGetContext function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2063"
},
{
"id": "CVE-2016-7951",
"summary": "Multiple integer overflows in X.org libXtst before 1.2.3 allow remote X servers to trigger out-of-bounds memory access operations by leveraging the lack of range checks.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7951"
},
{
"id": "CVE-2016-7952",
"summary": "X.org libXtst before 1.2.3 allows remote X servers to cause a denial of service (infinite loop) via a reply in the (1) XRecordStartOfData, (2) XRecordEndOfData, or (3) XRecordClientDied category without a client sequence and with attached data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7952"
}
]
},
{
"name": "nativesdk-libxxf86vm",
"layer": "meta",
"version": "1_1.1.5",
"products": [
{
"product": "libxxf86vm",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-2001",
"summary": "Buffer overflow in X.org libXxf86vm 1.1.2 and earlier allows X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the XF86VidModeGetGammaRamp function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2001"
}
]
},
{
"name": "nativesdk-linux-libc-headers",
"layer": "meta",
"version": "6.6",
"products": [
{
"product": "linux-libc-headers",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-lua",
"layer": "meta",
"version": "5.4.6",
"products": [
{
"product": "lua",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2014-5461",
"summary": "Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5461"
},
{
"id": "CVE-2019-6706",
"summary": "Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6706"
},
{
"id": "CVE-2020-15888",
"summary": "Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15888"
},
{
"id": "CVE-2020-15889",
"summary": "Lua 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15889"
},
{
"id": "CVE-2020-15945",
"summary": "Lua through 5.4.0 has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15945"
},
{
"id": "CVE-2020-24342",
"summary": "Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24342"
},
{
"id": "CVE-2020-24369",
"summary": "ldebug.c in Lua 5.4.0 attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24369"
},
{
"id": "CVE-2020-24370",
"summary": "ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24370"
},
{
"id": "CVE-2020-24371",
"summary": "lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24371"
},
{
"id": "CVE-2021-43519",
"summary": "Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows attackers to perform a Denial of Service via a crafted script file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43519"
},
{
"id": "CVE-2021-44647",
"summary": "Lua v5.4.3 and above are affected by SEGV by type confusion in funcnamefromcode function in ldebug.c which can cause a local denial of service.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-44647"
},
{
"id": "CVE-2021-44964",
"summary": "Use after free in garbage collector and finalizer of lgc.c in Lua interpreter 5.4.0~5.4.3 allows attackers to perform Sandbox Escape via a crafted script file.",
"scorev2": "4.3",
"scorev3": "6.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-44964"
},
{
"id": "CVE-2021-45985",
"summary": "In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45985"
},
{
"id": "CVE-2022-28805",
"summary": "singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-28805"
},
{
"id": "CVE-2022-33099",
"summary": "An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33099"
}
]
},
{
"name": "nativesdk-lzlib",
"layer": "meta",
"version": "1.14",
"products": [
{
"product": "lzlib",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-m4",
"layer": "meta",
"version": "1.4.19",
"products": [
{
"product": "m4",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2008-1687",
"summary": "The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1.4.11 do not quote their output when a file is created, which might allow context-dependent attackers to trigger a macro expansion, leading to unspecified use of an incorrect filename.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1687"
},
{
"id": "CVE-2008-1688",
"summary": "Unspecified vulnerability in GNU m4 before 1.4.11 might allow context-dependent attackers to execute arbitrary code, related to improper handling of filenames specified with the -F option. NOTE: it is not clear when this issue crosses privilege boundaries.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1688"
}
]
},
{
"name": "nativesdk-makedevs",
"layer": "meta",
"version": "1.0.1",
"products": [
{
"product": "makedevs",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-mesa",
"layer": "meta",
"version": "2_24.0.3",
"products": [
{
"product": "mesa",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2001-0474",
"summary": "Utah-glx in Mesa before 3.3-14 on Mandrake Linux 7.2 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/glxmemory file.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0474"
},
{
"id": "CVE-2013-1872",
"summary": "The Intel drivers in Mesa 8.0.x and 9.0.x allow context-dependent attackers to cause a denial of service (reachable assertion and crash) and possibly execute arbitrary code via vectors involving 3d graphics that trigger an out-of-bounds array access, related to the fs_visitor::remove_dead_constants function. NOTE: this issue might be related to CVE-2013-0796.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1872"
},
{
"id": "CVE-2013-1993",
"summary": "Multiple integer overflows in X.org libGLX in Mesa 9.1.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XF86DRIOpenConnection and (2) XF86DRIGetClientDriverName functions.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1993"
},
{
"id": "CVE-2019-5068",
"summary": "An exploitable shared memory permissions vulnerability exists in the functionality of X11 Mesa 3D Graphics Library 19.1.2. An attacker can access the shared memory without any specific permissions to trigger this vulnerability.",
"scorev2": "3.6",
"scorev3": "5.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5068"
}
]
},
{
"name": "nativesdk-meson",
"layer": "meta",
"version": "1.3.1",
"products": [
{
"product": "meson",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-mpfr",
"layer": "meta",
"version": "4.2.1",
"products": [
{
"product": "mpfr",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-ncurses",
"layer": "meta",
"version": "6.4",
"products": [
{
"product": "ncurses",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2000-0963",
"summary": "Buffer overflow in ncurses library allows local users to execute arbitrary commands via long environmental information such as TERM or TERMINFO_DIRS.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0963"
},
{
"id": "CVE-2002-0062",
"summary": "Buffer overflow in ncurses 5.0, and the ncurses4 compatibility package as used in Red Hat Linux, allows local users to gain privileges, related to \"routines for moving the physical cursor and scrolling.\"",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0062"
},
{
"id": "CVE-2017-10684",
"summary": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10684"
},
{
"id": "CVE-2017-10685",
"summary": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10685"
},
{
"id": "CVE-2017-11112",
"summary": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11112"
},
{
"id": "CVE-2017-11113",
"summary": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11113"
},
{
"id": "CVE-2017-13728",
"summary": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13728"
},
{
"id": "CVE-2017-13729",
"summary": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13729"
},
{
"id": "CVE-2017-13730",
"summary": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13730"
},
{
"id": "CVE-2017-13731",
"summary": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13731"
},
{
"id": "CVE-2017-13732",
"summary": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13732"
},
{
"id": "CVE-2017-13733",
"summary": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13733"
},
{
"id": "CVE-2017-13734",
"summary": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13734"
},
{
"id": "CVE-2017-16879",
"summary": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16879"
},
{
"id": "CVE-2018-19211",
"summary": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19211"
},
{
"id": "CVE-2018-19217",
"summary": "In ncurses, possibly a 6.x version, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack. NOTE: the original report stated version 6.1, but the issue did not reproduce for that version according to the maintainer or a reliable third-party",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19217"
},
{
"id": "CVE-2019-15547",
"summary": "An issue was discovered in the ncurses crate through 5.99.0 for Rust. There are format string issues in printw functions because C format arguments are mishandled.",
"scorev2": "6.4",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15547"
},
{
"id": "CVE-2019-15548",
"summary": "An issue was discovered in the ncurses crate through 5.99.0 for Rust. There are instr and mvwinstr buffer overflows because interaction with C functions is mishandled.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15548"
},
{
"id": "CVE-2019-17594",
"summary": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"scorev2": "4.6",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17594"
},
{
"id": "CVE-2019-17595",
"summary": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"scorev2": "5.8",
"scorev3": "5.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17595"
},
{
"id": "CVE-2020-19185",
"summary": "Buffer Overflow vulnerability in one_one_mapping function in progs/dump_entry.c:1373 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19185"
},
{
"id": "CVE-2020-19186",
"summary": "Buffer Overflow vulnerability in _nc_find_entry function in tinfo/comp_hash.c:66 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19186"
},
{
"id": "CVE-2020-19187",
"summary": "Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1100 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19187"
},
{
"id": "CVE-2020-19188",
"summary": "Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1116 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19188"
},
{
"id": "CVE-2020-19189",
"summary": "Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19189"
},
{
"id": "CVE-2020-19190",
"summary": "Buffer Overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:70 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19190"
},
{
"id": "CVE-2021-39537",
"summary": "An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-39537"
},
{
"id": "CVE-2022-29458",
"summary": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.",
"scorev2": "5.8",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29458"
},
{
"id": "CVE-2023-29491",
"summary": "ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29491"
},
{
"id": "CVE-2023-45918",
"summary": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-45918"
},
{
"id": "CVE-2023-50495",
"summary": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495"
}
]
},
{
"name": "nativesdk-nettle",
"layer": "meta",
"version": "3.9.1",
"products": [
{
"product": "nettle",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-8803",
"summary": "The ecc_256_modp function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8805.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8803"
},
{
"id": "CVE-2015-8804",
"summary": "x86_64/ecc-384-modp.asm in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-384 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8804"
},
{
"id": "CVE-2015-8805",
"summary": "The ecc_256_modq function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8803.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8805"
},
{
"id": "CVE-2016-6489",
"summary": "The RSA and DSA decryption code in Nettle makes it easier for attackers to discover private keys via a cache side channel attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6489"
},
{
"id": "CVE-2018-16869",
"summary": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
"scorev2": "3.3",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16869"
},
{
"id": "CVE-2021-20305",
"summary": "A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20305"
},
{
"id": "CVE-2021-3580",
"summary": "A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3580"
},
{
"id": "CVE-2023-36660",
"summary": "The OCB feature in libnettle in Nettle 3.9 before 3.9.1 allows memory corruption.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-36660"
}
]
},
{
"name": "nativesdk-ninja",
"layer": "meta",
"version": "1.11.1",
"products": [
{
"product": "ninja",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2014-4550",
"summary": "Cross-site scripting (XSS) vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode parameter.",
"scorev2": "4.3",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4550"
},
{
"id": "CVE-2021-4336",
"summary": "A vulnerability was found in ITRS Group monitor-ninja up to 2021.11.1. It has been rated as critical. Affected by this issue is some unknown functionality of the file modules/reports/models/scheduled_reports.php. The manipulation leads to sql injection. Upgrading to version 2021.11.30 is able to address this issue. The name of the patch is 6da9080faec9bca1ca5342386c0421dca0a6c0cc. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-230084.",
"scorev2": "5.2",
"scorev3": "9.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4336",
"detail": "cpe-incorrect",
"description": "This is a different Ninja"
}
]
},
{
"name": "nativesdk-openssl",
"layer": "meta",
"version": "3.2.1",
"products": [
{
"product": "openssl",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-0428",
"summary": "OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0428"
},
{
"id": "CVE-2000-0535",
"summary": "OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly check for the existence of the /dev/random or /dev/urandom devices, which are absent on FreeBSD Alpha systems, which causes them to produce weak keys which may be more easily broken.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0535"
},
{
"id": "CVE-2000-1254",
"summary": "crypto/rsa/rsa_gen.c in OpenSSL before 0.9.6 mishandles C bitwise-shift operations that exceed the size of an expression, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging improper RSA key generation on 64-bit HP-UX platforms.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-1254"
},
{
"id": "CVE-2001-1141",
"summary": "The Pseudo-Random Number Generator (PRNG) in SSLeay and OpenSSL before 0.9.6b allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1141"
},
{
"id": "CVE-2002-0655",
"summary": "OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, does not properly handle ASCII representations of integers on 64 bit platforms, which could allow attackers to cause a denial of service and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0655"
},
{
"id": "CVE-2002-0656",
"summary": "Buffer overflows in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allow remote attackers to execute arbitrary code via (1) a large client master key in SSL2 or (2) a large session ID in SSL3.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0656"
},
{
"id": "CVE-2002-0657",
"summary": "Buffer overflow in OpenSSL 0.9.7 before 0.9.7-beta3, with Kerberos enabled, allows attackers to execute arbitrary code via a long master key.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0657"
},
{
"id": "CVE-2002-0659",
"summary": "The ASN1 library in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allows remote attackers to cause a denial of service via invalid encodings.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0659"
},
{
"id": "CVE-2002-1568",
"summary": "OpenSSL 0.9.6e uses assertions when detecting buffer overflow attacks instead of less severe mechanisms, which allows remote attackers to cause a denial of service (crash) via certain messages that cause OpenSSL to abort from a failed assertion, as demonstrated using SSLv2 CLIENT_MASTER_KEY messages, which are not properly handled in s2_srvr.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1568"
},
{
"id": "CVE-2003-0078",
"summary": "ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the \"Vaudenay timing attack.\"",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0078"
},
{
"id": "CVE-2003-0131",
"summary": "The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the \"Klima-Pokorny-Rosa attack.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0131"
},
{
"id": "CVE-2003-0147",
"summary": "OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms (\"Karatsuba\" and normal).",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0147"
},
{
"id": "CVE-2003-0543",
"summary": "Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0543"
},
{
"id": "CVE-2003-0544",
"summary": "OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0544"
},
{
"id": "CVE-2003-0545",
"summary": "Double free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0545"
},
{
"id": "CVE-2003-0851",
"summary": "OpenSSL 0.9.6k allows remote attackers to cause a denial of service (crash via large recursion) via malformed ASN.1 sequences.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0851"
},
{
"id": "CVE-2004-0079",
"summary": "The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0079"
},
{
"id": "CVE-2004-0081",
"summary": "OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0081"
},
{
"id": "CVE-2004-0975",
"summary": "The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0975"
},
{
"id": "CVE-2005-1797",
"summary": "The design of Advanced Encryption Standard (AES), aka Rijndael, allows remote attackers to recover AES keys via timing attacks on S-box lookups, which are difficult to perform in constant time in AES implementations.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1797"
},
{
"id": "CVE-2005-2946",
"summary": "The default configuration on OpenSSL before 0.9.8 uses MD5 for creating message digests instead of a more cryptographically strong algorithm, which makes it easier for remote attackers to forge certificates with a valid certificate authority signature.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2946"
},
{
"id": "CVE-2005-2969",
"summary": "The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preventing protocol version rollback attacks, which allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2969"
},
{
"id": "CVE-2006-2937",
"summary": "OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2937"
},
{
"id": "CVE-2006-2940",
"summary": "OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) \"public exponent\" or (2) \"public modulus\" values in X.509 certificates that require extra time to process when using RSA signature verification.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2940"
},
{
"id": "CVE-2006-3738",
"summary": "Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list of ciphers.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3738"
},
{
"id": "CVE-2006-4339",
"summary": "OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4339"
},
{
"id": "CVE-2006-4343",
"summary": "The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4343"
},
{
"id": "CVE-2006-7250",
"summary": "The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7250"
},
{
"id": "CVE-2007-3108",
"summary": "The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3108"
},
{
"id": "CVE-2007-4995",
"summary": "Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f allows remote attackers to execute arbitrary code via unspecified vectors.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4995"
},
{
"id": "CVE-2007-5135",
"summary": "Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5135"
},
{
"id": "CVE-2008-0166",
"summary": "OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0166"
},
{
"id": "CVE-2008-0891",
"summary": "Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS server name extensions are enabled, allows remote attackers to cause a denial of service (crash) via a malformed Client Hello packet. NOTE: some of these details are obtained from third party information.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0891"
},
{
"id": "CVE-2008-1672",
"summary": "OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server Key Exchange message and uses \"particular cipher suites,\" which triggers a NULL pointer dereference.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1672"
},
{
"id": "CVE-2008-1678",
"summary": "Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1678"
},
{
"id": "CVE-2008-5077",
"summary": "OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5077"
},
{
"id": "CVE-2008-7270",
"summary": "OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-7270"
},
{
"id": "CVE-2009-0590",
"summary": "The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0590"
},
{
"id": "CVE-2009-0591",
"summary": "The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0591"
},
{
"id": "CVE-2009-0653",
"summary": "OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an intermediate CA-signed certificate, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack, a related issue to CVE-2002-0970.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0653"
},
{
"id": "CVE-2009-0789",
"summary": "OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0789"
},
{
"id": "CVE-2009-1377",
"summary": "The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of \"future epoch\" DTLS records that are buffered in a queue, aka \"DTLS record buffer limitation bug.\"",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1377"
},
{
"id": "CVE-2009-1378",
"summary": "Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka \"DTLS fragment handling memory leak.\"",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1378"
},
{
"id": "CVE-2009-1379",
"summary": "Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1379"
},
{
"id": "CVE-2009-1386",
"summary": "ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1386"
},
{
"id": "CVE-2009-1387",
"summary": "The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a \"fragment bug.\"",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1387"
},
{
"id": "CVE-2009-2409",
"summary": "The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2409"
},
{
"id": "CVE-2009-3245",
"summary": "OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3245"
},
{
"id": "CVE-2009-3555",
"summary": "The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a \"plaintext injection\" attack, aka the \"Project Mogul\" issue.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3555"
},
{
"id": "CVE-2009-4355",
"summary": "Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4355"
},
{
"id": "CVE-2010-0433",
"summary": "The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0433"
},
{
"id": "CVE-2010-0740",
"summary": "The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through 0.9.8m allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection that triggers a NULL pointer dereference, related to the minor version number. NOTE: some of these details are obtained from third party information.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0740"
},
{
"id": "CVE-2010-0742",
"summary": "The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0742"
},
{
"id": "CVE-2010-0928",
"summary": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0928"
},
{
"id": "CVE-2010-1633",
"summary": "RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors. NOTE: some of these details are obtained from third party information.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1633"
},
{
"id": "CVE-2010-2939",
"summary": "Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, when using ECDH, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted private key with an invalid prime. NOTE: some sources refer to this as a use-after-free issue.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2939"
},
{
"id": "CVE-2010-3864",
"summary": "Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3864"
},
{
"id": "CVE-2010-4180",
"summary": "OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4180"
},
{
"id": "CVE-2010-4252",
"summary": "OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4252"
},
{
"id": "CVE-2010-5298",
"summary": "Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5298"
},
{
"id": "CVE-2011-0014",
"summary": "ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka \"OCSP stapling vulnerability.\"",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0014"
},
{
"id": "CVE-2011-1473",
"summary": "OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1473"
},
{
"id": "CVE-2011-1945",
"summary": "The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1945"
},
{
"id": "CVE-2011-3207",
"summary": "crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3207"
},
{
"id": "CVE-2011-3210",
"summary": "The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages from clients, which allows remote attackers to cause a denial of service (daemon crash) via out-of-order messages that violate the TLS protocol.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3210"
},
{
"id": "CVE-2011-4108",
"summary": "The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4108"
},
{
"id": "CVE-2011-4109",
"summary": "Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4109"
},
{
"id": "CVE-2011-4354",
"summary": "crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances involving ECDH or ECDHE cipher suites, uses an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves, which allows remote attackers to obtain the private key of a TLS server via multiple handshake attempts.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4354"
},
{
"id": "CVE-2011-4576",
"summary": "The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4576"
},
{
"id": "CVE-2011-4577",
"summary": "OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4577"
},
{
"id": "CVE-2011-4619",
"summary": "The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4619"
},
{
"id": "CVE-2011-5095",
"summary": "The Diffie-Hellman key-exchange implementation in OpenSSL 0.9.8, when FIPS mode is enabled, does not properly validate a public parameter, which makes it easier for man-in-the-middle attackers to obtain the shared secret key by modifying network traffic, a related issue to CVE-2011-1923.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-5095"
},
{
"id": "CVE-2012-0027",
"summary": "The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0027"
},
{
"id": "CVE-2012-0050",
"summary": "OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, which allows remote attackers to cause a denial of service (crash) via unspecified vectors related to an out-of-bounds read. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4108.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0050"
},
{
"id": "CVE-2012-0884",
"summary": "The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0884"
},
{
"id": "CVE-2012-1165",
"summary": "The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1165"
},
{
"id": "CVE-2012-2110",
"summary": "The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2110"
},
{
"id": "CVE-2012-2131",
"summary": "Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL 0.9.8v allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2110.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2131"
},
{
"id": "CVE-2012-2333",
"summary": "Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2333"
},
{
"id": "CVE-2012-2686",
"summary": "crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TLS 1.1 and 1.2 implementations in OpenSSL 1.0.1 before 1.0.1d allows remote attackers to cause a denial of service (application crash) via crafted CBC data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2686"
},
{
"id": "CVE-2013-0166",
"summary": "OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0166"
},
{
"id": "CVE-2013-0169",
"summary": "The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0169"
},
{
"id": "CVE-2013-4353",
"summary": "The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4353"
},
{
"id": "CVE-2013-6449",
"summary": "The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6449"
},
{
"id": "CVE-2013-6450",
"summary": "The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6450"
},
{
"id": "CVE-2014-0076",
"summary": "The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0076"
},
{
"id": "CVE-2014-0160",
"summary": "The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0160"
},
{
"id": "CVE-2014-0195",
"summary": "The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0195"
},
{
"id": "CVE-2014-0198",
"summary": "The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0198"
},
{
"id": "CVE-2014-0221",
"summary": "The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0221"
},
{
"id": "CVE-2014-0224",
"summary": "OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the \"CCS Injection\" vulnerability.",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0224"
},
{
"id": "CVE-2014-3470",
"summary": "The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3470"
},
{
"id": "CVE-2014-3505",
"summary": "Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3505"
},
{
"id": "CVE-2014-3506",
"summary": "d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3506"
},
{
"id": "CVE-2014-3507",
"summary": "Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3507"
},
{
"id": "CVE-2014-3508",
"summary": "The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3508"
},
{
"id": "CVE-2014-3509",
"summary": "Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3509"
},
{
"id": "CVE-2014-3510",
"summary": "The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote DTLS servers to cause a denial of service (NULL pointer dereference and client application crash) via a crafted handshake message in conjunction with a (1) anonymous DH or (2) anonymous ECDH ciphersuite.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3510"
},
{
"id": "CVE-2014-3511",
"summary": "The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a \"protocol downgrade\" issue.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3511"
},
{
"id": "CVE-2014-3512",
"summary": "Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP implementation in OpenSSL 1.0.1 before 1.0.1i allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid SRP (1) g, (2) A, or (3) B parameter.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3512"
},
{
"id": "CVE-2014-3513",
"summary": "Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3513"
},
{
"id": "CVE-2014-3566",
"summary": "The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the \"POODLE\" issue.",
"scorev2": "4.3",
"scorev3": "3.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3566"
},
{
"id": "CVE-2014-3567",
"summary": "Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3567"
},
{
"id": "CVE-2014-3568",
"summary": "OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3568"
},
{
"id": "CVE-2014-3569",
"summary": "The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3569"
},
{
"id": "CVE-2014-3570",
"summary": "The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3570"
},
{
"id": "CVE-2014-3571",
"summary": "OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3571"
},
{
"id": "CVE-2014-3572",
"summary": "The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3572"
},
{
"id": "CVE-2014-5139",
"summary": "The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i allows remote SSL servers to cause a denial of service (NULL pointer dereference and client application crash) via a ServerHello message that includes an SRP ciphersuite without the required negotiation of that ciphersuite with the client.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5139"
},
{
"id": "CVE-2014-8176",
"summary": "The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8176"
},
{
"id": "CVE-2014-8275",
"summary": "OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8275"
},
{
"id": "CVE-2015-0204",
"summary": "The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the \"FREAK\" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0204"
},
{
"id": "CVE-2015-0205",
"summary": "The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0205"
},
{
"id": "CVE-2015-0206",
"summary": "Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0206"
},
{
"id": "CVE-2015-0207",
"summary": "The dtls1_listen function in d1_lib.c in OpenSSL 1.0.2 before 1.0.2a does not properly isolate the state information of independent data streams, which allows remote attackers to cause a denial of service (application crash) via crafted DTLS traffic, as demonstrated by DTLS 1.0 traffic to a DTLS 1.2 server.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0207"
},
{
"id": "CVE-2015-0208",
"summary": "The ASN.1 signature-verification implementation in the rsa_item_verify function in crypto/rsa/rsa_ameth.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted RSA PSS parameters to an endpoint that uses the certificate-verification feature.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0208"
},
{
"id": "CVE-2015-0209",
"summary": "Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0209"
},
{
"id": "CVE-2015-0285",
"summary": "The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1.0.2a does not ensure that the PRNG is seeded before proceeding with a handshake, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and then conducting a brute-force attack.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0285"
},
{
"id": "CVE-2015-0286",
"summary": "The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0286"
},
{
"id": "CVE-2015-0287",
"summary": "The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0287"
},
{
"id": "CVE-2015-0288",
"summary": "The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid certificate key.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0288"
},
{
"id": "CVE-2015-0289",
"summary": "The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0289"
},
{
"id": "CVE-2015-0290",
"summary": "The multi-block feature in the ssl3_write_bytes function in s3_pkt.c in OpenSSL 1.0.2 before 1.0.2a on 64-bit x86 platforms with AES NI support does not properly handle certain non-blocking I/O cases, which allows remote attackers to cause a denial of service (pointer corruption and application crash) via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0290"
},
{
"id": "CVE-2015-0291",
"summary": "The sigalgs implementation in t1_lib.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by using an invalid signature_algorithms extension in the ClientHello message during a renegotiation.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0291"
},
{
"id": "CVE-2015-0292",
"summary": "Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0292"
},
{
"id": "CVE-2015-0293",
"summary": "The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0293"
},
{
"id": "CVE-2015-1787",
"summary": "The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0.2 before 1.0.2a, when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled, allows remote attackers to cause a denial of service (daemon crash) via a ClientKeyExchange message with a length of zero.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1787"
},
{
"id": "CVE-2015-1788",
"summary": "The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1788"
},
{
"id": "CVE-2015-1789",
"summary": "The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback.",
"scorev2": "4.3",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1789"
},
{
"id": "CVE-2015-1790",
"summary": "The PKCS7_dataDecodefunction in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1790"
},
{
"id": "CVE-2015-1791",
"summary": "Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1791"
},
{
"id": "CVE-2015-1792",
"summary": "The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1792"
},
{
"id": "CVE-2015-1793",
"summary": "The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.",
"scorev2": "6.4",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1793"
},
{
"id": "CVE-2015-1794",
"summary": "The ssl3_get_key_exchange function in ssl/s3_clnt.c in OpenSSL 1.0.2 before 1.0.2e allows remote servers to cause a denial of service (segmentation fault) via a zero p value in an anonymous Diffie-Hellman (DH) ServerKeyExchange message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1794"
},
{
"id": "CVE-2015-3193",
"summary": "The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3193"
},
{
"id": "CVE-2015-3194",
"summary": "crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3194"
},
{
"id": "CVE-2015-3195",
"summary": "The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3195"
},
{
"id": "CVE-2015-3196",
"summary": "ssl/s3_clnt.c in OpenSSL 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1p, and 1.0.2 before 1.0.2d, when used for a multi-threaded client, writes the PSK identity hint to an incorrect data structure, which allows remote servers to cause a denial of service (race condition and double free) via a crafted ServerKeyExchange message.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3196"
},
{
"id": "CVE-2015-3197",
"summary": "ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3197"
},
{
"id": "CVE-2015-3216",
"summary": "Race condition in a certain Red Hat patch to the PRNG lock implementation in the ssleay_rand_bytes function in OpenSSL, as distributed in openssl-1.0.1e-25.el7 in Red Hat Enterprise Linux (RHEL) 7 and other products, allows remote attackers to cause a denial of service (application crash) by establishing many TLS sessions to a multithreaded server, leading to use of a negative value for a certain length field.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3216"
},
{
"id": "CVE-2015-4000",
"summary": "The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the \"Logjam\" issue.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4000"
},
{
"id": "CVE-2016-0701",
"summary": "The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.",
"scorev2": "2.6",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0701"
},
{
"id": "CVE-2016-0702",
"summary": "The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a \"CacheBleed\" attack.",
"scorev2": "1.9",
"scorev3": "5.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0702"
},
{
"id": "CVE-2016-0703",
"summary": "The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0703"
},
{
"id": "CVE-2016-0704",
"summary": "An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0704"
},
{
"id": "CVE-2016-0705",
"summary": "Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0705"
},
{
"id": "CVE-2016-0797",
"summary": "Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0797"
},
{
"id": "CVE-2016-0798",
"summary": "Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto/srp/srp_vfy.c.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0798"
},
{
"id": "CVE-2016-0799",
"summary": "The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0799"
},
{
"id": "CVE-2016-0800",
"summary": "The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a \"DROWN\" attack.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0800"
},
{
"id": "CVE-2016-2105",
"summary": "Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2105"
},
{
"id": "CVE-2016-2106",
"summary": "Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2106"
},
{
"id": "CVE-2016-2107",
"summary": "The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.",
"scorev2": "2.6",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2107"
},
{
"id": "CVE-2016-2108",
"summary": "The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the \"negative zero\" issue.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2108"
},
{
"id": "CVE-2016-2109",
"summary": "The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2109"
},
{
"id": "CVE-2016-2176",
"summary": "The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.",
"scorev2": "6.4",
"scorev3": "8.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2176"
},
{
"id": "CVE-2016-2177",
"summary": "OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2177"
},
{
"id": "CVE-2016-2178",
"summary": "The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2178"
},
{
"id": "CVE-2016-2179",
"summary": "The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2179"
},
{
"id": "CVE-2016-2180",
"summary": "The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the \"openssl ts\" command.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2180"
},
{
"id": "CVE-2016-2181",
"summary": "The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2181"
},
{
"id": "CVE-2016-2182",
"summary": "The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2182"
},
{
"id": "CVE-2016-2183",
"summary": "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
},
{
"id": "CVE-2016-2842",
"summary": "The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2842"
},
{
"id": "CVE-2016-6302",
"summary": "The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6302"
},
{
"id": "CVE-2016-6303",
"summary": "Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6303"
},
{
"id": "CVE-2016-6304",
"summary": "Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6304"
},
{
"id": "CVE-2016-6305",
"summary": "The ssl3_read_bytes function in record/rec_layer_s3.c in OpenSSL 1.1.0 before 1.1.0a allows remote attackers to cause a denial of service (infinite loop) by triggering a zero-length record in an SSL_peek call.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6305"
},
{
"id": "CVE-2016-6306",
"summary": "The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6306"
},
{
"id": "CVE-2016-6307",
"summary": "The state-machine implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted TLS messages, related to statem/statem.c and statem/statem_lib.c.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6307"
},
{
"id": "CVE-2016-6308",
"summary": "statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted DTLS messages.",
"scorev2": "7.1",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6308"
},
{
"id": "CVE-2016-6309",
"summary": "statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6309"
},
{
"id": "CVE-2016-7052",
"summary": "crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7052"
},
{
"id": "CVE-2016-7053",
"summary": "In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures using a callback which do not handle NULL value are affected.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7053"
},
{
"id": "CVE-2016-7054",
"summary": "In OpenSSL 1.1.0 before 1.1.0c, TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7054"
},
{
"id": "CVE-2016-7055",
"summary": "There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected.",
"scorev2": "2.6",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7055"
},
{
"id": "CVE-2016-7056",
"summary": "A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7056"
},
{
"id": "CVE-2016-8610",
"summary": "A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8610"
},
{
"id": "CVE-2017-3730",
"summary": "In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3730"
},
{
"id": "CVE-2017-3731",
"summary": "If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3731"
},
{
"id": "CVE-2017-3732",
"summary": "There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3732"
},
{
"id": "CVE-2017-3733",
"summary": "During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3733"
},
{
"id": "CVE-2017-3735",
"summary": "While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3735"
},
{
"id": "CVE-2017-3736",
"summary": "There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3736"
},
{
"id": "CVE-2017-3737",
"summary": "OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an \"error state\" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3737"
},
{
"id": "CVE-2017-3738",
"summary": "There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3738"
},
{
"id": "CVE-2018-0732",
"summary": "During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0732"
},
{
"id": "CVE-2018-0733",
"summary": "Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0733"
},
{
"id": "CVE-2018-0734",
"summary": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0734"
},
{
"id": "CVE-2018-0735",
"summary": "The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0735"
},
{
"id": "CVE-2018-0737",
"summary": "The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0737"
},
{
"id": "CVE-2018-0739",
"summary": "Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0739"
},
{
"id": "CVE-2018-5407",
"summary": "Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5407"
},
{
"id": "CVE-2019-1543",
"summary": "ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1c (Affected 1.1.1-1.1.1b). Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j).",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1543"
},
{
"id": "CVE-2019-1547",
"summary": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1547"
},
{
"id": "CVE-2019-1549",
"summary": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1549"
},
{
"id": "CVE-2019-1551",
"summary": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1551"
},
{
"id": "CVE-2019-1552",
"summary": "OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"scorev2": "1.9",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1552"
},
{
"id": "CVE-2019-1559",
"summary": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1559"
},
{
"id": "CVE-2019-1563",
"summary": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1563"
},
{
"id": "CVE-2020-1967",
"summary": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1967"
},
{
"id": "CVE-2020-1968",
"summary": "The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1968"
},
{
"id": "CVE-2020-1971",
"summary": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971"
},
{
"id": "CVE-2021-23839",
"summary": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23839"
},
{
"id": "CVE-2021-23840",
"summary": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23840"
},
{
"id": "CVE-2021-23841",
"summary": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23841"
},
{
"id": "CVE-2021-3449",
"summary": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3449"
},
{
"id": "CVE-2021-3450",
"summary": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3450"
},
{
"id": "CVE-2021-3711",
"summary": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3711"
},
{
"id": "CVE-2021-3712",
"summary": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712"
},
{
"id": "CVE-2021-4044",
"summary": "Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4044"
},
{
"id": "CVE-2021-4160",
"summary": "There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4160"
},
{
"id": "CVE-2022-0778",
"summary": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0778"
},
{
"id": "CVE-2022-1292",
"summary": "The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1292"
},
{
"id": "CVE-2022-1343",
"summary": "The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL \"ocsp\" application. When verifying an ocsp response with the \"-no_cert_checks\" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).",
"scorev2": "4.3",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1343"
},
{
"id": "CVE-2022-1434",
"summary": "The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. Therefore, in such a case, only an OpenSSL 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client. If both endpoints are OpenSSL 3.0 then the attacker could modify data being sent in both directions. In this case both clients and servers could be affected, regardless of the application protocol. Note that in the absence of an attacker this bug means that an OpenSSL 3.0 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete the handshake when using this ciphersuite. The confidentiality of data is not impacted by this issue, i.e. an attacker cannot decrypt data that has been encrypted using this ciphersuite - they can only modify it. In order for this attack to work both endpoints must legitimately negotiate the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in OpenSSL 3.0, and is not available within the default provider or the default ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the following must have occurred: 1) OpenSSL must have been compiled with the (non-default) compile time option enable-weak-ssl-ciphers 2) OpenSSL must have had the legacy provider explicitly loaded (either through application code or via configuration) 3) The ciphersuite must have been explicitly added to the ciphersuite list 4) The libssl security level must have been set to 0 (default is 1) 5) A version of SSL/TLS below TLSv1.3 must have been negotiated 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any others that both endpoints have in common Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1434"
},
{
"id": "CVE-2022-1473",
"summary": "The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1473"
},
{
"id": "CVE-2022-2068",
"summary": "In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2068"
},
{
"id": "CVE-2022-2097",
"summary": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2097"
},
{
"id": "CVE-2022-2274",
"summary": "The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2274"
},
{
"id": "CVE-2022-3358",
"summary": "OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5).",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3358"
},
{
"id": "CVE-2022-3602",
"summary": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3602"
},
{
"id": "CVE-2022-3786",
"summary": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3786"
},
{
"id": "CVE-2022-3996",
"summary": "If an X.509 certificate contains a malformed policy constraint and\npolicy processing is enabled, then a write lock will be taken twice\nrecursively. On some operating systems (most widely: Windows) this\nresults in a denial of service when the affected process hangs. Policy\nprocessing being enabled on a publicly facing server is not considered\nto be a common setup.\n\nPolicy processing is enabled by passing the `-policy'\nargument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.\n\nUpdate (31 March 2023): The description of the policy processing enablement\nwas corrected based on CVE-2023-0466.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3996"
},
{
"id": "CVE-2022-4203",
"summary": "A read buffer overrun can be triggered in X.509 certificate verification,\nspecifically in name constraint checking. Note that this occurs\nafter certificate chain signature verification and requires either a\nCA to have signed the malicious certificate or for the application to\ncontinue certificate verification despite failure to construct a path\nto a trusted issuer.\n\nThe read buffer overrun might result in a crash which could lead to\na denial of service attack. In theory it could also result in the disclosure\nof private memory contents (such as private keys, or sensitive plaintext)\nalthough we are not aware of any working exploit leading to memory\ncontents disclosure as of the time of release of this advisory.\n\nIn a TLS client, this can be triggered by connecting to a malicious\nserver. In a TLS server, this can be triggered if the server requests\nclient authentication and a malicious client connects.\n\n",
"scorev2": "0.0",
"scorev3": "4.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4203"
},
{
"id": "CVE-2022-4304",
"summary": "A timing based side channel exists in the OpenSSL RSA Decryption implementation\nwhich could be sufficient to recover a plaintext across a network in a\nBleichenbacher style attack. To achieve a successful decryption an attacker\nwould have to be able to send a very large number of trial messages for\ndecryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,\nRSA-OEAP and RSASVE.\n\nFor example, in a TLS connection, RSA is commonly used by a client to send an\nencrypted pre-master secret to the server. An attacker that had observed a\ngenuine connection between a client and a server could use this flaw to send\ntrial messages to the server and record the time taken to process them. After a\nsufficiently large number of messages the attacker could recover the pre-master\nsecret used for the original connection and thus be able to decrypt the\napplication data sent over that connection.\n\n",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4304"
},
{
"id": "CVE-2022-4450",
"summary": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and\ndecodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data.\nIf the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are\npopulated with pointers to buffers containing the relevant decoded data. The\ncaller is responsible for freeing those buffers. It is possible to construct a\nPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()\nwill return a failure code but will populate the header argument with a pointer\nto a buffer that has already been freed. If the caller also frees this buffer\nthen a double free will occur. This will most likely lead to a crash. This\ncould be exploited by an attacker who has the ability to supply malicious PEM\nfiles for parsing to achieve a denial of service attack.\n\nThe functions PEM_read_bio() and PEM_read() are simple wrappers around\nPEM_read_bio_ex() and therefore these functions are also directly affected.\n\nThese functions are also called indirectly by a number of other OpenSSL\nfunctions including PEM_X509_INFO_read_bio_ex() and\nSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal\nuses of these functions are not vulnerable because the caller does not free the\nheader argument if PEM_read_bio_ex() returns a failure code. These locations\ninclude the PEM_read_bio_TYPE() functions as well as the decoders introduced in\nOpenSSL 3.0.\n\nThe OpenSSL asn1parse command line application is also impacted by this issue.\n\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4450"
},
{
"id": "CVE-2023-0215",
"summary": "The public API function BIO_new_NDEF is a helper function used for streaming\nASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the\nSMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by\nend user applications.\n\nThe function receives a BIO from the caller, prepends a new BIO_f_asn1 filter\nBIO onto the front of it to form a BIO chain, and then returns the new head of\nthe BIO chain to the caller. Under certain conditions, for example if a CMS\nrecipient public key is invalid, the new filter BIO is freed and the function\nreturns a NULL result indicating a failure. However, in this case, the BIO chain\nis not properly cleaned up and the BIO passed by the caller still retains\ninternal pointers to the previously freed filter BIO. If the caller then goes on\nto call BIO_pop() on the BIO then a use-after-free will occur. This will most\nlikely result in a crash.\n\n\n\nThis scenario occurs directly in the internal function B64_write_ASN1() which\nmay cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on\nthe BIO. This internal function is in turn called by the public API functions\nPEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,\nSMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.\n\nOther public API functions that may be impacted by this include\ni2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and\ni2d_PKCS7_bio_stream.\n\nThe OpenSSL cms and smime command line applications are similarly affected.\n\n\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0215"
},
{
"id": "CVE-2023-0216",
"summary": "An invalid pointer dereference on read can be triggered when an\napplication tries to load malformed PKCS7 data with the\nd2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.\n\nThe result of the dereference is an application crash which could\nlead to a denial of service attack. The TLS implementation in OpenSSL\ndoes not call this function however third party applications might\ncall these functions on untrusted data.\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0216"
},
{
"id": "CVE-2023-0217",
"summary": "An invalid pointer dereference on read can be triggered when an\napplication tries to check a malformed DSA public key by the\nEVP_PKEY_public_check() function. This will most likely lead\nto an application crash. This function can be called on public\nkeys supplied from untrusted sources which could allow an attacker\nto cause a denial of service attack.\n\nThe TLS implementation in OpenSSL does not call this function\nbut applications might call the function if there are additional\nsecurity requirements imposed by standards such as FIPS 140-3.\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0217"
},
{
"id": "CVE-2023-0286",
"summary": "There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.\n\n",
"scorev2": "0.0",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286"
},
{
"id": "CVE-2023-0401",
"summary": "A NULL pointer can be dereferenced when signatures are being\nverified on PKCS7 signed or signedAndEnveloped data. In case the hash\nalgorithm used for the signature is known to the OpenSSL library but\nthe implementation of the hash algorithm is not available the digest\ninitialization will fail. There is a missing check for the return\nvalue from the initialization function which later leads to invalid\nusage of the digest API most likely leading to a crash.\n\nThe unavailability of an algorithm can be caused by using FIPS\nenabled configuration of providers or more commonly by not loading\nthe legacy provider.\n\nPKCS7 data is processed by the SMIME library calls and also by the\ntime stamp (TS) library calls. The TLS implementation in OpenSSL does\nnot call these functions however third party applications would be\naffected if they call these functions to verify signatures on untrusted\ndata.\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0401"
},
{
"id": "CVE-2023-0464",
"summary": "A security vulnerability has been identified in all supported versions\n\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints. Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0464"
},
{
"id": "CVE-2023-0465",
"summary": "Applications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\n\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0465"
},
{
"id": "CVE-2023-0466",
"summary": "The function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0466"
},
{
"id": "CVE-2023-1255",
"summary": "Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\nplatform contains a bug that could cause it to read past the input buffer,\nleading to a crash.\n\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\nused for disk encryption.\n\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\nbuffer is unmapped, this will trigger a crash which results in a denial of\nservice.\n\nIf an attacker can control the size and location of the ciphertext buffer\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\napplication is affected. This is fairly unlikely making this issue\na Low severity one.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1255"
},
{
"id": "CVE-2023-2650",
"summary": "Issue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit. OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime. The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced. This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL. If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS. It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain. Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates. This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2650"
},
{
"id": "CVE-2023-2975",
"summary": "Issue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be mislead by removing\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2975"
},
{
"id": "CVE-2023-3446",
"summary": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3446"
},
{
"id": "CVE-2023-3817",
"summary": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817"
},
{
"id": "CVE-2023-4807",
"summary": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications on the\nWindows 64 platform when running on newer X86_64 processors supporting the\nAVX512-IFMA instructions.\n\nImpact summary: If in an application that uses the OpenSSL library an attacker\ncan influence whether the POLY1305 MAC algorithm is used, the application\nstate might be corrupted with various application dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\nnot save the contents of non-volatile XMM registers on Windows 64 platform\nwhen calculating the MAC of data larger than 64 bytes. Before returning to\nthe caller all the XMM registers are set to zero rather than restoring their\nprevious content. The vulnerable code is used only on newer x86_64 processors\nsupporting the AVX512-IFMA instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However given the contents of the registers are just zeroized so\nthe attacker cannot put arbitrary values inside, the most likely consequence,\nif any, would be an incorrect result of some application dependent\ncalculations or a crash leading to a denial of service.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\ncipher is used by the server. This implies that server applications using\nOpenSSL can be potentially impacted. However we are currently not aware of\nany concrete application that would be affected by this issue therefore we\nconsider this a Low severity security issue.\n\nAs a workaround the AVX512-IFMA instructions support can be disabled at\nruntime by setting the environment variable OPENSSL_ia32cap:\n\n OPENSSL_ia32cap=:~0x200000\n\nThe FIPS provider is not affected by this issue.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4807"
},
{
"id": "CVE-2023-5363",
"summary": "Issue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the \"keylen\" parameter or the IV length, via the \"ivlen\" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5363"
},
{
"id": "CVE-2023-5678",
"summary": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678"
},
{
"id": "CVE-2023-6129",
"summary": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129"
},
{
"id": "CVE-2024-0727",
"summary": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727"
},
{
"id": "CVE-2024-2511",
"summary": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511"
},
{
"id": "CVE-2024-4603",
"summary": "Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4603"
}
]
},
{
"name": "nativesdk-opkg",
"layer": "meta",
"version": "1_0.6.3",
"products": [
{
"product": "opkg",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-opkg-utils",
"layer": "meta",
"version": "0.6.3",
"products": [
{
"product": "opkg-utils",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-pango",
"layer": "meta",
"version": "1.52.1",
"products": [
{
"product": "pango",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2009-1194",
"summary": "Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1194"
},
{
"id": "CVE-2010-0421",
"summary": "Array index error in the hb_ot_layout_build_glyph_classes function in pango/opentype/hb-ot-layout.cc in Pango before 1.27.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted font file, related to building a synthetic Glyph Definition (aka GDEF) table by using this font's charmap and the Unicode property database.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0421"
},
{
"id": "CVE-2011-0020",
"summary": "Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0020"
},
{
"id": "CVE-2011-0064",
"summary": "The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0064"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2018-15120",
"summary": "libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15120"
},
{
"id": "CVE-2019-1010238",
"summary": "Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010238"
}
]
},
{
"name": "nativesdk-perl",
"layer": "meta",
"version": "5.38.2",
"products": [
{
"product": "perl",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-0034",
"summary": "Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0034"
},
{
"id": "CVE-1999-1386",
"summary": "Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl-eaXXXXX file.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1386"
},
{
"id": "CVE-2000-0703",
"summary": "suidperl (aka sperl) does not properly cleanse the escape sequence \"~!\" before calling /bin/mail to send an error report, which allows local users to gain privileges by setting the \"interactive\" environmental variable and calling suidperl with a filename that contains the escape sequence.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0703"
},
{
"id": "CVE-2003-0900",
"summary": "Perl 5.8.1 on Fedora Core does not properly initialize the random number generator when forking, which makes it easier for attackers to predict random numbers.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0900"
},
{
"id": "CVE-2004-0377",
"summary": "Buffer overflow in the win32_stat function for (1) ActiveState's ActivePerl and (2) Larry Wall's Perl before 5.8.3 allows local or remote attackers to execute arbitrary commands via filenames that end in a backslash character.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0377"
},
{
"id": "CVE-2004-0452",
"summary": "Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0452"
},
{
"id": "CVE-2004-0976",
"summary": "Multiple scripts in the perl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0976"
},
{
"id": "CVE-2004-2286",
"summary": "Integer overflow in the duplication operator in ActivePerl allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large multiplier, which may trigger a buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2286"
},
{
"id": "CVE-2005-0155",
"summary": "The PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to create arbitrary files via the PERLIO_DEBUG variable.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0155"
},
{
"id": "CVE-2005-0156",
"summary": "Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0156"
},
{
"id": "CVE-2005-0448",
"summary": "Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0448"
},
{
"id": "CVE-2005-3962",
"summary": "Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3962"
},
{
"id": "CVE-2005-4278",
"summary": "Untrusted search path vulnerability in Perl before 5.8.7-r1 on Gentoo Linux allows local users in the portage group to gain privileges via a malicious shared object in the Portage temporary build directory, which is part of the RUNPATH.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4278"
},
{
"id": "CVE-2007-5116",
"summary": "Buffer overflow in the polymorphic opcode support in the Regular Expression Engine (regcomp.c) in Perl 5.8 allows context-dependent attackers to execute arbitrary code by switching from byte to Unicode (UTF) characters in a regular expression.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5116"
},
{
"id": "CVE-2008-1927",
"summary": "Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters. NOTE: this issue might only be present on certain operating systems.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1927"
},
{
"id": "CVE-2008-2827",
"summary": "The rmtree function in lib/File/Path.pm in Perl 5.10 does not properly check permissions before performing a chmod, which allows local users to modify the permissions of arbitrary files via a symlink attack, a different vulnerability than CVE-2005-0448 and CVE-2004-0452.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2827"
},
{
"id": "CVE-2009-3626",
"summary": "Perl 5.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a UTF-8 character with a large, invalid codepoint, which is not properly handled during a regular-expression match.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3626"
},
{
"id": "CVE-2010-1158",
"summary": "Integer overflow in the regular expression engine in Perl 5.8.x allows context-dependent attackers to cause a denial of service (stack consumption and application crash) by matching a crafted regular expression against a long string.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1158"
},
{
"id": "CVE-2010-4777",
"summary": "The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4777"
},
{
"id": "CVE-2011-0761",
"summary": "Perl 5.10.x allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an ability to inject arguments into a (1) getpeername, (2) readdir, (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir function call.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0761"
},
{
"id": "CVE-2011-1487",
"summary": "The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1487"
},
{
"id": "CVE-2011-2728",
"summary": "The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2728"
},
{
"id": "CVE-2011-2939",
"summary": "Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2939"
},
{
"id": "CVE-2012-1151",
"summary": "Multiple format string vulnerabilities in dbdimp.c in DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.19.0 for Perl allow remote PostgreSQL database servers to cause a denial of service (process crash) via format string specifiers in (1) a crafted database warning to the pg_warn function or (2) a crafted DBD statement to the dbd_st_prepare function.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1151"
},
{
"id": "CVE-2012-5195",
"summary": "Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5195"
},
{
"id": "CVE-2012-6329",
"summary": "The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6329"
},
{
"id": "CVE-2013-1667",
"summary": "The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1667"
},
{
"id": "CVE-2013-7422",
"summary": "Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7422"
},
{
"id": "CVE-2014-4330",
"summary": "The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4330"
},
{
"id": "CVE-2015-8608",
"summary": "The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8608"
},
{
"id": "CVE-2015-8853",
"summary": "The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by \"a\\x80.\"",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8853"
},
{
"id": "CVE-2016-1238",
"summary": "(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1238"
},
{
"id": "CVE-2016-2381",
"summary": "Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2381"
},
{
"id": "CVE-2016-6185",
"summary": "The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6185"
},
{
"id": "CVE-2017-12814",
"summary": "Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 on Windows allows attackers to execute arbitrary code via a long environment variable.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12814"
},
{
"id": "CVE-2017-12837",
"summary": "Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\\N{}' escape and the case-insensitive modifier.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12837"
},
{
"id": "CVE-2017-12883",
"summary": "Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\\N{U+...}' escape.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12883"
},
{
"id": "CVE-2018-12015",
"summary": "In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.",
"scorev2": "6.4",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12015"
},
{
"id": "CVE-2018-18311",
"summary": "Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18311"
},
{
"id": "CVE-2018-18312",
"summary": "Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18312"
},
{
"id": "CVE-2018-18313",
"summary": "Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18313"
},
{
"id": "CVE-2018-18314",
"summary": "Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18314"
},
{
"id": "CVE-2018-6797",
"summary": "An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6797"
},
{
"id": "CVE-2018-6798",
"summary": "An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6798"
},
{
"id": "CVE-2018-6913",
"summary": "Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6913"
},
{
"id": "CVE-2020-10543",
"summary": "Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.",
"scorev2": "6.4",
"scorev3": "8.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10543"
},
{
"id": "CVE-2020-10878",
"summary": "Perl before 5.30.3 has an integer overflow related to mishandling of a \"PL_regkind[OP(n)] == NOTHING\" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.",
"scorev2": "7.5",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10878"
},
{
"id": "CVE-2020-12723",
"summary": "regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12723"
},
{
"id": "CVE-2022-48522",
"summary": "In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48522"
},
{
"id": "CVE-2023-31484",
"summary": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31484"
},
{
"id": "CVE-2023-31486",
"summary": "HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31486"
},
{
"id": "CVE-2023-47038",
"summary": "A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-47038"
},
{
"id": "CVE-2023-47039",
"summary": "A vulnerability was found in Perl. This security issue occurs while Perl for Windows relies on the system path environment variable to find the shell (`cmd.exe`). When running an executable that uses the Windows Perl interpreter, Perl attempts to find and execute `cmd.exe` within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. This flaw allows an attacker with limited privileges to place`cmd.exe` in locations with weak permissions, such as `C:\\ProgramData`. By doing so, arbitrary code can be executed when an administrator attempts to use this executable from these compromised locations.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-47039"
},
{
"id": "CVE-2023-47100",
"summary": "In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \\p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-47100"
}
]
},
{
"name": "nativesdk-pixman",
"layer": "meta",
"version": "1_0.42.2",
"products": [
{
"product": "pixman",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-6424",
"summary": "Integer underflow in the xTrapezoidValid macro in render/picture.h in X.Org allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6424"
},
{
"id": "CVE-2013-6425",
"summary": "Integer underflow in the pixman_trapezoid_valid macro in pixman.h in Pixman before 0.32.0, as used in X.Org server and cairo, allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6425"
},
{
"id": "CVE-2014-9766",
"summary": "Integer overflow in the create_bits function in pixman-bits-image.c in Pixman before 0.32.6 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via large height and stride values.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9766"
},
{
"id": "CVE-2015-5297",
"summary": "An integer overflow issue has been reported in the general_composite_rect() function in pixman prior to version 0.32.8. An attacker could exploit this issue to cause an application using pixman to crash or, potentially, execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5297"
},
{
"id": "CVE-2022-44638",
"summary": "In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-44638"
},
{
"id": "CVE-2023-37769",
"summary": "stress-test master commit e4c878 was discovered to contain a FPE vulnerability via the component combine_inner at /pixman-combine-float.c.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37769",
"detail": "not-applicable-config",
"description": "stress-test is an uninstalled test"
}
]
},
{
"name": "nativesdk-pkgconfig",
"layer": "meta",
"version": "0.29.2+git",
"products": [
{
"product": "pkgconfig",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-popt",
"layer": "meta",
"version": "1.19",
"products": [
{
"product": "popt",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-protobuf",
"layer": "meta-oe",
"version": "4.25.3",
"products": [
{
"product": "protobuf",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-5237",
"summary": "protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.",
"scorev2": "6.5",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5237"
},
{
"id": "CVE-2021-22570",
"summary": "Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22570"
},
{
"id": "CVE-2021-3121",
"summary": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.",
"scorev2": "7.5",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121"
},
{
"id": "CVE-2023-24535",
"summary": "Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24535"
}
]
},
{
"name": "nativesdk-pseudo",
"layer": "meta",
"version": "1.9.0+git",
"products": [
{
"product": "pseudo",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-python3",
"layer": "meta",
"version": "3.12.3",
"products": [
{
"product": "python",
"cvesInRecord": "Yes"
},
{
"product": "cpython",
"cvesInRecord": "No"
}
],
"issue": [
{
"id": "CVE-2002-1119",
"summary": "os._execvpe from os.py in Python 2.2.1 and earlier creates temporary files with predictable names, which could allow local users to execute arbitrary code via a symlink attack.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1119"
},
{
"id": "CVE-2004-0150",
"summary": "Buffer overflow in the getaddrinfo function in Python 2.2 before 2.2.2, when IPv6 support is disabled, allows remote attackers to execute arbitrary code via an IPv6 address that is obtained using DNS.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0150"
},
{
"id": "CVE-2005-0089",
"summary": "The SimpleXMLRPCServer library module in Python 2.2, 2.3 before 2.3.5, and 2.4, when used by XML-RPC servers that use the register_instance method to register an object without a _dispatch method, allows remote attackers to read or modify globals of the associated module, and possibly execute arbitrary code, via dotted attributes.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0089"
},
{
"id": "CVE-2006-1542",
"summary": "Stack-based buffer overflow in Python 2.4.2 and earlier, running on Linux 2.6.12.5 under gcc 4.0.3 with libc 2.3.5, allows local users to cause a \"stack overflow,\" and possibly gain privileges, by running a script from a current working directory that has a long name, related to the realpath function. NOTE: this might not be a vulnerability. However, the fact that it appears in a programming language interpreter could mean that some applications are affected, although attack scenarios might be limited because the attacker might already need to cross privilege boundaries to cause an exploitable program to be placed in a directory with a long name; or, depending on the method that Python uses to determine the current working directory, setuid applications might be affected.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1542"
},
{
"id": "CVE-2006-4980",
"summary": "Buffer overflow in the repr function in Python 2.3 through 2.6 before 20060822 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via crafted wide character UTF-32/UCS-4 strings to certain scripts.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4980"
},
{
"id": "CVE-2007-1657",
"summary": "Stack-based buffer overflow in the file_compress function in minigzip (Modules/zlib) in Python 2.5 allows context-dependent attackers to execute arbitrary code via a long file argument.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1657"
},
{
"id": "CVE-2007-2052",
"summary": "Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2052"
},
{
"id": "CVE-2007-4559",
"summary": "Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4559",
"detail": "disputed",
"description": "Upstream consider this expected behaviour"
},
{
"id": "CVE-2007-4965",
"summary": "Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4965"
},
{
"id": "CVE-2008-1679",
"summary": "Multiple integer overflows in imageop.c in Python before 2.5.3 allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted images that trigger heap-based buffer overflows. NOTE: this issue is due to an incomplete fix for CVE-2007-4965.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1679"
},
{
"id": "CVE-2008-1721",
"summary": "Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1721"
},
{
"id": "CVE-2008-1887",
"summary": "Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1887"
},
{
"id": "CVE-2008-2315",
"summary": "Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules. NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2315"
},
{
"id": "CVE-2008-2316",
"summary": "Integer overflow in _hashopenssl.c in the hashlib module in Python 2.5.2 and earlier might allow context-dependent attackers to defeat cryptographic digests, related to \"partial hashlib hashing of data exceeding 4GB.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2316"
},
{
"id": "CVE-2008-3142",
"summary": "Multiple buffer overflows in Python 2.5.2 and earlier on 32bit platforms allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a long string that leads to incorrect memory allocation during Unicode string processing, related to the unicode_resize function and the PyMem_RESIZE macro.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3142"
},
{
"id": "CVE-2008-3143",
"summary": "Multiple integer overflows in Python before 2.5.2 might allow context-dependent attackers to have an unknown impact via vectors related to (1) Include/pymem.h; (2) _csv.c, (3) _struct.c, (4) arraymodule.c, (5) audioop.c, (6) binascii.c, (7) cPickle.c, (8) cStringIO.c, (9) cjkcodecs/multibytecodec.c, (10) datetimemodule.c, (11) md5.c, (12) rgbimgmodule.c, and (13) stropmodule.c in Modules/; (14) bufferobject.c, (15) listobject.c, and (16) obmalloc.c in Objects/; (17) Parser/node.c; and (18) asdl.c, (19) ast.c, (20) bltinmodule.c, and (21) compile.c in Python/, as addressed by \"checks for integer overflows, contributed by Google.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3143"
},
{
"id": "CVE-2008-3144",
"summary": "Multiple integer overflows in the PyOS_vsnprintf function in Python/mysnprintf.c in Python 2.5.2 and earlier allow context-dependent attackers to cause a denial of service (memory corruption) or have unspecified other impact via crafted input to string formatting operations. NOTE: the handling of certain integer values is also affected by related integer underflows and an off-by-one error.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3144"
},
{
"id": "CVE-2008-4108",
"summary": "Tools/faqwiz/move-faqwiz.sh (aka the generic FAQ wizard moving tool) in Python 2.4.5 might allow local users to overwrite arbitrary files via a symlink attack on a tmp$RANDOM.tmp temporary file. NOTE: there may not be common usage scenarios in which tmp$RANDOM.tmp is located in an untrusted directory.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4108"
},
{
"id": "CVE-2008-4864",
"summary": "Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4864"
},
{
"id": "CVE-2008-5031",
"summary": "Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5031"
},
{
"id": "CVE-2008-5983",
"summary": "Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5983"
},
{
"id": "CVE-2009-4134",
"summary": "Buffer underflow in the rgbimg module in Python 2.5 allows remote attackers to cause a denial of service (application crash) via a large ZSIZE value in a black-and-white (aka B/W) RGB image that triggers an invalid pointer dereference.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4134"
},
{
"id": "CVE-2010-1449",
"summary": "Integer overflow in rgbimgmodule.c in the rgbimg module in Python 2.5 allows remote attackers to have an unspecified impact via a large image that triggers a buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-3143.12.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1449"
},
{
"id": "CVE-2010-1450",
"summary": "Multiple buffer overflows in the RLE decoder in the rgbimg module in Python 2.5 allow remote attackers to have an unspecified impact via an image file containing crafted data that triggers improper processing within the (1) longimagedata or (2) expandrow function.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1450"
},
{
"id": "CVE-2010-1634",
"summary": "Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1634"
},
{
"id": "CVE-2010-2089",
"summary": "The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2089"
},
{
"id": "CVE-2010-3492",
"summary": "The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3492"
},
{
"id": "CVE-2010-3493",
"summary": "Multiple race conditions in smtpd.py in the smtpd module in Python 2.6, 2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername function having an ENOTCONN error, a related issue to CVE-2010-3492.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3493"
},
{
"id": "CVE-2011-1015",
"summary": "The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the URI.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1015"
},
{
"id": "CVE-2011-1521",
"summary": "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1521"
},
{
"id": "CVE-2011-4940",
"summary": "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4940"
},
{
"id": "CVE-2011-4944",
"summary": "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4944"
},
{
"id": "CVE-2012-0845",
"summary": "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0845"
},
{
"id": "CVE-2012-0876",
"summary": "The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0876"
},
{
"id": "CVE-2012-1150",
"summary": "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1150"
},
{
"id": "CVE-2012-2135",
"summary": "The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2135"
},
{
"id": "CVE-2013-0340",
"summary": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0340"
},
{
"id": "CVE-2013-1753",
"summary": "The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1753"
},
{
"id": "CVE-2013-2099",
"summary": "Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2099"
},
{
"id": "CVE-2013-4238",
"summary": "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4238"
},
{
"id": "CVE-2013-7040",
"summary": "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7040"
},
{
"id": "CVE-2013-7338",
"summary": "Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7338"
},
{
"id": "CVE-2013-7440",
"summary": "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7440"
},
{
"id": "CVE-2014-0224",
"summary": "OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the \"CCS Injection\" vulnerability.",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0224"
},
{
"id": "CVE-2014-1912",
"summary": "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1912"
},
{
"id": "CVE-2014-2667",
"summary": "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2667"
},
{
"id": "CVE-2014-4616",
"summary": "Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4616"
},
{
"id": "CVE-2014-4650",
"summary": "The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4650"
},
{
"id": "CVE-2014-7185",
"summary": "Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a \"buffer\" function.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7185"
},
{
"id": "CVE-2014-9365",
"summary": "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
},
{
"id": "CVE-2015-1283",
"summary": "Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1283"
},
{
"id": "CVE-2015-20107",
"summary": "In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9",
"scorev2": "8.0",
"scorev3": "7.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:C/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-20107",
"detail": "upstream-wontfix",
"description": "The mailcap module is insecure by design, so this can't be fixed in a meaningful way"
},
{
"id": "CVE-2015-5652",
"summary": "Untrusted search path vulnerability in python.exe in Python through 3.5.0 on Windows allows local users to gain privileges via a Trojan horse readline.pyd file in the current working directory. NOTE: the vendor says \"It was determined that this is a longtime behavior of Python that cannot really be altered at this point.\"",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5652"
},
{
"id": "CVE-2016-0718",
"summary": "Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0718"
},
{
"id": "CVE-2016-0772",
"summary": "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"",
"scorev2": "5.8",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0772"
},
{
"id": "CVE-2016-1000110",
"summary": "The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.",
"scorev2": "5.8",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000110"
},
{
"id": "CVE-2016-2183",
"summary": "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
},
{
"id": "CVE-2016-3189",
"summary": "Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3189"
},
{
"id": "CVE-2016-4472",
"summary": "The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4472"
},
{
"id": "CVE-2016-5636",
"summary": "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5636"
},
{
"id": "CVE-2016-5699",
"summary": "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.",
"scorev2": "4.3",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5699"
},
{
"id": "CVE-2016-9063",
"summary": "An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9063"
},
{
"id": "CVE-2017-1000158",
"summary": "CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000158"
},
{
"id": "CVE-2017-17522",
"summary": "Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17522"
},
{
"id": "CVE-2017-18207",
"summary": "The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4 does not ensure a nonzero channel value, which allows attackers to cause a denial of service (divide-by-zero and exception) via a crafted wav format audio file. NOTE: the vendor disputes this issue because Python applications \"need to be prepared to handle a wide variety of exceptions.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18207"
},
{
"id": "CVE-2017-20052",
"summary": "A vulnerability classified as problematic was found in Python 2.7.13. This vulnerability affects unknown code of the component pgAdmin4. The manipulation leads to uncontrolled search path. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.",
"scorev2": "4.4",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-20052"
},
{
"id": "CVE-2017-9233",
"summary": "XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9233"
},
{
"id": "CVE-2018-1000030",
"summary": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.",
"scorev2": "3.3",
"scorev3": "3.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000030"
},
{
"id": "CVE-2018-1000117",
"summary": "Python Software Foundation CPython version From 3.2 until 3.6.4 on Windows contains a Buffer Overflow vulnerability in os.symlink() function on Windows that can result in Arbitrary code execution, likely escalation of privilege. This attack appears to be exploitable via a python script that creates a symlink with an attacker controlled name or location. This vulnerability appears to have been fixed in 3.7.0 and 3.6.5.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000117"
},
{
"id": "CVE-2018-1000802",
"summary": "Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000802"
},
{
"id": "CVE-2018-1060",
"summary": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.",
"scorev2": "5.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1060"
},
{
"id": "CVE-2018-1061",
"summary": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1061"
},
{
"id": "CVE-2018-14647",
"summary": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14647"
},
{
"id": "CVE-2018-20406",
"summary": "Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a \"resize to twice the size\" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. This issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.7rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1, v3.6.7rc2, v3.6.8, v3.6.8rc1, v3.6.9, v3.6.9rc1; v3.7.1, v3.7.1rc1, v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20406"
},
{
"id": "CVE-2018-20852",
"summary": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20852"
},
{
"id": "CVE-2018-25032",
"summary": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032"
},
{
"id": "CVE-2019-10160",
"summary": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.",
"scorev2": "5.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10160"
},
{
"id": "CVE-2019-12900",
"summary": "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12900"
},
{
"id": "CVE-2019-13404",
"summary": "The MSI installer for Python through 2.7.16 on Windows defaults to the C:\\Python27 directory, which makes it easier for local users to deploy Trojan horse code. (This also affects old 3.x releases before 3.5.) NOTE: the vendor's position is that it is the user's responsibility to ensure C:\\Python27 access control or choose a different directory, because backwards compatibility requires that C:\\Python27 remain the default for 2.7.x",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13404"
},
{
"id": "CVE-2019-15903",
"summary": "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15903"
},
{
"id": "CVE-2019-16056",
"summary": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16056"
},
{
"id": "CVE-2019-16935",
"summary": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.",
"scorev2": "4.3",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16935"
},
{
"id": "CVE-2019-17514",
"summary": "library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated \"finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,\" one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17514"
},
{
"id": "CVE-2019-18348",
"summary": "An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.",
"scorev2": "4.3",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18348",
"detail": "not-applicable-config",
"description": "This is not exploitable when glibc has CVE-2016-10739 fixed"
},
{
"id": "CVE-2019-20907",
"summary": "In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20907"
},
{
"id": "CVE-2019-5010",
"summary": "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.",
"scorev2": "5.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5010"
},
{
"id": "CVE-2019-9636",
"summary": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.",
"scorev2": "5.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9636"
},
{
"id": "CVE-2019-9674",
"summary": "Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9674"
},
{
"id": "CVE-2019-9740",
"summary": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.",
"scorev2": "4.3",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9740"
},
{
"id": "CVE-2019-9947",
"summary": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.",
"scorev2": "4.3",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9947"
},
{
"id": "CVE-2019-9948",
"summary": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9948"
},
{
"id": "CVE-2020-10735",
"summary": "A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int(\"text\"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10735"
},
{
"id": "CVE-2020-14422",
"summary": "Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14422"
},
{
"id": "CVE-2020-15523",
"summary": "In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15523",
"detail": "not-applicable-platform",
"description": "Issue only applies on Windows"
},
{
"id": "CVE-2020-15801",
"summary": "In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The ._pth file (e.g., the python._pth file) is not affected.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15801"
},
{
"id": "CVE-2020-26116",
"summary": "http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.",
"scorev2": "6.4",
"scorev3": "7.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-26116"
},
{
"id": "CVE-2020-27619",
"summary": "In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27619"
},
{
"id": "CVE-2020-8315",
"summary": "In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8315"
},
{
"id": "CVE-2020-8492",
"summary": "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.",
"scorev2": "7.1",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8492"
},
{
"id": "CVE-2021-23336",
"summary": "The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.",
"scorev2": "4.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23336"
},
{
"id": "CVE-2021-28861",
"summary": "Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states \"Warning: http.server is not recommended for production. It only implements basic security checks.\"",
"scorev2": "0.0",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28861"
},
{
"id": "CVE-2021-29921",
"summary": "In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29921"
},
{
"id": "CVE-2021-3177",
"summary": "Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3177"
},
{
"id": "CVE-2021-3426",
"summary": "There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3426"
},
{
"id": "CVE-2021-3733",
"summary": "There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3733"
},
{
"id": "CVE-2021-3737",
"summary": "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.",
"scorev2": "7.1",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3737"
},
{
"id": "CVE-2021-4189",
"summary": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4189"
},
{
"id": "CVE-2022-0391",
"summary": "A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\\r' and '\\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0391"
},
{
"id": "CVE-2022-26488",
"summary": "In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26488",
"detail": "not-applicable-platform",
"description": "Issue only applies on Windows"
},
{
"id": "CVE-2022-37454",
"summary": "The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-37454"
},
{
"id": "CVE-2022-42919",
"summary": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919"
},
{
"id": "CVE-2022-45061",
"summary": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061"
},
{
"id": "CVE-2022-48560",
"summary": "A use-after-free exists in Python through 3.9 via heappushpop in heapq.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48560"
},
{
"id": "CVE-2022-48564",
"summary": "read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48564"
},
{
"id": "CVE-2022-48565",
"summary": "An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48565"
},
{
"id": "CVE-2022-48566",
"summary": "An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48566"
},
{
"id": "CVE-2023-24329",
"summary": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329"
},
{
"id": "CVE-2023-27043",
"summary": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043"
},
{
"id": "CVE-2023-33595",
"summary": "CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-free via the function ascii_decode at /Objects/unicodeobject.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33595"
},
{
"id": "CVE-2023-36632",
"summary": "The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger \"RecursionError: maximum recursion depth exceeded while calling a Python object\" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-36632",
"detail": "disputed",
"description": "Not an issue, in fact expected behaviour"
},
{
"id": "CVE-2023-38898",
"summary": "An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component. NOTE: this is disputed by the vendor because (1) neither 3.7 nor any other release is affected (it is a bug in some 3.12 pre-releases); (2) there are no common scenarios in which an adversary can call _asyncio._swap_current_task but does not already have the ability to call arbitrary functions; and (3) there are no common scenarios in which sensitive information, which is not already accessible to an adversary, becomes accessible through this bug.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38898"
},
{
"id": "CVE-2023-40217",
"summary": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217"
},
{
"id": "CVE-2023-41105",
"summary": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105"
},
{
"id": "CVE-2023-6507",
"summary": "An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases.\n\nWhen using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list.\n\nThis issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).\n\n",
"scorev2": "0.0",
"scorev3": "4.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6507"
}
]
},
{
"name": "nativesdk-python3-packaging",
"layer": "meta",
"version": "23.2",
"products": [
{
"product": "packaging",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-python3-setuptools",
"layer": "meta",
"version": "69.1.1",
"products": [
{
"product": "setuptools",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-1633",
"summary": "easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1633"
},
{
"id": "CVE-2022-40897",
"summary": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40897"
}
]
},
{
"name": "nativesdk-qemu",
"layer": "meta",
"version": "8.2.1",
"products": [
{
"product": "qemu",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-0998",
"summary": "The VNC server implementation in QEMU, as used by Xen and possibly other environments, allows local users of a guest operating system to read arbitrary files on the host operating system via unspecified vectors related to QEMU monitor mode, as demonstrated by mapping files to a CDROM device. NOTE: some of these details are obtained from third party information.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0998",
"detail": "not-applicable-config",
"description": "The VNC server can expose host files uder some circumstances. We don't enable it by default."
},
{
"id": "CVE-2007-1320",
"summary": "Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to \"attempting to mark non-existent regions as dirty,\" aka the \"bitblt\" heap overflow.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1320"
},
{
"id": "CVE-2007-1321",
"summary": "Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 \"receive\" integer signedness error. NOTE: this identifier was inadvertently used by some sources to cover multiple issues that were labeled \"NE2000 network driver and the socket code,\" but separate identifiers have been created for the individual vulnerabilities since there are sometimes different fixes; see CVE-2007-5729 and CVE-2007-5730.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1321"
},
{
"id": "CVE-2007-1322",
"summary": "QEMU 0.8.2 allows local users to halt a virtual machine by executing the icebp instruction.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1322"
},
{
"id": "CVE-2007-1366",
"summary": "QEMU 0.8.2 allows local users to crash a virtual machine via the divisor operand to the aam instruction, as demonstrated by \"aam 0x0,\" which triggers a divide-by-zero error.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1366"
},
{
"id": "CVE-2007-5729",
"summary": "The NE2000 emulator in QEMU 0.8.2 allows local users to execute arbitrary code by writing Ethernet frames with a size larger than the MTU to the EN0_TCNT register, which triggers a heap-based buffer overflow in the slirp library, aka NE2000 \"mtu\" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of \"NE2000 network driver and the socket code,\" but this is the correct identifier for the mtu overflow vulnerability.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5729"
},
{
"id": "CVE-2007-5730",
"summary": "Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to execute arbitrary code via crafted data in the \"net socket listen\" option, aka QEMU \"net socket\" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of \"NE2000 network driver and the socket code,\" but this is the correct identifier for the individual net socket listen vulnerability.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5730"
},
{
"id": "CVE-2007-6227",
"summary": "QEMU 0.9.0 allows local users of a Windows XP SP2 guest operating system to overwrite the TranslationBlock (code_gen_buffer) buffer, and probably have unspecified other impacts related to an \"overflow,\" via certain Windows executable programs, as demonstrated by qemu-dos.com.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6227"
},
{
"id": "CVE-2008-0928",
"summary": "Qemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0928"
},
{
"id": "CVE-2008-1945",
"summary": "QEMU 0.9.0 does not properly handle changes to removable media, which allows guest OS users to read arbitrary files on the host OS by using the diskformat: parameter in the -usbdevice option to modify the disk-image header to identify a different format, a related issue to CVE-2008-2004.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1945"
},
{
"id": "CVE-2008-2004",
"summary": "The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2004"
},
{
"id": "CVE-2008-2382",
"summary": "The protocol_client_msg function in vnc.c in the VNC server in (1) Qemu 0.9.1 and earlier and (2) KVM kvm-79 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2382"
},
{
"id": "CVE-2008-4539",
"summary": "Heap-based buffer overflow in the Cirrus VGA implementation in (1) KVM before kvm-82 and (2) QEMU on Debian GNU/Linux and Ubuntu might allow local users to gain privileges by using the VNC console for a connection, aka the LGD-54XX \"bitblt\" heap overflow. NOTE: this issue exists because of an incorrect fix for CVE-2007-1320.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4539"
},
{
"id": "CVE-2008-4553",
"summary": "qemu-make-debian-root in qemu 0.9.1-5 on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on temporary files and directories.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4553"
},
{
"id": "CVE-2008-5714",
"summary": "Off-by-one error in monitor.c in Qemu 0.9.1 might make it easier for remote attackers to guess the VNC password, which is limited to seven characters where eight was intended.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5714"
},
{
"id": "CVE-2009-3616",
"summary": "Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities.",
"scorev2": "8.5",
"scorev3": "9.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3616"
},
{
"id": "CVE-2010-0297",
"summary": "Buffer overflow in the usb_host_handle_control function in the USB passthrough handling implementation in usb-linux.c in QEMU before 0.11.1 allows guest OS users to cause a denial of service (guest OS crash or hang) or possibly execute arbitrary code on the host OS via a crafted USB packet.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0297"
},
{
"id": "CVE-2011-0011",
"summary": "qemu-kvm before 0.11.0 disables VNC authentication when the password is cleared, which allows remote attackers to bypass authentication and establish VNC sessions.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0011"
},
{
"id": "CVE-2011-1750",
"summary": "Multiple heap-based buffer overflows in the virtio-blk driver (hw/virtio-blk.c) in qemu-kvm 0.14.0 allow local guest users to cause a denial of service (guest crash) and possibly gain privileges via a (1) write request to the virtio_blk_handle_write function or (2) read request to the virtio_blk_handle_read function that is not properly aligned.",
"scorev2": "7.4",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1750"
},
{
"id": "CVE-2011-1751",
"summary": "The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management emulation in qemu-kvm does not check if a device is hotpluggable before unplugging the PCI-ISA bridge, which allows privileged guest users to cause a denial of service (guest crash) and possibly execute arbitrary code by sending a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, which leads to a use-after-free related to \"active qemu timers.\"",
"scorev2": "7.4",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1751"
},
{
"id": "CVE-2011-2212",
"summary": "Buffer overflow in the virtio subsystem in qemu-kvm 0.14.0 and earlier allows privileged guest users to cause a denial of service (guest crash) or gain privileges via a crafted indirect descriptor related to \"virtqueue in and out requests.\"",
"scorev2": "7.4",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2212"
},
{
"id": "CVE-2011-2527",
"summary": "The change_process_uid function in os-posix.c in Qemu 0.14.0 and earlier does not properly drop group privileges when the -runas option is used, which allows local guest users to access restricted files on the host.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2527"
},
{
"id": "CVE-2011-3346",
"summary": "Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before 0.15.2, as used by Xen, might allow local guest users with permission to access the CD-ROM to cause a denial of service (guest crash) via a crafted SAI READ CAPACITY SCSI command. NOTE: this is only a vulnerability when root has manually modified certain permissions or ACLs.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3346"
},
{
"id": "CVE-2011-4111",
"summary": "Buffer overflow in the ccid_card_vscard_handle_message function in hw/ccid-card-passthru.c in QEMU before 0.15.2 and 1.x before 1.0-rc4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VSC_ATR message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4111"
},
{
"id": "CVE-2012-2652",
"summary": "The bdrv_open function in Qemu 1.0 does not properly handle the failure of the mkstemp function, when in snapshot node, which allows local users to overwrite or read arbitrary files via a symlink attack on an unspecified temporary file.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2652"
},
{
"id": "CVE-2012-3515",
"summary": "Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a \"device model's address space.\"",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3515"
},
{
"id": "CVE-2012-6075",
"summary": "Buffer overflow in the e1000_receive function in the e1000 device driver (hw/e1000.c) in QEMU 1.3.0-rc2 and other versions, when the SBP and LPE flags are disabled, allows remote attackers to cause a denial of service (guest OS crash) and possibly execute arbitrary guest code via a large packet.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6075"
},
{
"id": "CVE-2013-2007",
"summary": "The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when started in daemon mode, uses weak permissions for certain files, which allows local users to read and write to these files.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2007"
},
{
"id": "CVE-2013-2016",
"summary": "A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host's qemu address space and thus increase their privileges on the host.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2016"
},
{
"id": "CVE-2013-4148",
"summary": "Integer signedness error in the virtio_net_load function in hw/net/virtio-net.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers a buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4148"
},
{
"id": "CVE-2013-4149",
"summary": "Buffer overflow in virtio_net_load function in net/virtio-net.c in QEMU 1.3.0 through 1.7.x before 1.7.2 might allow remote attackers to execute arbitrary code via a large MAC table.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4149"
},
{
"id": "CVE-2013-4150",
"summary": "The virtio_net_load function in hw/net/virtio-net.c in QEMU 1.5.0 through 1.7.x before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors in which the value of curr_queues is greater than max_queues, which triggers an out-of-bounds write.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4150"
},
{
"id": "CVE-2013-4151",
"summary": "The virtio_load function in virtio/virtio.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds write.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4151"
},
{
"id": "CVE-2013-4344",
"summary": "Buffer overflow in the SCSI implementation in QEMU, as used in Xen, when a SCSI controller has more than 256 attached devices, allows local users to gain privileges via a small transfer buffer in a REPORT LUNS command.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4344"
},
{
"id": "CVE-2013-4375",
"summary": "The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before 4.3.1, and qemu 1.1 and other versions, allows local HVM guests to cause a denial of service (domain grant reference consumption) via unspecified vectors.",
"scorev2": "2.7",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4375"
},
{
"id": "CVE-2013-4377",
"summary": "Use-after-free vulnerability in the virtio-pci implementation in Qemu 1.4.0 through 1.6.0 allows local users to cause a denial of service (daemon crash) by \"hot-unplugging\" a virtio device.",
"scorev2": "2.3",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4377"
},
{
"id": "CVE-2013-4526",
"summary": "Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via vectors related to migrating ports.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4526"
},
{
"id": "CVE-2013-4527",
"summary": "Buffer overflow in hw/timer/hpet.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via vectors related to the number of timers.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4527"
},
{
"id": "CVE-2013-4529",
"summary": "Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4529"
},
{
"id": "CVE-2013-4530",
"summary": "Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4530"
},
{
"id": "CVE-2013-4531",
"summary": "Buffer overflow in target-arm/machine.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative value in cpreg_vmstate_array_len in a savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4531"
},
{
"id": "CVE-2013-4532",
"summary": "Qemu 1.1.2+dfsg to 2.1+dfsg suffers from a buffer overrun which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4532"
},
{
"id": "CVE-2013-4533",
"summary": "Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted s->rx_level value in a savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4533"
},
{
"id": "CVE-2013-4534",
"summary": "Buffer overflow in hw/intc/openpic.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to IRQDest elements.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4534"
},
{
"id": "CVE-2013-4535",
"summary": "The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read.",
"scorev2": "7.2",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4535"
},
{
"id": "CVE-2013-4536",
"summary": "An user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4536"
},
{
"id": "CVE-2013-4537",
"summary": "The ssi_sd_transfer function in hw/sd/ssi-sd.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted arglen value in a savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4537"
},
{
"id": "CVE-2013-4538",
"summary": "Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c in QEMU before 1.7.2 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and row_end values; or (5) col_star and col_end values in a savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4538"
},
{
"id": "CVE-2013-4539",
"summary": "Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4539"
},
{
"id": "CVE-2013-4540",
"summary": "Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a large (1) prev_level, (2) gpio_level, or (3) gpio_dir value in a savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4540"
},
{
"id": "CVE-2013-4541",
"summary": "The usb_device_post_load function in hw/usb/bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, related to a negative setup_len or setup_index value.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4541"
},
{
"id": "CVE-2013-4542",
"summary": "The virtio_scsi_load_request function in hw/scsi/scsi-bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds array access.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4542"
},
{
"id": "CVE-2013-4544",
"summary": "hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier allows local guest users to cause a denial of service or possibly execute arbitrary code via vectors related to (1) RX or (2) TX queue numbers or (3) interrupt indices. NOTE: some of these details are obtained from third party information.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4544"
},
{
"id": "CVE-2013-6399",
"summary": "Array index error in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6399"
},
{
"id": "CVE-2014-0142",
"summary": "QEMU, possibly before 2.0.0, allows local users to cause a denial of service (divide-by-zero error and crash) via a zero value in the (1) tracks field to the seek_to_sector function in block/parallels.c or (2) extent_size field in the bochs function in block/bochs.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0142"
},
{
"id": "CVE-2014-0143",
"summary": "Multiple integer overflows in the block drivers in QEMU, possibly before 2.0.0, allow local users to cause a denial of service (crash) via a crafted catalog size in (1) the parallels_open function in block/parallels.c or (2) bochs_open function in bochs.c, a large L1 table in the (3) qcow2_snapshot_load_tmp in qcow2-snapshot.c or (4) qcow2_grow_l1_table function in qcow2-cluster.c, (5) a large request in the bdrv_check_byte_request function in block.c and other block drivers, (6) crafted cluster indexes in the get_refcount function in qcow2-refcount.c, or (7) a large number of blocks in the cloop_open function in cloop.c, which trigger buffer overflows, memory corruption, large memory allocations and out-of-bounds read and writes.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0143"
},
{
"id": "CVE-2014-0144",
"summary": "QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host with the privileges of the QEMU process.",
"scorev2": "0.0",
"scorev3": "8.6",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0144"
},
{
"id": "CVE-2014-0145",
"summary": "Multiple buffer overflows in QEMU before 1.7.2 and 2.x before 2.0.0, allow local users to cause a denial of service (crash) or possibly execute arbitrary code via a large (1) L1 table in the qcow2_snapshot_load_tmp in the QCOW 2 block driver (block/qcow2-snapshot.c) or (2) uncompressed chunk, (3) chunk length, or (4) number of sectors in the DMG block driver (block/dmg.c).",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0145"
},
{
"id": "CVE-2014-0146",
"summary": "The qcow2_open function in the (block/qcow2.c) in QEMU before 1.7.2 and 2.x before 2.0.0 allows local users to cause a denial of service (NULL pointer dereference) via a crafted image which causes an error, related to the initialization of the snapshot_offset and nb_snapshots fields.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0146"
},
{
"id": "CVE-2014-0147",
"summary": "Qemu before 1.6.2 block diver for the various disk image formats used by Bochs and for the QCOW version 2 format, are vulnerable to a possible crash caused by signed data types or a logic error while creating QCOW2 snapshots, which leads to incorrectly calling update_refcount() routine.",
"scorev2": "0.0",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0147"
},
{
"id": "CVE-2014-0148",
"summary": "Qemu before 2.0 block driver for Hyper-V VHDX Images is vulnerable to infinite loops and other potential issues when calculating BAT entries, due to missing bounds checks for block_size and logical_sector_size variables. These are used to derive other fields like 'sectors_per_block' etc. A user able to alter the Qemu disk image could ise this flaw to crash the Qemu instance resulting in DoS.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0148"
},
{
"id": "CVE-2014-0150",
"summary": "Integer overflow in the virtio_net_handle_mac function in hw/net/virtio-net.c in QEMU 2.0 and earlier allows local guest users to execute arbitrary code via a MAC addresses table update request, which triggers a heap-based buffer overflow.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0150"
},
{
"id": "CVE-2014-0182",
"summary": "Heap-based buffer overflow in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted config length in a savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0182"
},
{
"id": "CVE-2014-0222",
"summary": "Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0222"
},
{
"id": "CVE-2014-0223",
"summary": "Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0223"
},
{
"id": "CVE-2014-2894",
"summary": "Off-by-one error in the cmd_smart function in the smart self test in hw/ide/core.c in QEMU before 2.0 allows local users to have unspecified impact via a SMART EXECUTE OFFLINE command that triggers a buffer underflow and memory corruption.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2894"
},
{
"id": "CVE-2014-3461",
"summary": "hw/usb/bus.c in QEMU 1.6.2 allows remote attackers to execute arbitrary code via crafted savevm data, which triggers a heap-based buffer overflow, related to \"USB post load checks.\"",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3461"
},
{
"id": "CVE-2014-3471",
"summary": "Use-after-free vulnerability in hw/pci/pcie.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU instance crash) via hotplug and hotunplug operations of Virtio block devices.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3471"
},
{
"id": "CVE-2014-3615",
"summary": "The VGA emulator in QEMU allows local guest users to read host memory by setting the display to a high resolution.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3615"
},
{
"id": "CVE-2014-3640",
"summary": "The sosendto function in slirp/udp.c in QEMU before 2.1.2 allows local users to cause a denial of service (NULL pointer dereference) by sending a udp packet with a value of 0 in the source port and address, which triggers access of an uninitialized socket.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3640"
},
{
"id": "CVE-2014-3689",
"summary": "The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3689"
},
{
"id": "CVE-2014-5263",
"summary": "vmstate_xhci_event in hw/usb/hcd-xhci.c in QEMU 1.6.0 does not terminate the list with the VMSTATE_END_OF_LIST macro, which allows attackers to cause a denial of service (out-of-bounds access, infinite loop, and memory corruption) and possibly gain privileges via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5263"
},
{
"id": "CVE-2014-5388",
"summary": "Off-by-one error in the pci_read function in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in QEMU allows local guest users to obtain sensitive information and have other unspecified impact related to a crafted PCI device that triggers memory corruption.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5388"
},
{
"id": "CVE-2014-7815",
"summary": "The set_pixel_format function in ui/vnc.c in QEMU allows remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7815"
},
{
"id": "CVE-2014-7840",
"summary": "The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allows remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7840"
},
{
"id": "CVE-2014-8106",
"summary": "Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because an incomplete fix for CVE-2007-1320.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8106"
},
{
"id": "CVE-2014-9718",
"summary": "The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality in QEMU 1.0 through 2.1.3 have multiple interpretations of a function's return value, which allows guest OS users to cause a host OS denial of service (memory consumption or infinite loop, and system crash) via a PRDT with zero complete sectors, related to the bmdma_prepare_buf and ahci_dma_prepare_buf functions.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9718"
},
{
"id": "CVE-2015-1779",
"summary": "The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section.",
"scorev2": "7.8",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1779"
},
{
"id": "CVE-2015-3209",
"summary": "Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3209"
},
{
"id": "CVE-2015-3214",
"summary": "The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3214"
},
{
"id": "CVE-2015-3456",
"summary": "The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.",
"scorev2": "7.7",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3456"
},
{
"id": "CVE-2015-4037",
"summary": "The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4037"
},
{
"id": "CVE-2015-4106",
"summary": "QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4106"
},
{
"id": "CVE-2015-5154",
"summary": "Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5154"
},
{
"id": "CVE-2015-5158",
"summary": "Stack-based buffer overflow in hw/scsi/scsi-bus.c in QEMU, when built with SCSI-device emulation support, allows guest OS users with CAP_SYS_RAWIO permissions to cause a denial of service (instance crash) via an invalid opcode in a SCSI command descriptor block.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5158"
},
{
"id": "CVE-2015-5225",
"summary": "Buffer overflow in the vnc_refresh_server_surface function in the VNC display driver in QEMU before 2.4.0.1 allows guest users to cause a denial of service (heap memory corruption and process crash) or possibly execute arbitrary code on the host via unspecified vectors, related to refreshing the server display surface.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5225"
},
{
"id": "CVE-2015-5239",
"summary": "Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attachers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5239"
},
{
"id": "CVE-2015-5278",
"summary": "The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows attackers to cause a denial of service (infinite loop and instance crash) or possibly execute arbitrary code via vectors related to receiving packets.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5278"
},
{
"id": "CVE-2015-5279",
"summary": "Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5279"
},
{
"id": "CVE-2015-5745",
"summary": "Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5745"
},
{
"id": "CVE-2015-6815",
"summary": "The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors.",
"scorev2": "2.7",
"scorev3": "3.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6815"
},
{
"id": "CVE-2015-6855",
"summary": "hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6855"
},
{
"id": "CVE-2015-7295",
"summary": "hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7295"
},
{
"id": "CVE-2015-7504",
"summary": "Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode.",
"scorev2": "4.6",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7504"
},
{
"id": "CVE-2015-7512",
"summary": "Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet.",
"scorev2": "6.8",
"scorev3": "9.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7512"
},
{
"id": "CVE-2015-7549",
"summary": "The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure to define the .write method.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7549"
},
{
"id": "CVE-2015-8345",
"summary": "The eepro100 emulator in QEMU qemu-kvm blank allows local guest users to cause a denial of service (application crash and infinite loop) via vectors involving the command block list.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8345"
},
{
"id": "CVE-2015-8504",
"summary": "Qemu, when built with VNC display driver support, allows remote attackers to cause a denial of service (arithmetic exception and application crash) via crafted SetPixelFormat messages from a client.",
"scorev2": "3.5",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8504"
},
{
"id": "CVE-2015-8556",
"summary": "Local privilege escalation vulnerability in the Gentoo QEMU package before 2.5.0-r1.",
"scorev2": "10.0",
"scorev3": "10.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8556"
},
{
"id": "CVE-2015-8558",
"summary": "The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8558"
},
{
"id": "CVE-2015-8567",
"summary": "Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause a denial of service (memory consumption).",
"scorev2": "6.8",
"scorev3": "7.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8567"
},
{
"id": "CVE-2015-8568",
"summary": "Memory leak in QEMU, when built with a VMWARE VMXNET3 paravirtual NIC emulator support, allows local guest users to cause a denial of service (host memory consumption) by trying to activate the vmxnet3 device repeatedly.",
"scorev2": "4.7",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8568"
},
{
"id": "CVE-2015-8613",
"summary": "Stack-based buffer overflow in the megasas_ctrl_get_info function in QEMU, when built with SCSI MegaRAID SAS HBA emulation support, allows local guest users to cause a denial of service (QEMU instance crash) via a crafted SCSI controller CTRL_GET_INFO command.",
"scorev2": "1.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8613"
},
{
"id": "CVE-2015-8619",
"summary": "The Human Monitor Interface support in QEMU allows remote attackers to cause a denial of service (out-of-bounds write and application crash).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8619"
},
{
"id": "CVE-2015-8666",
"summary": "Heap-based buffer overflow in QEMU, when built with the Q35-chipset-based PC system emulator.",
"scorev2": "3.3",
"scorev3": "7.9",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8666"
},
{
"id": "CVE-2015-8701",
"summary": "QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the QEMU process instance resulting in DoS issue.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8701"
},
{
"id": "CVE-2015-8743",
"summary": "QEMU (aka Quick Emulator) built with the NE2000 device emulation support is vulnerable to an OOB r/w access issue. It could occur while performing 'ioport' r/w operations. A privileged (CAP_SYS_RAWIO) user/process could use this flaw to leak or corrupt QEMU memory bytes.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8743"
},
{
"id": "CVE-2015-8744",
"summary": "QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It occurs when a guest sends a Layer-2 packet smaller than 22 bytes. A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8744"
},
{
"id": "CVE-2015-8745",
"summary": "QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It could occur while reading Interrupt Mask Registers (IMR). A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8745"
},
{
"id": "CVE-2015-8817",
"summary": "QEMU (aka Quick Emulator) built to use 'address_space_translate' to map an address to a MemoryRegionSection is vulnerable to an OOB r/w access issue. It could occur while doing pci_dma_read/write calls. Affects QEMU versions >= 1.6.0 and <= 2.3.1. A privileged user inside guest could use this flaw to crash the guest instance resulting in DoS.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8817"
},
{
"id": "CVE-2015-8818",
"summary": "The cpu_physical_memory_write_rom_internal function in exec.c in QEMU (aka Quick Emulator) does not properly skip MMIO regions, which allows local privileged guest users to cause a denial of service (guest crash) via unspecified vectors.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8818"
},
{
"id": "CVE-2016-10028",
"summary": "The virgl_cmd_get_capset function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a VIRTIO_GPU_CMD_GET_CAPSET command with a maximum capabilities size with a value of 0.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10028"
},
{
"id": "CVE-2016-10029",
"summary": "The virtio_gpu_set_scanout function in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a scanout id in a VIRTIO_GPU_CMD_SET_SCANOUT command larger than num_scanouts.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10029"
},
{
"id": "CVE-2016-10155",
"summary": "Memory leak in hw/watchdog/wdt_i6300esb.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.",
"scorev2": "4.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10155"
},
{
"id": "CVE-2016-1568",
"summary": "Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.",
"scorev2": "6.9",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1568"
},
{
"id": "CVE-2016-1714",
"summary": "The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO privilege to cause a denial of service (out-of-bounds read or write access and process crash) or possibly execute arbitrary code via an invalid current entry value in a firmware configuration.",
"scorev2": "6.9",
"scorev3": "8.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1714"
},
{
"id": "CVE-2016-1922",
"summary": "QEMU (aka Quick Emulator) built with the TPR optimization for 32-bit Windows guests support is vulnerable to a null pointer dereference flaw. It occurs while doing I/O port write operations via hmp interface. In that, 'current_cpu' remains null, which leads to the null pointer dereference. A user or process could use this flaw to crash the QEMU instance, resulting in DoS issue.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1922"
},
{
"id": "CVE-2016-1981",
"summary": "QEMU (aka Quick Emulator) built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing data via transmit or receive descriptors, provided the initial receive/transmit descriptor head (TDH/RDH) is set outside the allocated descriptor buffer. A privileged user inside guest could use this flaw to crash the QEMU instance resulting in DoS.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1981"
},
{
"id": "CVE-2016-2197",
"summary": "QEMU (aka Quick Emulator) built with an IDE AHCI emulation support is vulnerable to a null pointer dereference flaw. It occurs while unmapping the Frame Information Structure (FIS) and Command List Block (CLB) entries. A privileged user inside guest could use this flaw to crash the QEMU process instance resulting in DoS.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2197"
},
{
"id": "CVE-2016-2198",
"summary": "QEMU (aka Quick Emulator) built with the USB EHCI emulation support is vulnerable to a null pointer dereference flaw. It could occur when an application attempts to write to EHCI capabilities registers. A privileged user inside quest could use this flaw to crash the QEMU process instance resulting in DoS.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2198"
},
{
"id": "CVE-2016-2391",
"summary": "The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers.",
"scorev2": "2.1",
"scorev3": "5.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2391"
},
{
"id": "CVE-2016-2392",
"summary": "The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 does not properly validate USB configuration descriptor objects, which allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2392"
},
{
"id": "CVE-2016-2538",
"summary": "Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2538"
},
{
"id": "CVE-2016-2841",
"summary": "The ne2000_receive function in the NE2000 NIC emulation support (hw/net/ne2000.c) in QEMU before 2.5.1 allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via crafted values for the PSTART and PSTOP registers, involving ring buffer control.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2841"
},
{
"id": "CVE-2016-2857",
"summary": "The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet.",
"scorev2": "3.6",
"scorev3": "8.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2857"
},
{
"id": "CVE-2016-2858",
"summary": "QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption.",
"scorev2": "1.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2858"
},
{
"id": "CVE-2016-3710",
"summary": "The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the \"Dark Portal\" issue.",
"scorev2": "7.2",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3710"
},
{
"id": "CVE-2016-3712",
"summary": "Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3712"
},
{
"id": "CVE-2016-4001",
"summary": "Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet.",
"scorev2": "4.3",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4001"
},
{
"id": "CVE-2016-4002",
"summary": "Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes.",
"scorev2": "6.8",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4002"
},
{
"id": "CVE-2016-4020",
"summary": "The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR).",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4020"
},
{
"id": "CVE-2016-4037",
"summary": "The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular split isochronous transfer descriptor (siTD) list, a related issue to CVE-2015-8558.",
"scorev2": "4.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4037"
},
{
"id": "CVE-2016-4439",
"summary": "The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the QEMU host via unspecified vectors.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4439"
},
{
"id": "CVE-2016-4441",
"summary": "The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check DMA length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4441"
},
{
"id": "CVE-2016-4453",
"summary": "The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4453"
},
{
"id": "CVE-2016-4454",
"summary": "The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read.",
"scorev2": "3.6",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4454"
},
{
"id": "CVE-2016-4952",
"summary": "QEMU (aka Quick Emulator), when built with VMWARE PVSCSI paravirtual SCSI bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds array access) via vectors related to the (1) PVSCSI_CMD_SETUP_RINGS or (2) PVSCSI_CMD_SETUP_MSG_RING SCSI command.",
"scorev2": "1.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4952"
},
{
"id": "CVE-2016-4964",
"summary": "The mptsas_fetch_requests function in hw/scsi/mptsas.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop, and CPU consumption or QEMU process crash) via vectors involving s->state.",
"scorev2": "4.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4964"
},
{
"id": "CVE-2016-5105",
"summary": "The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, uses an uninitialized variable, which allows local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command.",
"scorev2": "1.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5105"
},
{
"id": "CVE-2016-5106",
"summary": "The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command.",
"scorev2": "1.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5106"
},
{
"id": "CVE-2016-5107",
"summary": "The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors.",
"scorev2": "1.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5107"
},
{
"id": "CVE-2016-5126",
"summary": "Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5126"
},
{
"id": "CVE-2016-5238",
"summary": "The get_cmd function in hw/scsi/esp.c in QEMU might allow local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5238"
},
{
"id": "CVE-2016-5337",
"summary": "The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allows local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5337"
},
{
"id": "CVE-2016-5338",
"summary": "The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allow local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5338"
},
{
"id": "CVE-2016-5403",
"summary": "The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5403"
},
{
"id": "CVE-2016-6351",
"summary": "The esp_do_dma function in hw/scsi/esp.c in QEMU (aka Quick Emulator), when built with ESP/NCR53C9x controller emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the QEMU host via vectors involving DMA read into ESP command buffer.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6351"
},
{
"id": "CVE-2016-6490",
"summary": "The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6490"
},
{
"id": "CVE-2016-6833",
"summary": "Use-after-free vulnerability in the vmxnet3_io_bar0_write function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU instance crash) by leveraging failure to check if the device is active.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6833"
},
{
"id": "CVE-2016-6834",
"summary": "The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the current fragment length.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6834"
},
{
"id": "CVE-2016-6835",
"summary": "The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (buffer over-read) by leveraging failure to check IP header length.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6835"
},
{
"id": "CVE-2016-6836",
"summary": "The vmxnet3_complete_packet function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host memory information by leveraging failure to initialize the txcq_descr object.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6836"
},
{
"id": "CVE-2016-6888",
"summary": "Integer overflow in the net_tx_pkt_init function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU process crash) via the maximum fragmentation count, which triggers an unchecked multiplication and NULL pointer dereference.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6888"
},
{
"id": "CVE-2016-7116",
"summary": "Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to access host files outside the export path via a .. (dot dot) in an unspecified string.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7116"
},
{
"id": "CVE-2016-7155",
"summary": "hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds access or infinite loop, and QEMU process crash) via a crafted page count for descriptor rings.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7155"
},
{
"id": "CVE-2016-7156",
"summary": "The pvscsi_convert_sglist function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging an incorrect cast.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7156"
},
{
"id": "CVE-2016-7157",
"summary": "The (1) mptsas_config_manufacturing_1 and (2) mptsas_config_ioc_0 functions in hw/scsi/mptconfig.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via vectors involving MPTSAS_CONFIG_PACK.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7157"
},
{
"id": "CVE-2016-7161",
"summary": "Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7161"
},
{
"id": "CVE-2016-7170",
"summary": "The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7170"
},
{
"id": "CVE-2016-7421",
"summary": "The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the ring size.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7421"
},
{
"id": "CVE-2016-7422",
"summary": "The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via a large I/O descriptor buffer length value.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7422"
},
{
"id": "CVE-2016-7423",
"summary": "The mptsas_process_scsi_io_request function in QEMU (aka Quick Emulator), when built with LSI SAS1068 Host Bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors involving MPTSASRequest objects.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7423"
},
{
"id": "CVE-2016-7466",
"summary": "Memory leak in the usb_xhci_exit function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator), when the xhci uses msix, allows local guest OS administrators to cause a denial of service (memory consumption and possibly QEMU process crash) by repeatedly unplugging a USB device.",
"scorev2": "1.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7466"
},
{
"id": "CVE-2016-7907",
"summary": "The imx_fec_do_tx function in hw/net/imx_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7907"
},
{
"id": "CVE-2016-7908",
"summary": "The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7908"
},
{
"id": "CVE-2016-7909",
"summary": "The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7909"
},
{
"id": "CVE-2016-7994",
"summary": "Memory leak in the virtio_gpu_resource_create_2d function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_CREATE_2D commands.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7994"
},
{
"id": "CVE-2016-7995",
"summary": "Memory leak in the ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of crafted buffer page select (PG) indexes.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7995"
},
{
"id": "CVE-2016-8576",
"summary": "The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8576"
},
{
"id": "CVE-2016-8577",
"summary": "Memory leak in the v9fs_read function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors related to an I/O read operation.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8577"
},
{
"id": "CVE-2016-8578",
"summary": "The v9fs_iov_vunmarshal function in fsdev/9p-iov-marshal.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) by sending an empty string parameter to a 9P operation.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8578"
},
{
"id": "CVE-2016-8667",
"summary": "The rc4030_write function in hw/dma/rc4030.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8667"
},
{
"id": "CVE-2016-8668",
"summary": "The rocker_io_writel function in hw/net/rocker/rocker.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging failure to limit DMA buffer size.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8668"
},
{
"id": "CVE-2016-8669",
"summary": "The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8669"
},
{
"id": "CVE-2016-8909",
"summary": "The intel_hda_xfer function in hw/audio/intel-hda.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8909"
},
{
"id": "CVE-2016-8910",
"summary": "The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8910"
},
{
"id": "CVE-2016-9101",
"summary": "Memory leak in hw/net/eepro100.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by repeatedly unplugging an i8255x (PRO100) NIC device.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9101"
},
{
"id": "CVE-2016-9102",
"summary": "Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9102"
},
{
"id": "CVE-2016-9103",
"summary": "The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values before writing to them.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9103"
},
{
"id": "CVE-2016-9104",
"summary": "Multiple integer overflows in the (1) v9fs_xattr_read and (2) v9fs_xattr_write functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via a crafted offset, which triggers an out-of-bounds access.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9104"
},
{
"id": "CVE-2016-9105",
"summary": "Memory leak in the v9fs_link function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors involving a reference to the source fid object.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9105"
},
{
"id": "CVE-2016-9106",
"summary": "Memory leak in the v9fs_write function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) by leveraging failure to free an IO vector.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9106"
},
{
"id": "CVE-2016-9381",
"summary": "Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a \"double fetch\" vulnerability.",
"scorev2": "6.9",
"scorev3": "7.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9381"
},
{
"id": "CVE-2016-9602",
"summary": "Qemu before version 2.9 is vulnerable to an improper link following when built with the VirtFS. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.",
"scorev2": "9.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9602"
},
{
"id": "CVE-2016-9603",
"summary": "A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support before 2.9; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the host with privileges of the QEMU process.",
"scorev2": "9.0",
"scorev3": "9.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9603"
},
{
"id": "CVE-2016-9776",
"summary": "QEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet Controller emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could use this issue to crash the QEMU process on the host leading to DoS.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9776"
},
{
"id": "CVE-2016-9845",
"summary": "QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest user/process could use this flaw to leak contents of the host memory bytes.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9845"
},
{
"id": "CVE-2016-9846",
"summary": "QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while updating the cursor data in update_cursor_data_virgl. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9846"
},
{
"id": "CVE-2016-9907",
"summary": "Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9907"
},
{
"id": "CVE-2016-9908",
"summary": "Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak contents of the host memory bytes.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9908"
},
{
"id": "CVE-2016-9911",
"summary": "Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9911"
},
{
"id": "CVE-2016-9912",
"summary": "Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while destroying gpu resource object in 'virtio_gpu_resource_destroy'. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9912"
},
{
"id": "CVE-2016-9913",
"summary": "Memory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) via vectors involving the order of resource cleanup.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9913"
},
{
"id": "CVE-2016-9914",
"summary": "Memory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in FileOperations.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9914"
},
{
"id": "CVE-2016-9915",
"summary": "Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the handle backend.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9915"
},
{
"id": "CVE-2016-9916",
"summary": "Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the proxy backend.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9916"
},
{
"id": "CVE-2016-9921",
"summary": "Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9921"
},
{
"id": "CVE-2016-9922",
"summary": "The cirrus_do_copy function in hw/display/cirrus_vga.c in QEMU (aka Quick Emulator), when cirrus graphics mode is VGA, allows local guest OS privileged users to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving blit pitch values.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9922"
},
{
"id": "CVE-2016-9923",
"summary": "Quick Emulator (Qemu) built with the 'chardev' backend support is vulnerable to a use after free issue. It could occur while hotplug and unplugging the device in the guest. A guest user/process could use this flaw to crash a Qemu process on the host resulting in DoS.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9923"
},
{
"id": "CVE-2017-10664",
"summary": "qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10664"
},
{
"id": "CVE-2017-10806",
"summary": "Stack-based buffer overflow in hw/usb/redirect.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10806"
},
{
"id": "CVE-2017-11334",
"summary": "The address_space_write_continue function in exec.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11334"
},
{
"id": "CVE-2017-11434",
"summary": "The dhcp_decode function in slirp/bootp.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) via a crafted DHCP options string.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11434"
},
{
"id": "CVE-2017-12809",
"summary": "QEMU (aka Quick Emulator), when built with the IDE disk and CD/DVD-ROM Emulator support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12809"
},
{
"id": "CVE-2017-13672",
"summary": "QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13672"
},
{
"id": "CVE-2017-13673",
"summary": "The vga display update in mis-calculated the region for the dirty bitmap snapshot in case split screen mode is used causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty function.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13673"
},
{
"id": "CVE-2017-13711",
"summary": "Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13711"
},
{
"id": "CVE-2017-14167",
"summary": "Integer overflow in the load_multiboot function in hw/i386/multiboot.c in QEMU (aka Quick Emulator) allows local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write.",
"scorev2": "7.2",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14167"
},
{
"id": "CVE-2017-15038",
"summary": "Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes.",
"scorev2": "1.9",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15038"
},
{
"id": "CVE-2017-15118",
"summary": "A stack-based buffer overflow vulnerability was found in NBD server implementation in qemu before 2.11 allowing a client to request an export name of size up to 4096 bytes, which in fact should be limited to 256 bytes, causing an out-of-bounds stack write in the qemu process. If NBD server requires TLS, the attacker cannot trigger the buffer overflow without first successfully negotiating TLS.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15118"
},
{
"id": "CVE-2017-15119",
"summary": "The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS.",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15119"
},
{
"id": "CVE-2017-15124",
"summary": "VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15124"
},
{
"id": "CVE-2017-15268",
"summary": "Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15268"
},
{
"id": "CVE-2017-15289",
"summary": "The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15289"
},
{
"id": "CVE-2017-16845",
"summary": "hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access.",
"scorev2": "6.4",
"scorev3": "10.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16845"
},
{
"id": "CVE-2017-17381",
"summary": "The Virtio Vring implementation in QEMU allows local OS guest users to cause a denial of service (divide-by-zero error and QEMU process crash) by unsetting vring alignment while updating Virtio rings.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17381"
},
{
"id": "CVE-2017-18030",
"summary": "The cirrus_invalidate_region function in hw/display/cirrus_vga.c in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to negative pitch.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18030"
},
{
"id": "CVE-2017-18043",
"summary": "Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) allows a user to cause a denial of service (Qemu process crash).",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18043"
},
{
"id": "CVE-2017-2615",
"summary": "Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host.",
"scorev2": "9.0",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2615"
},
{
"id": "CVE-2017-2620",
"summary": "Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process.",
"scorev2": "9.0",
"scorev3": "9.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2620"
},
{
"id": "CVE-2017-2630",
"summary": "A stack buffer overflow flaw was found in the Quick Emulator (QEMU) before 2.9 built with the Network Block Device (NBD) client support. The flaw could occur while processing server's response to a 'NBD_OPT_LIST' request. A malicious NBD server could use this issue to crash a remote NBD client resulting in DoS or potentially execute arbitrary code on client host with privileges of the QEMU process.",
"scorev2": "6.5",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2630"
},
{
"id": "CVE-2017-2633",
"summary": "An out-of-bounds memory access issue was found in Quick Emulator (QEMU) before 1.7.2 in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the 'vnc_refresh_server_surface'. A user inside a guest could use this flaw to crash the QEMU process.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2633"
},
{
"id": "CVE-2017-5525",
"summary": "Memory leak in hw/audio/ac97.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5525"
},
{
"id": "CVE-2017-5526",
"summary": "Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5526"
},
{
"id": "CVE-2017-5552",
"summary": "Memory leak in the virgl_resource_attach_backing function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5552"
},
{
"id": "CVE-2017-5578",
"summary": "Memory leak in the virtio_gpu_resource_attach_backing function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5578"
},
{
"id": "CVE-2017-5579",
"summary": "Memory leak in the serial_exit_core function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5579"
},
{
"id": "CVE-2017-5667",
"summary": "The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds heap access and crash) or execute arbitrary code on the QEMU host via vectors involving the data transfer length.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5667"
},
{
"id": "CVE-2017-5856",
"summary": "Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) via MegaRAID Firmware Interface (MFI) commands with the sglist size set to a value over 2 Gb.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5856"
},
{
"id": "CVE-2017-5857",
"summary": "Memory leak in the virgl_cmd_resource_unref function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_UNREF commands sent without detaching the backing storage beforehand.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5857"
},
{
"id": "CVE-2017-5898",
"summary": "Integer overflow in the emulated_apdu_from_guest function in usb/dev-smartcard-reader.c in Quick Emulator (Qemu), when built with the CCID Card device emulator support, allows local users to cause a denial of service (application crash) via a large Application Protocol Data Units (APDU) unit.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5898"
},
{
"id": "CVE-2017-5931",
"summary": "Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code on the host via a crafted virtio-crypto request, which triggers a heap-based buffer overflow.",
"scorev2": "7.2",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5931"
},
{
"id": "CVE-2017-5973",
"summary": "The xhci_kick_epctx function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors related to control transfer descriptor sequence.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5973"
},
{
"id": "CVE-2017-5987",
"summary": "The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5987"
},
{
"id": "CVE-2017-6058",
"summary": "Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU (aka Quick Emulator), when the VLANSTRIP feature is enabled on the vmxnet3 device, allows remote attackers to cause a denial of service (out-of-bounds access and QEMU process crash) via vectors related to VLAN stripping.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6058"
},
{
"id": "CVE-2017-6505",
"summary": "The ohci_service_ed_list function in hw/usb/hcd-ohci.c in QEMU (aka Quick Emulator) before 2.9.0 allows local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors, a different vulnerability than CVE-2017-9330.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6505"
},
{
"id": "CVE-2017-7377",
"summary": "The (1) v9fs_create and (2) v9fs_lcreate functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS privileged users to cause a denial of service (file descriptor or memory consumption) via vectors related to an already in-use fid.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7377"
},
{
"id": "CVE-2017-7471",
"summary": "Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.",
"scorev2": "7.7",
"scorev3": "9.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7471"
},
{
"id": "CVE-2017-7493",
"summary": "Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could use this flaw to escalate their privileges inside guest.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7493"
},
{
"id": "CVE-2017-7539",
"summary": "An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7539"
},
{
"id": "CVE-2017-7718",
"summary": "hw/display/cirrus_vga_rop.h in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7718"
},
{
"id": "CVE-2017-7980",
"summary": "Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick Emulator (Qemu) 2.8 and earlier allows local guest OS users to execute arbitrary code or cause a denial of service (crash) via vectors related to a VNC client updating its display after a VGA operation.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7980"
},
{
"id": "CVE-2017-8086",
"summary": "Memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8086"
},
{
"id": "CVE-2017-8112",
"summary": "hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8112"
},
{
"id": "CVE-2017-8284",
"summary": "The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic block that injects code into a setuid program, as demonstrated by procmail. NOTE: the vendor has stated \"this bug does not violate any security guarantees QEMU makes.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8284"
},
{
"id": "CVE-2017-8309",
"summary": "Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8309"
},
{
"id": "CVE-2017-8379",
"summary": "Memory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8379"
},
{
"id": "CVE-2017-8380",
"summary": "Buffer overflow in the \"megasas_mmio_write\" function in Qemu 2.9.0 allows remote attackers to have unspecified impact via unknown vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8380"
},
{
"id": "CVE-2017-9060",
"summary": "Memory leak in the virtio_gpu_set_scanout function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (memory consumption) via a large number of \"VIRTIO_GPU_CMD_SET_SCANOUT:\" commands.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9060"
},
{
"id": "CVE-2017-9310",
"summary": "QEMU (aka Quick Emulator), when built with the e1000e NIC emulation support, allows local guest OS privileged users to cause a denial of service (infinite loop) via vectors related to setting the initial receive / transmit descriptor head (TDH/RDH) outside the allocated descriptor buffer.",
"scorev2": "1.9",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9310"
},
{
"id": "CVE-2017-9330",
"summary": "QEMU (aka Quick Emulator) before 2.9.0, when built with the USB OHCI Emulation support, allows local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value, a different vulnerability than CVE-2017-6505.",
"scorev2": "1.9",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9330"
},
{
"id": "CVE-2017-9373",
"summary": "Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the AHCI device.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9373"
},
{
"id": "CVE-2017-9374",
"summary": "Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the device.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9374"
},
{
"id": "CVE-2017-9375",
"summary": "QEMU (aka Quick Emulator), when built with USB xHCI controller emulator support, allows local guest OS privileged users to cause a denial of service (infinite recursive call) via vectors involving control transfer descriptors sequencing.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9375"
},
{
"id": "CVE-2017-9503",
"summary": "QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9503"
},
{
"id": "CVE-2017-9524",
"summary": "The qemu-nbd server in QEMU (aka Quick Emulator), when built with the Network Block Device (NBD) Server support, allows remote attackers to cause a denial of service (segmentation fault and server crash) by leveraging failure to ensure that all initialization occurs before talking to a client in the nbd_negotiate function.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9524"
},
{
"id": "CVE-2018-10839",
"summary": "Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10839"
},
{
"id": "CVE-2018-11806",
"summary": "m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams.",
"scorev2": "7.2",
"scorev3": "8.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11806"
},
{
"id": "CVE-2018-12617",
"summary": "qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12617"
},
{
"id": "CVE-2018-15746",
"summary": "qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15746"
},
{
"id": "CVE-2018-16847",
"summary": "An OOB heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU. It could occur in nvme_cmb_ops routines in nvme device. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process.",
"scorev2": "4.6",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16847"
},
{
"id": "CVE-2018-16867",
"summary": "A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0. A path traversal in the in usb_mtp_write_data function in hw/usb/dev-mtp.c due to an improper filename sanitization. When the guest device is mounted in read-write mode, this allows to read/write arbitrary files which may lead do DoS scenario OR possibly lead to code execution on the host.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16867"
},
{
"id": "CVE-2018-16872",
"summary": "A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS.",
"scorev2": "3.5",
"scorev3": "5.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16872"
},
{
"id": "CVE-2018-17958",
"summary": "Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17958"
},
{
"id": "CVE-2018-17962",
"summary": "Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17962"
},
{
"id": "CVE-2018-17963",
"summary": "qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17963"
},
{
"id": "CVE-2018-18438",
"summary": "Qemu has integer overflows because IOReadHandler and its associated functions use a signed integer data type for a size value.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18438",
"detail": "disputed",
"description": "The issues identified by this CVE were determined to not constitute a vulnerability."
},
{
"id": "CVE-2018-18849",
"summary": "In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18849"
},
{
"id": "CVE-2018-18954",
"summary": "The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1 allows out-of-bounds write or read access to PowerNV memory.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18954"
},
{
"id": "CVE-2018-19364",
"summary": "hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to (for example) a use-after-free outcome.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19364"
},
{
"id": "CVE-2018-19489",
"summary": "v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to cause a denial of service (crash) because of a race condition during file renaming.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19489"
},
{
"id": "CVE-2018-19665",
"summary": "The Bluetooth subsystem in QEMU mishandles negative values for length variables, leading to memory corruption.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19665"
},
{
"id": "CVE-2018-20123",
"summary": "pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a Memory leak after an initialisation error.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20123"
},
{
"id": "CVE-2018-20124",
"summary": "hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20124"
},
{
"id": "CVE-2018-20125",
"summary": "hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20125"
},
{
"id": "CVE-2018-20126",
"summary": "hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are mishandled.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20126"
},
{
"id": "CVE-2018-20191",
"summary": "hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20191"
},
{
"id": "CVE-2018-20216",
"summary": "QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and -1 is mishandled).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20216"
},
{
"id": "CVE-2018-20815",
"summary": "In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20815"
},
{
"id": "CVE-2018-5683",
"summary": "The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5683"
},
{
"id": "CVE-2018-7550",
"summary": "The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access.",
"scorev2": "4.6",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7550"
},
{
"id": "CVE-2018-7858",
"summary": "Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by leveraging incorrect region calculation when updating VGA display.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7858"
},
{
"id": "CVE-2019-12067",
"summary": "The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12067"
},
{
"id": "CVE-2019-12068",
"summary": "In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.",
"scorev2": "2.1",
"scorev3": "3.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12068"
},
{
"id": "CVE-2019-12155",
"summary": "interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12155"
},
{
"id": "CVE-2019-12247",
"summary": "QEMU 3.0.0 has an Integer Overflow because the qga/commands*.c files do not check the length of the argument list or the number of environment variables. NOTE: This has been disputed as not exploitable",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12247"
},
{
"id": "CVE-2019-12928",
"summary": "The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12928"
},
{
"id": "CVE-2019-12929",
"summary": "The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12929"
},
{
"id": "CVE-2019-13164",
"summary": "qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13164"
},
{
"id": "CVE-2019-15034",
"summary": "hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading to a buffer overflow involving the PCIe extended config space.",
"scorev2": "4.4",
"scorev3": "5.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15034"
},
{
"id": "CVE-2019-15890",
"summary": "libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15890"
},
{
"id": "CVE-2019-20175",
"summary": "An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a multiple of 512 (the size of a sector). NOTE: a member of the QEMU security team disputes the significance of this issue because a \"privileged guest user has many ways to cause similar DoS effect, without triggering this assert.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20175"
},
{
"id": "CVE-2019-20382",
"summary": "QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd.",
"scorev2": "2.7",
"scorev3": "3.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20382"
},
{
"id": "CVE-2019-20808",
"summary": "In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation. It occurs in the ati_cursor_define() routine while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20808"
},
{
"id": "CVE-2019-3812",
"summary": "QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the host.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3812"
},
{
"id": "CVE-2019-5008",
"summary": "hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dereference, which allows the attacker to cause a denial of service via a device driver.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5008"
},
{
"id": "CVE-2019-6501",
"summary": "In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c allows out-of-bounds write and read operations.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6501"
},
{
"id": "CVE-2019-6778",
"summary": "In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6778"
},
{
"id": "CVE-2019-8934",
"summary": "hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8934"
},
{
"id": "CVE-2019-9824",
"summary": "tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9824"
},
{
"id": "CVE-2020-10702",
"summary": "A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10702"
},
{
"id": "CVE-2020-10717",
"summary": "A potential DoS flaw was found in the virtio-fs shared file system daemon (virtiofsd) implementation of the QEMU version >= v5.0. Virtio-fs is meant to share a host file system directory with a guest via virtio-fs device. If the guest opens the maximum number of file descriptors under the shared directory, a denial of service may occur. This flaw allows a guest user/process to cause this denial of service on the host.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10717"
},
{
"id": "CVE-2020-10761",
"summary": "An assertion failure issue was found in the Network Block Device(NBD) Server in all QEMU versions before QEMU 5.0.1. This flaw occurs when an nbd-client sends a spec-compliant request that is near the boundary of maximum permitted request length. A remote nbd-client could use this flaw to crash the qemu-nbd server resulting in a denial of service.",
"scorev2": "4.0",
"scorev3": "5.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10761"
},
{
"id": "CVE-2020-11102",
"summary": "hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length.",
"scorev2": "6.8",
"scorev3": "5.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11102"
},
{
"id": "CVE-2020-11869",
"summary": "An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11869"
},
{
"id": "CVE-2020-11947",
"summary": "iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker.",
"scorev2": "2.1",
"scorev3": "3.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11947"
},
{
"id": "CVE-2020-12829",
"summary": "In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service.",
"scorev2": "2.1",
"scorev3": "3.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12829"
},
{
"id": "CVE-2020-13253",
"summary": "sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13253"
},
{
"id": "CVE-2020-13361",
"summary": "In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.",
"scorev2": "3.3",
"scorev3": "3.9",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13361"
},
{
"id": "CVE-2020-13362",
"summary": "In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user.",
"scorev2": "2.1",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13362"
},
{
"id": "CVE-2020-13659",
"summary": "address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer.",
"scorev2": "1.9",
"scorev3": "2.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13659"
},
{
"id": "CVE-2020-13754",
"summary": "hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13754"
},
{
"id": "CVE-2020-13765",
"summary": "rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation.",
"scorev2": "6.8",
"scorev3": "5.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13765"
},
{
"id": "CVE-2020-13791",
"summary": "hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13791"
},
{
"id": "CVE-2020-13800",
"summary": "ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call.",
"scorev2": "4.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13800"
},
{
"id": "CVE-2020-14364",
"summary": "An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host.",
"scorev2": "4.4",
"scorev3": "5.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14364"
},
{
"id": "CVE-2020-14394",
"summary": "An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.",
"scorev2": "0.0",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14394"
},
{
"id": "CVE-2020-14415",
"summary": "oss_write in audio/ossaudio.c in QEMU before 5.0.0 mishandles a buffer position.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14415"
},
{
"id": "CVE-2020-15469",
"summary": "In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.",
"scorev2": "2.1",
"scorev3": "2.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15469"
},
{
"id": "CVE-2020-15859",
"summary": "QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15859"
},
{
"id": "CVE-2020-15863",
"summary": "hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential privileged code execution. This was fixed in commit 5519724a13664b43e225ca05351c60b4468e4555.",
"scorev2": "4.4",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15863"
},
{
"id": "CVE-2020-16092",
"summary": "In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c.",
"scorev2": "2.1",
"scorev3": "3.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16092"
},
{
"id": "CVE-2020-1711",
"summary": "An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host.",
"scorev2": "6.0",
"scorev3": "6.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1711"
},
{
"id": "CVE-2020-17380",
"summary": "A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host.",
"scorev2": "4.6",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17380"
},
{
"id": "CVE-2020-24165",
"summary": "An issue was discovered in TCG Accelerator in QEMU 4.2.0, allows local attackers to execute arbitrary code, escalate privileges, and cause a denial of service (DoS). Note: This is disputed as a bug and not a valid security issue by multiple third parties.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24165"
},
{
"id": "CVE-2020-24352",
"summary": "An issue was discovered in QEMU through 5.1.0. An out-of-bounds memory access was found in the ATI VGA device implementation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati_2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24352"
},
{
"id": "CVE-2020-25084",
"summary": "QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.",
"scorev2": "2.1",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25084"
},
{
"id": "CVE-2020-25085",
"summary": "QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case.",
"scorev2": "4.4",
"scorev3": "5.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25085"
},
{
"id": "CVE-2020-25624",
"summary": "hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver.",
"scorev2": "4.4",
"scorev3": "5.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25624"
},
{
"id": "CVE-2020-25625",
"summary": "hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop.",
"scorev2": "4.7",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25625"
},
{
"id": "CVE-2020-25723",
"summary": "A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service.",
"scorev2": "2.1",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25723"
},
{
"id": "CVE-2020-25741",
"summary": "fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.",
"scorev2": "2.1",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25741"
},
{
"id": "CVE-2020-25742",
"summary": "pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.",
"scorev2": "2.1",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25742"
},
{
"id": "CVE-2020-25743",
"summary": "hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.",
"scorev2": "2.1",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25743"
},
{
"id": "CVE-2020-27616",
"summary": "ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a calculation. A guest can crash the QEMU process.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27616"
},
{
"id": "CVE-2020-27617",
"summary": "eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27617"
},
{
"id": "CVE-2020-27661",
"summary": "A divide-by-zero issue was found in dwc2_handle_packet in hw/usb/hcd-dwc2.c in the hcd-dwc2 USB host controller emulation of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27661"
},
{
"id": "CVE-2020-27821",
"summary": "A flaw was found in the memory management API of QEMU during the initialization of a memory region cache. This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27821"
},
{
"id": "CVE-2020-28916",
"summary": "hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28916"
},
{
"id": "CVE-2020-29443",
"summary": "ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated.",
"scorev2": "3.3",
"scorev3": "3.9",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29443"
},
{
"id": "CVE-2020-35503",
"summary": "A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35503"
},
{
"id": "CVE-2020-35504",
"summary": "A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35504"
},
{
"id": "CVE-2020-35505",
"summary": "A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35505"
},
{
"id": "CVE-2020-35506",
"summary": "A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35506"
},
{
"id": "CVE-2020-35517",
"summary": "A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to r/w access host devices.",
"scorev2": "4.6",
"scorev3": "8.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35517"
},
{
"id": "CVE-2020-7039",
"summary": "tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code.",
"scorev2": "6.8",
"scorev3": "5.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-7039"
},
{
"id": "CVE-2020-7211",
"summary": "tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\\ directory traversal on Windows.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-7211"
},
{
"id": "CVE-2021-20181",
"summary": "A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.",
"scorev2": "6.9",
"scorev3": "7.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20181"
},
{
"id": "CVE-2021-20196",
"summary": "A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20196"
},
{
"id": "CVE-2021-20203",
"summary": "An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.",
"scorev2": "2.1",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20203"
},
{
"id": "CVE-2021-20221",
"summary": "An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20221"
},
{
"id": "CVE-2021-20255",
"summary": "A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20255"
},
{
"id": "CVE-2021-20257",
"summary": "An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20257"
},
{
"id": "CVE-2021-20263",
"summary": "A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20263"
},
{
"id": "CVE-2021-20295",
"summary": "It was discovered that the update for the virt:rhel module in the RHSA-2020:4676 (https://access.redhat.com/errata/RHSA-2020:4676) erratum released as part of Red Hat Enterprise Linux 8.3 failed to include the fix for the qemu-kvm component issue CVE-2020-10756, which was previously corrected in virt:rhel/qemu-kvm via erratum RHSA-2020:4059 (https://access.redhat.com/errata/RHSA-2020:4059). CVE-2021-20295 was assigned to that Red Hat specific security regression. For more details about the original security issue CVE-2020-10756, refer to bug 1835986 or the CVE page: https://access.redhat.com/security/cve/CVE-2020-10756.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20295"
},
{
"id": "CVE-2021-3392",
"summary": "A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.",
"scorev2": "2.1",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3392"
},
{
"id": "CVE-2021-3409",
"summary": "The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this.",
"scorev2": "4.6",
"scorev3": "5.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3409"
},
{
"id": "CVE-2021-3416",
"summary": "A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3416"
},
{
"id": "CVE-2021-3507",
"summary": "A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory.",
"scorev2": "3.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3507"
},
{
"id": "CVE-2021-3527",
"summary": "A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3527"
},
{
"id": "CVE-2021-3544",
"summary": "Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3544"
},
{
"id": "CVE-2021-3545",
"summary": "An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3545"
},
{
"id": "CVE-2021-3546",
"summary": "An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process.",
"scorev2": "4.6",
"scorev3": "8.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3546"
},
{
"id": "CVE-2021-3582",
"summary": "A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while handling a \"PVRDMA_CMD_CREATE_MR\" command due to improper memory remapping (mremap). This flaw allows a malicious guest to crash the QEMU process on the host. The highest threat from this vulnerability is to system availability.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3582"
},
{
"id": "CVE-2021-3607",
"summary": "An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a \"PVRDMA_REG_DSRHIGH\" write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
"scorev2": "4.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3607"
},
{
"id": "CVE-2021-3608",
"summary": "A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a \"PVRDMA_REG_DSRHIGH\" write from the guest and may result in a crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest threat from this vulnerability is to system availability.",
"scorev2": "4.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3608"
},
{
"id": "CVE-2021-3611",
"summary": "A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. This flaw affects QEMU versions prior to 7.0.0.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3611"
},
{
"id": "CVE-2021-3638",
"summary": "An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3638"
},
{
"id": "CVE-2021-3682",
"summary": "A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.",
"scorev2": "6.0",
"scorev3": "8.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3682"
},
{
"id": "CVE-2021-3713",
"summary": "An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host.",
"scorev2": "4.6",
"scorev3": "7.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3713"
},
{
"id": "CVE-2021-3735",
"summary": "A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3735"
},
{
"id": "CVE-2021-3748",
"summary": "A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.",
"scorev2": "6.9",
"scorev3": "7.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3748"
},
{
"id": "CVE-2021-3750",
"summary": "A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.",
"scorev2": "4.6",
"scorev3": "8.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3750"
},
{
"id": "CVE-2021-3929",
"summary": "A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.",
"scorev2": "0.0",
"scorev3": "8.2",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3929"
},
{
"id": "CVE-2021-3930",
"summary": "An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3930"
},
{
"id": "CVE-2021-3947",
"summary": "A stack-buffer-overflow was found in QEMU in the NVME component. The flaw lies in nvme_changed_nslist() where a malicious guest controlling certain input can read out of bounds memory. A malicious user could use this flaw leading to disclosure of sensitive information.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3947"
},
{
"id": "CVE-2021-4145",
"summary": "A NULL pointer dereference issue was found in the block mirror layer of QEMU in versions prior to 6.2.0. The `self` pointer is dereferenced in mirror_wait_on_conflicts() without ensuring that it's not NULL. A malicious unprivileged user within the guest could use this flaw to crash the QEMU process on the host when writing data reaches the threshold of mirroring node.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4145"
},
{
"id": "CVE-2021-4158",
"summary": "A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.",
"scorev2": "0.0",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4158"
},
{
"id": "CVE-2021-4206",
"summary": "A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.",
"scorev2": "4.6",
"scorev3": "8.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4206"
},
{
"id": "CVE-2021-4207",
"summary": "A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.",
"scorev2": "4.6",
"scorev3": "8.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4207"
},
{
"id": "CVE-2022-0216",
"summary": "A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0216"
},
{
"id": "CVE-2022-0358",
"summary": "A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0358"
},
{
"id": "CVE-2022-1050",
"summary": "A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.",
"scorev2": "4.6",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1050"
},
{
"id": "CVE-2022-26353",
"summary": "A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26353"
},
{
"id": "CVE-2022-26354",
"summary": "A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.",
"scorev2": "2.1",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26354"
},
{
"id": "CVE-2022-2962",
"summary": "A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2962"
},
{
"id": "CVE-2022-3165",
"summary": "An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3165"
},
{
"id": "CVE-2022-35414",
"summary": "softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash. NOTE: a third party states that the Non-virtualization Use Case in the qemu.org reference applies here, i.e., \"Bugs affecting the non-virtualization use case are not considered security bugs at this time.",
"scorev2": "6.1",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35414"
},
{
"id": "CVE-2022-36648",
"summary": "The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host via execute a malformed program in the guest OS. Note: This has been disputed by multiple third parties as not a valid vulnerability due to the rocker device not falling within the virtualization use case.",
"scorev2": "0.0",
"scorev3": "10.0",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-36648"
},
{
"id": "CVE-2022-3872",
"summary": "An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.",
"scorev2": "0.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3872"
},
{
"id": "CVE-2022-4144",
"summary": "An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4144"
},
{
"id": "CVE-2022-4172",
"summary": "An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4172"
},
{
"id": "CVE-2023-0330",
"summary": "A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.",
"scorev2": "0.0",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0330"
},
{
"id": "CVE-2023-0664",
"summary": "A flaw was found in the QEMU Guest Agent service for Windows. A local unprivileged user may be able to manipulate the QEMU Guest Agent's Windows installer via repair custom actions to elevate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0664",
"detail": "not-applicable-platform",
"description": "Issue only applies on Windows"
},
{
"id": "CVE-2023-1386",
"summary": "A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1386"
},
{
"id": "CVE-2023-1544",
"summary": "A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.",
"scorev2": "0.0",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1544"
},
{
"id": "CVE-2023-2680",
"summary": "This CVE exists because of an incomplete fix for CVE-2021-3750. More specifically, the qemu-kvm package as released for Red Hat Enterprise Linux 9.1 via RHSA-2022:7967 included a version of qemu-kvm that was actually missing the fix for CVE-2021-3750.",
"scorev2": "0.0",
"scorev3": "8.2",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2680",
"detail": "not-applicable-platform",
"description": "RHEL specific issue."
},
{
"id": "CVE-2023-2861",
"summary": "A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2861"
},
{
"id": "CVE-2023-3019",
"summary": "A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3019",
"detail": "cpe-incorrect",
"description": "Applies only against versions before 8.2.0"
},
{
"id": "CVE-2023-3180",
"summary": "A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3180"
},
{
"id": "CVE-2023-3255",
"summary": "A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3255"
},
{
"id": "CVE-2023-3301",
"summary": "A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service.",
"scorev2": "0.0",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3301"
},
{
"id": "CVE-2023-3354",
"summary": "A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3354"
},
{
"id": "CVE-2023-40360",
"summary": "QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive in hw/nvme/ctrl.c because there is no check for whether an endurance group is configured before checking whether Flexible Data Placement is enabled.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-40360"
},
{
"id": "CVE-2023-4135",
"summary": "A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does not validate an offset provided by the guest before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4135"
},
{
"id": "CVE-2023-42467",
"summary": "QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-42467"
},
{
"id": "CVE-2023-5088",
"summary": "A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5088",
"detail": "cpe-incorrect",
"description": "Applies only against version 8.2.0 and earlier"
},
{
"id": "CVE-2023-6683",
"summary": "A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6683"
},
{
"id": "CVE-2023-6693",
"summary": "A stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6693",
"detail": "cpe-incorrect",
"description": "Applies only against version 8.2.0 and earlier"
},
{
"id": "CVE-2024-3567",
"summary": "A flaw was found in QEMU. An assertion failure was present in the update_sctp_checksum() function in hw/net/net_tx_pkt.c when trying to calculate the checksum of a short-sized fragmented packet. This flaw allows a malicious guest to crash QEMU and cause a denial of service condition.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-3567"
},
{
"id": "CVE-2024-6505",
"summary": "A flaw was found in the virtio-net device in QEMU. When enabling the RSS feature on the virtio-net network card, the indirections_table data within RSS becomes controllable. Setting excessively large values may cause an index out-of-bounds issue, potentially resulting in heap overflow access. This flaw allows a privileged user in the guest to crash the QEMU process on the host.",
"scorev2": "0.0",
"scorev3": "6.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-6505"
}
]
},
{
"name": "nativesdk-qemu-helper",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "qemu-helper",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-qemuwrapper-cross",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "qemuwrapper",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-qtbase",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtbase",
"cvesInRecord": "Yes"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2019-18281",
"summary": "An out-of-bounds memory access in the generateDirectionalRuns() function in qtextengine.cpp in Qt qtbase 5.11.x and 5.12.x before 5.12.5 allows attackers to cause a denial of service by crashing an application via a text file containing many directional characters.",
"scorev2": "4.3",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18281"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "nativesdk-qtdeclarative",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtdeclarative",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "nativesdk-qttools",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qttools",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "nativesdk-qtwayland",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtwayland",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "nativesdk-qtxmlpatterns",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtxmlpatterns",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "nativesdk-re2",
"layer": "meta-oe",
"version": "2024.03.01",
"products": [
{
"product": "re2",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-readline",
"layer": "meta",
"version": "8.2",
"products": [
{
"product": "readline",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2014-2524",
"summary": "The _rl_tropen function in util.c in GNU readline before 6.3 patch 3 allows local users to create or overwrite arbitrary files via a symlink attack on a /var/tmp/rltrace.[PID] file.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2524"
}
]
},
{
"name": "nativesdk-rpm",
"layer": "meta",
"version": "1_4.19.1.1",
"products": [
{
"product": "rpm",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2005-4889",
"summary": "lib/fsm.c in RPM before 4.4.3 does not properly reset the metadata of an executable file during deletion of the file in an RPM package removal, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file, a related issue to CVE-2010-2059.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4889"
},
{
"id": "CVE-2010-2059",
"summary": "lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and RPM before 4.4.3, does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2059"
},
{
"id": "CVE-2010-2197",
"summary": "rpmbuild in RPM 4.8.0 and earlier does not properly parse the syntax of spec files, which allows user-assisted remote attackers to remove home directories via vectors involving a ;~ (semicolon tilde) sequence in a Name tag.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2197"
},
{
"id": "CVE-2010-2198",
"summary": "lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to gain privileges or bypass intended access restrictions by creating a hard link to a vulnerable file that has (1) POSIX file capabilities or (2) SELinux context information, a related issue to CVE-2010-2059.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2198"
},
{
"id": "CVE-2010-2199",
"summary": "lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to bypass intended access restrictions by creating a hard link to a vulnerable file that has a POSIX ACL, a related issue to CVE-2010-2059.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2199"
},
{
"id": "CVE-2011-3378",
"summary": "RPM 4.4.x through 4.9.x, probably before 4.9.1.2, allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via an rpm package with crafted headers and offsets that are not properly handled when a package is queried or installed, related to (1) the regionSwab function, (2) the headerLoad function, and (3) multiple functions in rpmio/rpmpgp.c.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3378"
},
{
"id": "CVE-2012-0060",
"summary": "RPM before 4.9.1.3 does not properly validate region tags, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an invalid region tag in a package header to the (1) headerLoad, (2) rpmReadSignature, or (3) headerVerify function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0060"
},
{
"id": "CVE-2012-0061",
"summary": "The headerLoad function in lib/header.c in RPM before 4.9.1.3 does not properly validate region tags, which allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large region size in a package header.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0061"
},
{
"id": "CVE-2012-0815",
"summary": "The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range comparison.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0815"
},
{
"id": "CVE-2012-6088",
"summary": "The rpmpkgRead function in lib/package.c in RPM 4.10.x before 4.10.2 does not return an error code in certain situations involving an \"unparseable signature,\" which allows remote attackers to bypass RPM signature checks via a crafted package.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6088"
},
{
"id": "CVE-2013-6435",
"summary": "Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6435"
},
{
"id": "CVE-2014-8118",
"summary": "Integer overflow in RPM 4.12 and earlier allows remote attackers to execute arbitrary code via a crafted CPIO header in the payload section of an RPM file, which triggers a stack-based buffer overflow.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8118"
},
{
"id": "CVE-2017-7500",
"summary": "It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7500"
},
{
"id": "CVE-2017-7501",
"summary": "It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7501"
},
{
"id": "CVE-2021-20266",
"summary": "A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.",
"scorev2": "4.0",
"scorev3": "4.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20266"
},
{
"id": "CVE-2021-20271",
"summary": "A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.",
"scorev2": "5.1",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20271"
},
{
"id": "CVE-2021-3421",
"summary": "A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3421"
},
{
"id": "CVE-2021-3521",
"summary": "There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a \"binding signature.\" RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3521"
},
{
"id": "CVE-2021-35937",
"summary": "A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "0.0",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-35937"
},
{
"id": "CVE-2021-35938",
"summary": "A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-35938"
},
{
"id": "CVE-2021-35939",
"summary": "It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-35939"
}
]
},
{
"name": "nativesdk-sdk-provides-dummy",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "sdk-provides-dummy",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-shadow",
"layer": "meta",
"version": "4.14.2",
"products": [
{
"product": "shadow",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-1001",
"summary": "Unknown vulnerability in the passwd_check function in Shadow 4.0.4.1, and possibly other versions before 4.0.5, allows local users to conduct unauthorized activities when an error from a pam_chauthtok function call is not properly handled.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1001"
},
{
"id": "CVE-2005-4890",
"summary": "There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via \"su - user -c program\". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4890"
},
{
"id": "CVE-2006-1174",
"summary": "useradd in shadow-utils before 4.0.3, and possibly other versions before 4.0.8, does not provide a required argument to the open function when creating a new user mailbox, which causes the mailbox to be created with unpredictable permissions and possibly allows attackers to read or modify the mailbox.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1174"
},
{
"id": "CVE-2006-1844",
"summary": "The Debian installer for the (1) shadow 4.0.14 and (2) base-config 2.53.10 packages includes sensitive information in world-readable log files, including preseeded passwords and pppoeconf passwords, which might allow local users to gain privileges.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1844"
},
{
"id": "CVE-2008-5394",
"summary": "/bin/login in shadow 4.0.18.1 in Debian GNU/Linux, and probably other Linux distributions, allows local users in the utmp group to overwrite arbitrary files via a symlink attack on a temporary file referenced in a line (aka ut_line) field in a utmp entry.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5394"
},
{
"id": "CVE-2011-0721",
"summary": "Multiple CRLF injection vulnerabilities in (1) chfn and (2) chsh in shadow 1:4.1.4 allow local users to add new users or groups to /etc/passwd via the GECOS field.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0721"
},
{
"id": "CVE-2013-4235",
"summary": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees",
"scorev2": "3.3",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4235",
"detail": "upstream-wontfix",
"description": "Severity is low and marked as closed and won't fix."
},
{
"id": "CVE-2016-6252",
"summary": "Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6252"
},
{
"id": "CVE-2017-12424",
"summary": "In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12424"
},
{
"id": "CVE-2017-20002",
"summary": "The Debian shadow package before 1:4.5-1 for Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty. This allows local users to login as password-less users even if they are connected by non-physical means such as SSH (hence bypassing PAM's nullok_secure configuration). This notably affects environments such as virtual machines automatically generated with a default blank root password, allowing all local users to escalate privileges.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-20002"
},
{
"id": "CVE-2018-16588",
"summary": "Privilege escalation can occur in the SUSE useradd.c code in useradd, as distributed in the SUSE shadow package through 4.2.1-27.9.1 for SUSE Linux Enterprise 12 (SLE-12) and through 4.5-5.39 for SUSE Linux Enterprise 15 (SLE-15). Non-existing intermediate directories are created with mode 0777 during user creation. Given that they are world-writable, local attackers might use this for privilege escalation and other unspecified attacks. NOTE: this would affect non-SUSE users who took useradd.c code from a 2014-04-02 upstream pull request; however, no non-SUSE distribution is known to be affected.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16588"
},
{
"id": "CVE-2018-7169",
"summary": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7169"
},
{
"id": "CVE-2019-16110",
"summary": "The network protocol of Blade Shadow though 2.13.3 allows remote attackers to take control of a Shadow instance and execute arbitrary code by only knowing the victim's IP address, because packet data can be injected into the unencrypted UDP packet stream.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16110"
},
{
"id": "CVE-2019-19882",
"summary": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19882"
},
{
"id": "CVE-2023-29383",
"summary": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account.",
"scorev2": "0.0",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29383"
}
]
},
{
"name": "nativesdk-shared-mime-info",
"layer": "meta",
"version": "2.4",
"products": [
{
"product": "shared-mime-info",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-sqlite3",
"layer": "meta",
"version": "3_3.45.1",
"products": [
{
"product": "sqlite",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2008-6589",
"summary": "Multiple cross-site scripting (XSS) vulnerabilities in LightNEasy \"no database\" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) index.php and (2) LightNEasy.php.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-6589"
},
{
"id": "CVE-2008-6590",
"summary": "Multiple directory traversal vulnerabilities in LightNEasy \"no database\" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allow remote attackers to read arbitrary files via a .. (dot dot) in the page parameter to (1) index.php and (2) LightNEasy.php.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-6590"
},
{
"id": "CVE-2008-6592",
"summary": "thumbsup.php in Thumbs-Up 1.12, as used in LightNEasy \"no database\" (aka flat) and SQLite 1.2.2 and earlier, allows remote attackers to copy, rename, and read arbitrary files via directory traversal sequences in the image parameter with a modified cache_dir parameter containing a %00 (encoded null byte).",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-6592"
},
{
"id": "CVE-2008-6593",
"summary": "SQL injection vulnerability in LightNEasy/lightneasy.php in LightNEasy SQLite 1.2.2 and earlier allows remote attackers to inject arbitrary PHP code into comments.dat via the dlid parameter to index.php.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-6593"
},
{
"id": "CVE-2013-7443",
"summary": "Buffer overflow in the skip-scan optimization in SQLite 3.8.2 allows remote attackers to cause a denial of service (crash) via crafted SQL statements.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7443"
},
{
"id": "CVE-2015-3414",
"summary": "SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE\"\"\"\"\"\"\"\" at the end of a SELECT statement.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3414"
},
{
"id": "CVE-2015-3415",
"summary": "The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3415"
},
{
"id": "CVE-2015-3416",
"summary": "The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3416"
},
{
"id": "CVE-2015-3717",
"summary": "Multiple buffer overflows in the printf functionality in SQLite, as used in Apple iOS before 8.4 and OS X before 10.10.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3717"
},
{
"id": "CVE-2015-5895",
"summary": "Multiple unspecified vulnerabilities in SQLite before 3.8.10.2, as used in Apple iOS before 9, have unknown impact and attack vectors.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5895"
},
{
"id": "CVE-2015-6607",
"summary": "SQLite before 3.8.9, as used in Android before 5.1.1 LMY48T, allows attackers to gain privileges via a crafted application, aka internal bug 20099586.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6607"
},
{
"id": "CVE-2016-6153",
"summary": "os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.",
"scorev2": "4.6",
"scorev3": "5.9",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6153"
},
{
"id": "CVE-2017-10989",
"summary": "The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10989"
},
{
"id": "CVE-2017-13685",
"summary": "The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13685"
},
{
"id": "CVE-2017-15286",
"summary": "SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in shell.c because it fails to consider certain cases where `sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never initialized.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15286"
},
{
"id": "CVE-2018-20346",
"summary": "SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20346"
},
{
"id": "CVE-2018-20505",
"summary": "SQLite 3.25.2, when queries are run on a table with a malformed PRIMARY KEY, allows remote attackers to cause a denial of service (application crash) by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20505"
},
{
"id": "CVE-2018-20506",
"summary": "SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a \"merge\" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20506"
},
{
"id": "CVE-2018-8740",
"summary": "In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8740"
},
{
"id": "CVE-2019-16168",
"summary": "In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16168"
},
{
"id": "CVE-2019-19242",
"summary": "SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19242"
},
{
"id": "CVE-2019-19244",
"summary": "sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19244"
},
{
"id": "CVE-2019-19317",
"summary": "lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service or possibly have unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19317"
},
{
"id": "CVE-2019-19603",
"summary": "SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19603"
},
{
"id": "CVE-2019-19645",
"summary": "alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19645"
},
{
"id": "CVE-2019-19646",
"summary": "pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19646"
},
{
"id": "CVE-2019-19880",
"summary": "exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19880"
},
{
"id": "CVE-2019-19923",
"summary": "flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19923"
},
{
"id": "CVE-2019-19924",
"summary": "SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19924"
},
{
"id": "CVE-2019-19925",
"summary": "zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19925"
},
{
"id": "CVE-2019-19926",
"summary": "multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19926"
},
{
"id": "CVE-2019-19959",
"summary": "ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19959"
},
{
"id": "CVE-2019-20218",
"summary": "selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20218"
},
{
"id": "CVE-2019-5018",
"summary": "An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5018"
},
{
"id": "CVE-2019-8457",
"summary": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8457"
},
{
"id": "CVE-2019-9936",
"summary": "In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9936"
},
{
"id": "CVE-2019-9937",
"summary": "In SQLite 3.27.2, interleaving reads and writes in a single transaction with an fts5 virtual table will lead to a NULL Pointer Dereference in fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and ext/fts5/fts5_index.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9937"
},
{
"id": "CVE-2020-11655",
"summary": "SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11655"
},
{
"id": "CVE-2020-11656",
"summary": "In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11656"
},
{
"id": "CVE-2020-13434",
"summary": "SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13434"
},
{
"id": "CVE-2020-13435",
"summary": "SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13435"
},
{
"id": "CVE-2020-13630",
"summary": "ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13630"
},
{
"id": "CVE-2020-13631",
"summary": "SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13631"
},
{
"id": "CVE-2020-13632",
"summary": "ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13632"
},
{
"id": "CVE-2020-13871",
"summary": "SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13871"
},
{
"id": "CVE-2020-15358",
"summary": "In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15358"
},
{
"id": "CVE-2020-35525",
"summary": "In SQlite 3.31.1, a potential null pointer derreference was found in the INTERSEC query processing.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35525"
},
{
"id": "CVE-2020-35527",
"summary": "In SQLite 3.31.1, there is an out of bounds access problem through ALTER TABLE for views that have a nested FROM clause.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35527"
},
{
"id": "CVE-2020-9327",
"summary": "In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-9327"
},
{
"id": "CVE-2021-20227",
"summary": "A flaw was found in SQLite's SELECT query functionality (src/select.c). This flaw allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. The highest threat from this vulnerability is to system availability.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20227"
},
{
"id": "CVE-2021-31239",
"summary": "An issue found in SQLite SQLite3 v.3.35.4 that allows a remote attacker to cause a denial of service via the appendvfs.c function.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-31239"
},
{
"id": "CVE-2021-36690",
"summary": "A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is intentionally allowed to execute commands). This report does NOT imply any problem in the SQLite library.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-36690"
},
{
"id": "CVE-2021-45346",
"summary": "A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.",
"scorev2": "4.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45346"
},
{
"id": "CVE-2022-35737",
"summary": "SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35737"
},
{
"id": "CVE-2022-46908",
"summary": "SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.",
"scorev2": "0.0",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-46908"
},
{
"id": "CVE-2023-7104",
"summary": "A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.",
"scorev2": "5.2",
"scorev3": "7.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-7104"
},
{
"id": "CVE-2024-0232",
"summary": "A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a crash and leading to a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0232"
}
]
},
{
"name": "nativesdk-unfs3",
"layer": "meta",
"version": "0.10.0",
"products": [
{
"product": "unfs3",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-unzip",
"layer": "meta",
"version": "1_6.0",
"products": [
{
"product": "unzip",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2001-1268",
"summary": "Directory traversal vulnerability in Info-ZIP UnZip 5.42 and earlier allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1268"
},
{
"id": "CVE-2001-1269",
"summary": "Info-ZIP UnZip 5.42 and earlier allows attackers to overwrite arbitrary files during archive extraction via filenames in the archive that begin with the '/' (slash) character.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1269"
},
{
"id": "CVE-2003-0282",
"summary": "Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a \"..\" sequence.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0282"
},
{
"id": "CVE-2005-0602",
"summary": "Unzip 5.51 and earlier does not properly warn the user when extracting setuid or setgid files, which may allow local users to gain privileges.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0602"
},
{
"id": "CVE-2005-2475",
"summary": "Race condition in Unzip 5.52 allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by Unzip after the decompression is complete.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2475"
},
{
"id": "CVE-2005-4667",
"summary": "Buffer overflow in UnZip 5.50 and earlier allows user-assisted attackers to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4667"
},
{
"id": "CVE-2008-0888",
"summary": "The NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0888",
"detail": "fixed-version",
"description": "Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source"
},
{
"id": "CVE-2014-8139",
"summary": "Heap-based buffer overflow in the CRC32 verification in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8139"
},
{
"id": "CVE-2014-8140",
"summary": "Heap-based buffer overflow in the test_compr_eb function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8140"
},
{
"id": "CVE-2014-8141",
"summary": "Heap-based buffer overflow in the getZip64Data function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8141"
},
{
"id": "CVE-2014-9636",
"summary": "unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9636"
},
{
"id": "CVE-2014-9913",
"summary": "Buffer overflow in the list_files function in list.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via vectors related to the compression method.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9913"
},
{
"id": "CVE-2015-1315",
"summary": "Buffer overflow in the charset_to_intern function in unix/unix.c in Info-Zip UnZip 6.10b allows remote attackers to execute arbitrary code via a crafted string, as demonstrated by converting a string from CP866 to UTF-8.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1315"
},
{
"id": "CVE-2015-7696",
"summary": "Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly execute arbitrary code via a crafted password-protected ZIP archive, possibly related to an Extra-Field size value.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7696"
},
{
"id": "CVE-2015-7697",
"summary": "Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (infinite loop) via empty bzip2 data in a ZIP archive.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7697"
},
{
"id": "CVE-2016-9844",
"summary": "Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9844"
},
{
"id": "CVE-2018-1000031",
"summary": "A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service or to possibly achieve code execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000031"
},
{
"id": "CVE-2018-1000032",
"summary": "A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service or to possibly achieve code execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000032"
},
{
"id": "CVE-2018-1000033",
"summary": "An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service and read sensitive memory.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000033"
},
{
"id": "CVE-2018-1000034",
"summary": "An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service and read sensitive memory.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000034"
},
{
"id": "CVE-2018-1000035",
"summary": "A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000035"
},
{
"id": "CVE-2018-18384",
"summary": "Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value, because a buffer size is 10 and is supposed to be 12.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18384"
},
{
"id": "CVE-2019-13232",
"summary": "Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a \"better zip bomb\" issue.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13232"
},
{
"id": "CVE-2020-36561",
"summary": "Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.",
"scorev2": "0.0",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36561"
},
{
"id": "CVE-2021-4217",
"summary": "A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.",
"scorev2": "0.0",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4217"
},
{
"id": "CVE-2022-0529",
"summary": "A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0529"
},
{
"id": "CVE-2022-0530",
"summary": "A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0530"
}
]
},
{
"name": "nativesdk-util-linux",
"layer": "meta",
"version": "2.39.3",
"products": [
{
"product": "util-linux",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2001-1147",
"summary": "The PAM implementation in /bin/login of the util-linux package before 2.11 causes a password entry to be rewritten across multiple PAM calls, which could provide the credentials of one user to a different user, when used in certain PAM modules such as pam_limits.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1147"
},
{
"id": "CVE-2001-1175",
"summary": "vipw in the util-linux package before 2.10 causes /etc/shadow to be world-readable in some cases, which would make it easier for local users to perform brute force password guessing.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1175"
},
{
"id": "CVE-2001-1494",
"summary": "script command in the util-linux package before 2.11n allows local users to overwrite arbitrary files by setting a hardlink from the typescript log file to any file on the system, then having root execute the script command.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1494"
},
{
"id": "CVE-2003-0094",
"summary": "A patch for mcookie in the util-linux package for Mandrake Linux 8.2 and 9.0 uses /dev/urandom instead of /dev/random, which causes mcookie to use an entropy source that is more predictable than expected, which may make it easier for certain types of attacks to succeed.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0094"
},
{
"id": "CVE-2004-0080",
"summary": "The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0080"
},
{
"id": "CVE-2005-2876",
"summary": "umount in util-linux 2.8 to 2.12q, 2.13-pre1, and 2.13-pre2, and other packages such as loop-aes-utils, allows local users with unmount permissions to gain privileges via the -r (remount) option, which causes the file system to be remounted with just the read-only flag, which effectively clears the nosuid, nodev, and other flags.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2876"
},
{
"id": "CVE-2006-7108",
"summary": "login in util-linux-2.12a skips pam_acct_mgmt and chauth_tok when authentication is skipped, such as when a Kerberos krlogin session has been established, which might allow users to bypass intended access policies that would be enforced by pam_acct_mgmt and chauth_tok.",
"scorev2": "4.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7108"
},
{
"id": "CVE-2007-5191",
"summary": "mount and umount in util-linux and loop-aes-utils call the setuid and setgid functions in the wrong order and do not check the return values, which might allow attackers to gain privileges via helpers such as mount.nfs.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5191"
},
{
"id": "CVE-2008-1926",
"summary": "Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an \"addr=\" statement to the login name, aka \"audit log injection.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1926"
},
{
"id": "CVE-2011-1675",
"summary": "mount in util-linux 2.19 and earlier attempts to append to the /etc/mtab.tmp file without first checking whether resource limits would interfere, which allows local users to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value, a related issue to CVE-2011-1089.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1675"
},
{
"id": "CVE-2011-1676",
"summary": "mount in util-linux 2.19 and earlier does not remove the /etc/mtab.tmp file after a failed attempt to add a mount entry, which allows local users to trigger corruption of the /etc/mtab file via multiple invocations.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1676"
},
{
"id": "CVE-2011-1677",
"summary": "mount in util-linux 2.19 and earlier does not remove the /etc/mtab~ lock file after a failed attempt to add a mount entry, which has unspecified impact and local attack vectors.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1677"
},
{
"id": "CVE-2013-0157",
"summary": "(a) mount and (b) umount in util-linux 2.14.1, 2.17.2, and probably other versions allow local users to determine the existence of restricted directories by (1) using the --guess-fstype command-line option or (2) attempting to mount a non-existent device, which generates different error messages depending on whether the directory exists.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0157"
},
{
"id": "CVE-2014-9114",
"summary": "Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9114"
},
{
"id": "CVE-2015-5218",
"summary": "Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5218"
},
{
"id": "CVE-2015-5224",
"summary": "The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5224"
},
{
"id": "CVE-2016-2779",
"summary": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2779"
},
{
"id": "CVE-2016-5011",
"summary": "The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5011"
},
{
"id": "CVE-2017-2616",
"summary": "A race condition was found in util-linux before 2.32.1 in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2616"
},
{
"id": "CVE-2018-7738",
"summary": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7738"
},
{
"id": "CVE-2020-21583",
"summary": "An issue was discovered in hwclock.13-v2.27 allows attackers to gain escalated privlidges or execute arbitrary commands via the path parameter when setting the date.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-21583"
},
{
"id": "CVE-2021-37600",
"summary": "An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments.",
"scorev2": "1.2",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37600"
},
{
"id": "CVE-2021-3995",
"summary": "A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows an unprivileged local attacker to unmount FUSE filesystems that belong to certain other users who have a UID that is a prefix of the UID of the attacker in its string form. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3995"
},
{
"id": "CVE-2021-3996",
"summary": "A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users' filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3996"
},
{
"id": "CVE-2022-0563",
"summary": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0563"
}
]
},
{
"name": "nativesdk-util-linux-libuuid",
"layer": "meta",
"version": "2.39.3",
"products": [
{
"product": "util-linux-libuuid",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-util-macros",
"layer": "meta",
"version": "1_1.20.0",
"products": [
{
"product": "util-macros",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-virglrenderer",
"layer": "meta",
"version": "1.0.1",
"products": [
{
"product": "virglrenderer",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2016-10163",
"summary": "Memory leak in the vrend_renderer_context_create_internal function in vrend_decode.c in virglrenderer before 0.6.0 allows local guest OS users to cause a denial of service (host memory consumption) by repeatedly creating a decode context.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10163"
},
{
"id": "CVE-2016-10214",
"summary": "Memory leak in the virgl_resource_attach_backing function in virglrenderer before 0.6.0 allows local guest OS users to cause a denial of service (memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10214"
},
{
"id": "CVE-2017-5580",
"summary": "The parse_instruction function in gallium/auxiliary/tgsi/tgsi_text.c in virglrenderer before 0.6.0 allows local guest OS users to cause a denial of service (out-of-bounds array access and process crash) via a crafted texture instruction.",
"scorev2": "2.1",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5580"
},
{
"id": "CVE-2017-5937",
"summary": "The util_format_is_pure_uint function in vrend_renderer.c in Virgil 3d project (aka virglrenderer) 0.6.0 and earlier allows local guest OS users to cause a denial of service (NULL pointer dereference) via a crafted VIRGL_CCMD_CLEAR command.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5937"
},
{
"id": "CVE-2017-5956",
"summary": "The vrend_draw_vbo function in virglrenderer before 0.6.0 allows local guest OS users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors involving vertext_buffer_index.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5956"
},
{
"id": "CVE-2017-5957",
"summary": "Stack-based buffer overflow in the vrend_decode_set_framebuffer_state function in vrend_decode.c in virglrenderer before 926b9b3460a48f6454d8bbe9e44313d86a65447f, as used in Quick Emulator (QEMU), allows a local guest users to cause a denial of service (application crash) via the \"nr_cbufs\" argument.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5957"
},
{
"id": "CVE-2017-5993",
"summary": "Memory leak in the vrend_renderer_init_blit_ctx function in vrend_blitter.c in virglrenderer before 0.6.0 allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRGL_CCMD_BLIT commands.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5993"
},
{
"id": "CVE-2017-5994",
"summary": "Heap-based buffer overflow in the vrend_create_vertex_elements_state function in vrend_renderer.c in virglrenderer before 0.6.0 allows local guest OS users to cause a denial of service (out-of-bounds array access and crash) via the num_elements parameter.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5994"
},
{
"id": "CVE-2017-6209",
"summary": "Stack-based buffer overflow in the parse_identifier function in tgsi_text.c in the TGSI auxiliary module in the Gallium driver in virglrenderer before 0.6.0 allows local guest OS users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to parsing properties.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6209"
},
{
"id": "CVE-2017-6210",
"summary": "The vrend_decode_reset function in vrend_decode.c in virglrenderer before 0.6.0 allows local guest OS users to cause a denial of service (NULL pointer dereference and QEMU process crash) by destroying context 0 (zero).",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6210"
},
{
"id": "CVE-2017-6317",
"summary": "Memory leak in the add_shader_program function in vrend_renderer.c in virglrenderer before 0.6.0 allows local guest OS users to cause a denial of service (host memory consumption) via vectors involving the sprog variable.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6317"
},
{
"id": "CVE-2017-6355",
"summary": "Integer overflow in the vrend_create_shader function in vrend_renderer.c in virglrenderer before 0.6.0 allows local guest OS users to cause a denial of service (process crash) via crafted pkt_length and offlen values, which trigger an out-of-bounds access.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6355"
},
{
"id": "CVE-2017-6386",
"summary": "Memory leak in the vrend_create_vertex_elements_state function in vrend_renderer.c in virglrenderer allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRGL_OBJECT_VERTEX_ELEMENTS commands.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6386"
},
{
"id": "CVE-2019-18388",
"summary": "A NULL pointer dereference in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service via malformed commands.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18388"
},
{
"id": "CVE-2019-18389",
"summary": "A heap-based buffer overflow in the vrend_renderer_transfer_write_iov function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service, or QEMU guest-to-host escape and code execution, via VIRGL_CCMD_RESOURCE_INLINE_WRITE commands.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18389"
},
{
"id": "CVE-2019-18390",
"summary": "An out-of-bounds read in the vrend_blit_need_swizzle function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service via VIRGL_CCMD_BLIT commands.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18390"
},
{
"id": "CVE-2019-18391",
"summary": "A heap-based buffer overflow in the vrend_renderer_transfer_write_iov function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service via VIRGL_CCMD_RESOURCE_INLINE_WRITE commands.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18391"
},
{
"id": "CVE-2020-8002",
"summary": "A NULL pointer dereference in vrend_renderer.c in virglrenderer through 0.8.1 allows attackers to cause a denial of service via commands that attempt to launch a grid without previously providing a Compute Shader (CS).",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8002"
},
{
"id": "CVE-2020-8003",
"summary": "A double-free vulnerability in vrend_renderer.c in virglrenderer through 0.8.1 allows attackers to cause a denial of service by triggering texture allocation failure, because vrend_renderer_resource_allocated_texture is not an appropriate place for a free.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8003"
},
{
"id": "CVE-2022-0135",
"summary": "An out-of-bounds write issue was found in the VirGL virtual OpenGL renderer (virglrenderer). This flaw allows a malicious guest to create a specially crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl, leading to a denial of service or possible code execution.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0135"
},
{
"id": "CVE-2022-0175",
"summary": "A flaw was found in the VirGL virtual OpenGL renderer (virglrenderer). The virgl did not properly initialize memory when allocating a host-backed memory resource. A malicious guest could use this flaw to mmap from the guest kernel and read this uninitialized memory from the host, possibly leading to information disclosure.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0175"
}
]
},
{
"name": "nativesdk-wayland",
"layer": "meta",
"version": "1.22.0",
"products": [
{
"product": "wayland",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2021-3782",
"summary": "An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time.",
"scorev2": "0.0",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3782"
}
]
},
{
"name": "nativesdk-wayland-protocols",
"layer": "meta",
"version": "1.33",
"products": [
{
"product": "wayland-protocols",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-xcb-proto",
"layer": "meta",
"version": "1.16.0",
"products": [
{
"product": "xcb-proto",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-xorgproto",
"layer": "meta",
"version": "2023.2",
"products": [
{
"product": "xorgproto",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-xrandr",
"layer": "meta",
"version": "1_1.5.2",
"products": [
{
"product": "xrandr",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-xtrans",
"layer": "meta",
"version": "1_1.5.0",
"products": [
{
"product": "xtrans",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nativesdk-xz",
"layer": "meta",
"version": "5.4.6",
"products": [
{
"product": "xz",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-4035",
"summary": "scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4035"
},
{
"id": "CVE-2020-22916",
"summary": "An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of \"endless output\" and \"denial of service\" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-22916"
},
{
"id": "CVE-2021-29482",
"summary": "xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29482"
},
{
"id": "CVE-2024-3094",
"summary": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. \r\nThrough a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.",
"scorev2": "0.0",
"scorev3": "10.0",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-3094"
}
]
},
{
"name": "nativesdk-zlib",
"layer": "meta",
"version": "1.3.1",
"products": [
{
"product": "zlib",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2002-0059",
"summary": "The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \"double free\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0059"
},
{
"id": "CVE-2003-0107",
"summary": "Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0107"
},
{
"id": "CVE-2004-0797",
"summary": "The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash).",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0797"
},
{
"id": "CVE-2005-1849",
"summary": "inftrees.h in zlib 1.2.2 allows remote attackers to cause a denial of service (application crash) via an invalid file that causes a large dynamic tree to be produced.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1849"
},
{
"id": "CVE-2005-2096",
"summary": "zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2096"
},
{
"id": "CVE-2016-9840",
"summary": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9840"
},
{
"id": "CVE-2016-9841",
"summary": "inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9841"
},
{
"id": "CVE-2016-9842",
"summary": "The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9842"
},
{
"id": "CVE-2016-9843",
"summary": "The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9843"
},
{
"id": "CVE-2018-25032",
"summary": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032"
},
{
"id": "CVE-2022-37434",
"summary": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434"
},
{
"id": "CVE-2023-45853",
"summary": "MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-45853",
"detail": "not-applicable-config",
"description": "we don't build minizip"
},
{
"id": "CVE-2023-6992",
"summary": "Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). The issues resulted from improper input validation and heap-based buffer overflow.\nA local attacker could exploit the problem during compression using a crafted malicious file potentially leading to denial of service of the software.\nPatches: The issue has been patched in commit 8352d10 https://github.com/cloudflare/zlib/commit/8352d108c05db1bdc5ac3bdf834dad641694c13c . The upstream repository is not affected.\n",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6992",
"detail": "cpe-incorrect",
"description": "this CVE is for cloudflare zlib"
}
]
},
{
"name": "nativesdk-zstd",
"layer": "meta",
"version": "1.5.5",
"products": [
{
"product": "zstandard",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2019-11922",
"summary": "A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11922"
},
{
"id": "CVE-2021-24031",
"summary": "In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-24031"
},
{
"id": "CVE-2021-24032",
"summary": "Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-24032"
},
{
"id": "CVE-2022-4899",
"summary": "A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4899"
}
]
},
{
"name": "nbd",
"layer": "meta-networking",
"version": "3.24",
"products": [
{
"product": "nbd",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2005-3534",
"summary": "Buffer overflow in the Network Block Device (nbd) server 2.7.5 and earlier, and 2.8.0 through 2.8.2, allows remote attackers to execute arbitrary code via a large request, which is written past the end of the buffer because nbd does not account for memory taken by the reply header.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3534"
},
{
"id": "CVE-2011-0530",
"summary": "Buffer overflow in the mainloop function in nbd-server.c in the server in Network Block Device (nbd) before 2.9.20 might allow remote attackers to execute arbitrary code via a long request. NOTE: this issue exists because of a CVE-2005-3534 regression.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0530"
},
{
"id": "CVE-2011-1925",
"summary": "nbd-server.c in Network Block Device (nbd-server) 2.9.21 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by causing a negotiation failure, as demonstrated by specifying a name for a non-existent export.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1925"
},
{
"id": "CVE-2013-6410",
"summary": "nbd-server in Network Block Device (nbd) before 3.5 does not properly check IP addresses, which might allow remote attackers to bypass intended access restrictions via an IP address that has a partial match in the authfile configuration file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6410"
},
{
"id": "CVE-2013-7441",
"summary": "The modern style negotiation in Network Block Device (nbd-server) 2.9.22 through 3.3 allows remote attackers to cause a denial of service (root process termination) by (1) closing the connection during negotiation or (2) specifying a name for a non-existent export.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7441"
},
{
"id": "CVE-2015-0847",
"summary": "nbd-server.c in Network Block Device (nbd-server) before 3.11 does not properly handle signals, which allows remote attackers to cause a denial of service (deadlock) via unspecified vectors.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0847"
}
]
},
{
"name": "ncurses",
"layer": "meta",
"version": "6.4",
"products": [
{
"product": "ncurses",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2000-0963",
"summary": "Buffer overflow in ncurses library allows local users to execute arbitrary commands via long environmental information such as TERM or TERMINFO_DIRS.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0963"
},
{
"id": "CVE-2002-0062",
"summary": "Buffer overflow in ncurses 5.0, and the ncurses4 compatibility package as used in Red Hat Linux, allows local users to gain privileges, related to \"routines for moving the physical cursor and scrolling.\"",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0062"
},
{
"id": "CVE-2017-10684",
"summary": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10684"
},
{
"id": "CVE-2017-10685",
"summary": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10685"
},
{
"id": "CVE-2017-11112",
"summary": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11112"
},
{
"id": "CVE-2017-11113",
"summary": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11113"
},
{
"id": "CVE-2017-13728",
"summary": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13728"
},
{
"id": "CVE-2017-13729",
"summary": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13729"
},
{
"id": "CVE-2017-13730",
"summary": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13730"
},
{
"id": "CVE-2017-13731",
"summary": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13731"
},
{
"id": "CVE-2017-13732",
"summary": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13732"
},
{
"id": "CVE-2017-13733",
"summary": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13733"
},
{
"id": "CVE-2017-13734",
"summary": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13734"
},
{
"id": "CVE-2017-16879",
"summary": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16879"
},
{
"id": "CVE-2018-19211",
"summary": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19211"
},
{
"id": "CVE-2018-19217",
"summary": "In ncurses, possibly a 6.x version, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack. NOTE: the original report stated version 6.1, but the issue did not reproduce for that version according to the maintainer or a reliable third-party",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19217"
},
{
"id": "CVE-2019-15547",
"summary": "An issue was discovered in the ncurses crate through 5.99.0 for Rust. There are format string issues in printw functions because C format arguments are mishandled.",
"scorev2": "6.4",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15547"
},
{
"id": "CVE-2019-15548",
"summary": "An issue was discovered in the ncurses crate through 5.99.0 for Rust. There are instr and mvwinstr buffer overflows because interaction with C functions is mishandled.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15548"
},
{
"id": "CVE-2019-17594",
"summary": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"scorev2": "4.6",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17594"
},
{
"id": "CVE-2019-17595",
"summary": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"scorev2": "5.8",
"scorev3": "5.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17595"
},
{
"id": "CVE-2020-19185",
"summary": "Buffer Overflow vulnerability in one_one_mapping function in progs/dump_entry.c:1373 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19185"
},
{
"id": "CVE-2020-19186",
"summary": "Buffer Overflow vulnerability in _nc_find_entry function in tinfo/comp_hash.c:66 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19186"
},
{
"id": "CVE-2020-19187",
"summary": "Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1100 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19187"
},
{
"id": "CVE-2020-19188",
"summary": "Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1116 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19188"
},
{
"id": "CVE-2020-19189",
"summary": "Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19189"
},
{
"id": "CVE-2020-19190",
"summary": "Buffer Overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:70 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19190"
},
{
"id": "CVE-2021-39537",
"summary": "An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-39537"
},
{
"id": "CVE-2022-29458",
"summary": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.",
"scorev2": "5.8",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29458"
},
{
"id": "CVE-2023-29491",
"summary": "ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29491"
},
{
"id": "CVE-2023-45918",
"summary": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-45918"
},
{
"id": "CVE-2023-50495",
"summary": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495"
}
]
},
{
"name": "ncurses-native",
"layer": "meta",
"version": "6.4",
"products": [
{
"product": "ncurses",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2000-0963",
"summary": "Buffer overflow in ncurses library allows local users to execute arbitrary commands via long environmental information such as TERM or TERMINFO_DIRS.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0963"
},
{
"id": "CVE-2002-0062",
"summary": "Buffer overflow in ncurses 5.0, and the ncurses4 compatibility package as used in Red Hat Linux, allows local users to gain privileges, related to \"routines for moving the physical cursor and scrolling.\"",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0062"
},
{
"id": "CVE-2017-10684",
"summary": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10684"
},
{
"id": "CVE-2017-10685",
"summary": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10685"
},
{
"id": "CVE-2017-11112",
"summary": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11112"
},
{
"id": "CVE-2017-11113",
"summary": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11113"
},
{
"id": "CVE-2017-13728",
"summary": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13728"
},
{
"id": "CVE-2017-13729",
"summary": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13729"
},
{
"id": "CVE-2017-13730",
"summary": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13730"
},
{
"id": "CVE-2017-13731",
"summary": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13731"
},
{
"id": "CVE-2017-13732",
"summary": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13732"
},
{
"id": "CVE-2017-13733",
"summary": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13733"
},
{
"id": "CVE-2017-13734",
"summary": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13734"
},
{
"id": "CVE-2017-16879",
"summary": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16879"
},
{
"id": "CVE-2018-19211",
"summary": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19211"
},
{
"id": "CVE-2018-19217",
"summary": "In ncurses, possibly a 6.x version, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack. NOTE: the original report stated version 6.1, but the issue did not reproduce for that version according to the maintainer or a reliable third-party",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19217"
},
{
"id": "CVE-2019-15547",
"summary": "An issue was discovered in the ncurses crate through 5.99.0 for Rust. There are format string issues in printw functions because C format arguments are mishandled.",
"scorev2": "6.4",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15547"
},
{
"id": "CVE-2019-15548",
"summary": "An issue was discovered in the ncurses crate through 5.99.0 for Rust. There are instr and mvwinstr buffer overflows because interaction with C functions is mishandled.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15548"
},
{
"id": "CVE-2019-17594",
"summary": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"scorev2": "4.6",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17594"
},
{
"id": "CVE-2019-17595",
"summary": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
"scorev2": "5.8",
"scorev3": "5.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17595"
},
{
"id": "CVE-2020-19185",
"summary": "Buffer Overflow vulnerability in one_one_mapping function in progs/dump_entry.c:1373 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19185"
},
{
"id": "CVE-2020-19186",
"summary": "Buffer Overflow vulnerability in _nc_find_entry function in tinfo/comp_hash.c:66 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19186"
},
{
"id": "CVE-2020-19187",
"summary": "Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1100 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19187"
},
{
"id": "CVE-2020-19188",
"summary": "Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1116 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19188"
},
{
"id": "CVE-2020-19189",
"summary": "Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19189"
},
{
"id": "CVE-2020-19190",
"summary": "Buffer Overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:70 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19190"
},
{
"id": "CVE-2021-39537",
"summary": "An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-39537"
},
{
"id": "CVE-2022-29458",
"summary": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.",
"scorev2": "5.8",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29458"
},
{
"id": "CVE-2023-29491",
"summary": "ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29491"
},
{
"id": "CVE-2023-45918",
"summary": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-45918"
},
{
"id": "CVE-2023-50495",
"summary": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495"
}
]
},
{
"name": "ndctl",
"layer": "meta-oe",
"version": "v78",
"products": [
{
"product": "ndctl",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "ne10",
"layer": "meta-oe",
"version": "1.2.1+git",
"products": [
{
"product": "ne10",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "neard",
"layer": "meta",
"version": "0.19",
"products": [
{
"product": "neard",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "netbase",
"layer": "meta",
"version": "1_6.4",
"products": [
{
"product": "netbase",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nettle",
"layer": "meta",
"version": "3.9.1",
"products": [
{
"product": "nettle",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-8803",
"summary": "The ecc_256_modp function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8805.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8803"
},
{
"id": "CVE-2015-8804",
"summary": "x86_64/ecc-384-modp.asm in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-384 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8804"
},
{
"id": "CVE-2015-8805",
"summary": "The ecc_256_modq function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8803.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8805"
},
{
"id": "CVE-2016-6489",
"summary": "The RSA and DSA decryption code in Nettle makes it easier for attackers to discover private keys via a cache side channel attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6489"
},
{
"id": "CVE-2018-16869",
"summary": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
"scorev2": "3.3",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16869"
},
{
"id": "CVE-2021-20305",
"summary": "A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20305"
},
{
"id": "CVE-2021-3580",
"summary": "A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3580"
},
{
"id": "CVE-2023-36660",
"summary": "The OCB feature in libnettle in Nettle 3.9 before 3.9.1 allows memory corruption.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-36660"
}
]
},
{
"name": "nettle-native",
"layer": "meta",
"version": "3.9.1",
"products": [
{
"product": "nettle",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-8803",
"summary": "The ecc_256_modp function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8805.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8803"
},
{
"id": "CVE-2015-8804",
"summary": "x86_64/ecc-384-modp.asm in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-384 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8804"
},
{
"id": "CVE-2015-8805",
"summary": "The ecc_256_modq function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8803.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8805"
},
{
"id": "CVE-2016-6489",
"summary": "The RSA and DSA decryption code in Nettle makes it easier for attackers to discover private keys via a cache side channel attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6489"
},
{
"id": "CVE-2018-16869",
"summary": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
"scorev2": "3.3",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16869"
},
{
"id": "CVE-2021-20305",
"summary": "A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20305"
},
{
"id": "CVE-2021-3580",
"summary": "A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3580"
},
{
"id": "CVE-2023-36660",
"summary": "The OCB feature in libnettle in Nettle 3.9 before 3.9.1 allows memory corruption.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-36660"
}
]
},
{
"name": "nghttp2",
"layer": "meta",
"version": "1.61.0",
"products": [
{
"product": "nghttp2",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-8659",
"summary": "The idle stream handling in nghttp2 before 1.6.0 allows attackers to have unspecified impact via unknown vectors, aka a heap-use-after-free bug.",
"scorev2": "10.0",
"scorev3": "10.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8659"
},
{
"id": "CVE-2016-1544",
"summary": "nghttp2 before 1.7.1 allows remote attackers to cause a denial of service (memory exhaustion).",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1544"
},
{
"id": "CVE-2018-1000168",
"summary": "nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000168"
},
{
"id": "CVE-2020-11080",
"summary": "In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11080"
},
{
"id": "CVE-2023-35945",
"summary": "Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy\u2019s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35945"
},
{
"id": "CVE-2023-44487",
"summary": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487"
}
]
},
{
"name": "ninja-native",
"layer": "meta",
"version": "1.11.1",
"products": [
{
"product": "ninja",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2014-4550",
"summary": "Cross-site scripting (XSS) vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode parameter.",
"scorev2": "4.3",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4550"
},
{
"id": "CVE-2021-4336",
"summary": "A vulnerability was found in ITRS Group monitor-ninja up to 2021.11.1. It has been rated as critical. Affected by this issue is some unknown functionality of the file modules/reports/models/scheduled_reports.php. The manipulation leads to sql injection. Upgrading to version 2021.11.30 is able to address this issue. The name of the patch is 6da9080faec9bca1ca5342386c0421dca0a6c0cc. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-230084.",
"scorev2": "5.2",
"scorev3": "9.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4336",
"detail": "cpe-incorrect",
"description": "This is a different Ninja"
}
]
},
{
"name": "npth",
"layer": "meta",
"version": "1.6",
"products": [
{
"product": "npth",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "nspr",
"layer": "meta-oe",
"version": "4.35",
"products": [
{
"product": "netscape_portable_runtime",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-5607",
"summary": "Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-5607"
},
{
"id": "CVE-2014-1545",
"summary": "Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via vectors involving the sprintf and console functions.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1545"
},
{
"id": "CVE-2016-1951",
"summary": "Multiple integer overflows in io/prprf.c in Mozilla Netscape Portable Runtime (NSPR) before 4.12 allow remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long string to a PR_*printf function.",
"scorev2": "7.5",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1951"
}
]
},
{
"name": "nspr-native",
"layer": "meta-oe",
"version": "4.35",
"products": [
{
"product": "netscape_portable_runtime",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-5607",
"summary": "Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-5607"
},
{
"id": "CVE-2014-1545",
"summary": "Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via vectors involving the sprintf and console functions.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1545"
},
{
"id": "CVE-2016-1951",
"summary": "Multiple integer overflows in io/prprf.c in Mozilla Netscape Portable Runtime (NSPR) before 4.12 allow remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long string to a PR_*printf function.",
"scorev2": "7.5",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1951"
}
]
},
{
"name": "nss",
"layer": "meta-oe",
"version": "3.98",
"products": [
{
"product": "network_security_services",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0826",
"summary": "Heap-based buffer overflow in Netscape Network Security Services (NSS) library allows remote attackers to execute arbitrary code via a modified record length field in an SSLv2 client hello message.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0826"
},
{
"id": "CVE-2006-4340",
"summary": "Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates, a similar vulnerability to CVE-2006-4339. NOTE: on 20061107, Mozilla released an advisory stating that these versions were not completely patched by MFSA2006-60. The newer fixes for 1.5.0.7 are covered by CVE-2006-5462.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4340"
},
{
"id": "CVE-2006-5462",
"summary": "Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.8, Thunderbird before 1.5.0.8, and SeaMonkey before 1.0.6, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates. NOTE: this identifier is for unpatched product versions that were originally intended to be addressed by CVE-2006-4340.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5462"
},
{
"id": "CVE-2007-0008",
"summary": "Integer underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1.5.0.10, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via a crafted SSLv2 server message containing a public key that is too short to encrypt the \"Master Secret\", which results in a heap-based overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0008"
},
{
"id": "CVE-2007-0009",
"summary": "Stack-based buffer overflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, SeaMonkey before 1.0.8, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via invalid \"Client Master Key\" length values.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0009"
},
{
"id": "CVE-2009-2404",
"summary": "Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject's Common Name (CN) field of an X.509 certificate, related to the cert_TestHostName function.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2404"
},
{
"id": "CVE-2009-2408",
"summary": "Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.",
"scorev2": "6.8",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2408"
},
{
"id": "CVE-2011-5094",
"summary": "Mozilla Network Security Services (NSS) 3.x, with certain settings of the SSL_ENABLE_RENEGOTIATION option, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-1473. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-5094"
},
{
"id": "CVE-2012-0441",
"summary": "The ASN.1 decoder in the QuickDER decoder in Mozilla Network Security Services (NSS) before 3.13.4, as used in Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10, allows remote attackers to cause a denial of service (application crash) via a zero-length item, as demonstrated by (1) a zero-length basic constraint or (2) a zero-length field in an OCSP response.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0441"
},
{
"id": "CVE-2013-0791",
"summary": "The CERT_DecodeCertPackage function in Mozilla Network Security Services (NSS), as used in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, SeaMonkey before 2.17, and other products, allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) via a crafted certificate.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0791"
},
{
"id": "CVE-2013-1620",
"summary": "The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1620"
},
{
"id": "CVE-2013-1739",
"summary": "Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1739"
},
{
"id": "CVE-2013-1740",
"summary": "The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1740"
},
{
"id": "CVE-2013-1741",
"summary": "Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1741"
},
{
"id": "CVE-2013-5605",
"summary": "Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid handshake packets.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-5605"
},
{
"id": "CVE-2013-5606",
"summary": "The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-5606"
},
{
"id": "CVE-2014-1490",
"summary": "Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1490"
},
{
"id": "CVE-2014-1491",
"summary": "Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1491"
},
{
"id": "CVE-2014-1492",
"summary": "The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1492"
},
{
"id": "CVE-2014-1544",
"summary": "Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1544"
},
{
"id": "CVE-2014-1568",
"summary": "Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a \"signature malleability\" issue.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1568"
},
{
"id": "CVE-2014-1569",
"summary": "The definite_length_decoder function in lib/util/quickder.c in Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding of an ASN.1 length is properly formed, which allows remote attackers to conduct data-smuggling attacks by using a long byte sequence for an encoding, as demonstrated by the SEC_QuickDERDecodeItem function's improper handling of an arbitrary-length encoding of 0x00.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1569"
},
{
"id": "CVE-2015-2721",
"summary": "Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not properly determine state transitions for the TLS state machine, which allows man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages, as demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, aka a \"SMACK SKIP-TLS\" issue.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2721"
},
{
"id": "CVE-2015-2730",
"summary": "Mozilla Network Security Services (NSS) before 3.19.1, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and other products, does not properly perform Elliptical Curve Cryptography (ECC) multiplications, which makes it easier for remote attackers to spoof ECDSA signatures via unspecified vectors.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2730"
},
{
"id": "CVE-2015-4000",
"summary": "The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the \"Logjam\" issue.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4000"
},
{
"id": "CVE-2015-7181",
"summary": "The sec_asn1d_parse_leaf function in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, improperly restricts access to an unspecified data structure, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data, related to a \"use-after-poison\" issue.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7181"
},
{
"id": "CVE-2015-7182",
"summary": "Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7182"
},
{
"id": "CVE-2015-7183",
"summary": "Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape Portable Runtime (NSPR) in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7183"
},
{
"id": "CVE-2015-7575",
"summary": "Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7575"
},
{
"id": "CVE-2016-1950",
"summary": "Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code via crafted ASN.1 data in an X.509 certificate.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1950"
},
{
"id": "CVE-2016-1978",
"summary": "Use-after-free vulnerability in the ssl3_HandleECDHServerKeyExchange function in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact by making an SSL (1) DHE or (2) ECDHE handshake at a time of high memory consumption.",
"scorev2": "7.5",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1978"
},
{
"id": "CVE-2016-1979",
"summary": "Use-after-free vulnerability in the PK11_ImportDERPrivateKeyInfoAndReturnKey function in Mozilla Network Security Services (NSS) before 3.21.1, as used in Mozilla Firefox before 45.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted key data with DER encoding.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1979"
},
{
"id": "CVE-2016-2834",
"summary": "Mozilla Network Security Services (NSS) before 3.23, as used in Mozilla Firefox before 47.0, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2834"
},
{
"id": "CVE-2016-8635",
"summary": "It was found that Diffie Hellman Client key exchange handling in NSS 3.21.x was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8635"
},
{
"id": "CVE-2016-9574",
"summary": "nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9574"
},
{
"id": "CVE-2017-11695",
"summary": "Heap-based buffer overflow in the alloc_segs function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11695",
"detail": "not-applicable-config",
"description": "This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db"
},
{
"id": "CVE-2017-11696",
"summary": "Heap-based buffer overflow in the __hash_open function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11696",
"detail": "not-applicable-config",
"description": "This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db"
},
{
"id": "CVE-2017-11697",
"summary": "The __hash_open function in hash.c:229 in Mozilla Network Security Services (NSS) allows context-dependent attackers to cause a denial of service (floating point exception and crash) via a crafted cert8.db file.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11697",
"detail": "not-applicable-config",
"description": "This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db"
},
{
"id": "CVE-2017-11698",
"summary": "Heap-based buffer overflow in the __get_page function in lib/dbm/src/h_page.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11698",
"detail": "not-applicable-config",
"description": "This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db"
},
{
"id": "CVE-2017-5461",
"summary": "Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5461"
},
{
"id": "CVE-2017-5462",
"summary": "A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox ESR 52.1 has been updated with NSS version 3.28.4. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5462"
},
{
"id": "CVE-2017-7502",
"summary": "Null pointer dereference vulnerability in NSS since 3.24.0 was found when server receives empty SSLv2 messages resulting into denial of service by remote attacker.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7502"
},
{
"id": "CVE-2018-12384",
"summary": "When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12384"
},
{
"id": "CVE-2018-12404",
"summary": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12404"
},
{
"id": "CVE-2018-18508",
"summary": "In Network Security Services (NSS) before 3.36.7 and before 3.41.1, a malformed signature can cause a crash due to a null dereference, resulting in a Denial of Service.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18508"
},
{
"id": "CVE-2019-17006",
"summary": "In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17006"
},
{
"id": "CVE-2019-17007",
"summary": "In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17007"
},
{
"id": "CVE-2020-25648",
"summary": "A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25648"
},
{
"id": "CVE-2022-3479",
"summary": "A vulnerability found in nss. By this security vulnerability, nss client auth crash without a user certificate in the database and this can lead us to a segmentation fault or crash.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3479",
"detail": "not-applicable-config",
"description": "vulnerability was introduced in 3.77 and fixed in 3.87"
}
]
},
{
"name": "nss-native",
"layer": "meta-oe",
"version": "3.98",
"products": [
{
"product": "network_security_services",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0826",
"summary": "Heap-based buffer overflow in Netscape Network Security Services (NSS) library allows remote attackers to execute arbitrary code via a modified record length field in an SSLv2 client hello message.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0826"
},
{
"id": "CVE-2006-4340",
"summary": "Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates, a similar vulnerability to CVE-2006-4339. NOTE: on 20061107, Mozilla released an advisory stating that these versions were not completely patched by MFSA2006-60. The newer fixes for 1.5.0.7 are covered by CVE-2006-5462.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4340"
},
{
"id": "CVE-2006-5462",
"summary": "Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.8, Thunderbird before 1.5.0.8, and SeaMonkey before 1.0.6, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates. NOTE: this identifier is for unpatched product versions that were originally intended to be addressed by CVE-2006-4340.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5462"
},
{
"id": "CVE-2007-0008",
"summary": "Integer underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1.5.0.10, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via a crafted SSLv2 server message containing a public key that is too short to encrypt the \"Master Secret\", which results in a heap-based overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0008"
},
{
"id": "CVE-2007-0009",
"summary": "Stack-based buffer overflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, SeaMonkey before 1.0.8, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via invalid \"Client Master Key\" length values.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0009"
},
{
"id": "CVE-2009-2404",
"summary": "Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject's Common Name (CN) field of an X.509 certificate, related to the cert_TestHostName function.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2404"
},
{
"id": "CVE-2009-2408",
"summary": "Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.",
"scorev2": "6.8",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2408"
},
{
"id": "CVE-2011-5094",
"summary": "Mozilla Network Security Services (NSS) 3.x, with certain settings of the SSL_ENABLE_RENEGOTIATION option, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-1473. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-5094"
},
{
"id": "CVE-2012-0441",
"summary": "The ASN.1 decoder in the QuickDER decoder in Mozilla Network Security Services (NSS) before 3.13.4, as used in Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10, allows remote attackers to cause a denial of service (application crash) via a zero-length item, as demonstrated by (1) a zero-length basic constraint or (2) a zero-length field in an OCSP response.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0441"
},
{
"id": "CVE-2013-0791",
"summary": "The CERT_DecodeCertPackage function in Mozilla Network Security Services (NSS), as used in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, SeaMonkey before 2.17, and other products, allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) via a crafted certificate.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0791"
},
{
"id": "CVE-2013-1620",
"summary": "The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1620"
},
{
"id": "CVE-2013-1739",
"summary": "Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1739"
},
{
"id": "CVE-2013-1740",
"summary": "The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1740"
},
{
"id": "CVE-2013-1741",
"summary": "Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1741"
},
{
"id": "CVE-2013-5605",
"summary": "Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid handshake packets.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-5605"
},
{
"id": "CVE-2013-5606",
"summary": "The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-5606"
},
{
"id": "CVE-2014-1490",
"summary": "Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1490"
},
{
"id": "CVE-2014-1491",
"summary": "Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1491"
},
{
"id": "CVE-2014-1492",
"summary": "The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1492"
},
{
"id": "CVE-2014-1544",
"summary": "Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1544"
},
{
"id": "CVE-2014-1568",
"summary": "Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a \"signature malleability\" issue.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1568"
},
{
"id": "CVE-2014-1569",
"summary": "The definite_length_decoder function in lib/util/quickder.c in Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding of an ASN.1 length is properly formed, which allows remote attackers to conduct data-smuggling attacks by using a long byte sequence for an encoding, as demonstrated by the SEC_QuickDERDecodeItem function's improper handling of an arbitrary-length encoding of 0x00.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1569"
},
{
"id": "CVE-2015-2721",
"summary": "Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not properly determine state transitions for the TLS state machine, which allows man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages, as demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, aka a \"SMACK SKIP-TLS\" issue.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2721"
},
{
"id": "CVE-2015-2730",
"summary": "Mozilla Network Security Services (NSS) before 3.19.1, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and other products, does not properly perform Elliptical Curve Cryptography (ECC) multiplications, which makes it easier for remote attackers to spoof ECDSA signatures via unspecified vectors.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2730"
},
{
"id": "CVE-2015-4000",
"summary": "The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the \"Logjam\" issue.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4000"
},
{
"id": "CVE-2015-7181",
"summary": "The sec_asn1d_parse_leaf function in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, improperly restricts access to an unspecified data structure, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data, related to a \"use-after-poison\" issue.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7181"
},
{
"id": "CVE-2015-7182",
"summary": "Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7182"
},
{
"id": "CVE-2015-7183",
"summary": "Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape Portable Runtime (NSPR) in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7183"
},
{
"id": "CVE-2015-7575",
"summary": "Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7575"
},
{
"id": "CVE-2016-1950",
"summary": "Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code via crafted ASN.1 data in an X.509 certificate.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1950"
},
{
"id": "CVE-2016-1978",
"summary": "Use-after-free vulnerability in the ssl3_HandleECDHServerKeyExchange function in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact by making an SSL (1) DHE or (2) ECDHE handshake at a time of high memory consumption.",
"scorev2": "7.5",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1978"
},
{
"id": "CVE-2016-1979",
"summary": "Use-after-free vulnerability in the PK11_ImportDERPrivateKeyInfoAndReturnKey function in Mozilla Network Security Services (NSS) before 3.21.1, as used in Mozilla Firefox before 45.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted key data with DER encoding.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1979"
},
{
"id": "CVE-2016-2834",
"summary": "Mozilla Network Security Services (NSS) before 3.23, as used in Mozilla Firefox before 47.0, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2834"
},
{
"id": "CVE-2016-8635",
"summary": "It was found that Diffie Hellman Client key exchange handling in NSS 3.21.x was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8635"
},
{
"id": "CVE-2016-9574",
"summary": "nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9574"
},
{
"id": "CVE-2017-11695",
"summary": "Heap-based buffer overflow in the alloc_segs function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11695",
"detail": "not-applicable-config",
"description": "This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db"
},
{
"id": "CVE-2017-11696",
"summary": "Heap-based buffer overflow in the __hash_open function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11696",
"detail": "not-applicable-config",
"description": "This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db"
},
{
"id": "CVE-2017-11697",
"summary": "The __hash_open function in hash.c:229 in Mozilla Network Security Services (NSS) allows context-dependent attackers to cause a denial of service (floating point exception and crash) via a crafted cert8.db file.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11697",
"detail": "not-applicable-config",
"description": "This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db"
},
{
"id": "CVE-2017-11698",
"summary": "Heap-based buffer overflow in the __get_page function in lib/dbm/src/h_page.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11698",
"detail": "not-applicable-config",
"description": "This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db"
},
{
"id": "CVE-2017-5461",
"summary": "Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5461"
},
{
"id": "CVE-2017-5462",
"summary": "A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox ESR 52.1 has been updated with NSS version 3.28.4. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5462"
},
{
"id": "CVE-2017-7502",
"summary": "Null pointer dereference vulnerability in NSS since 3.24.0 was found when server receives empty SSLv2 messages resulting into denial of service by remote attacker.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7502"
},
{
"id": "CVE-2018-12384",
"summary": "When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12384"
},
{
"id": "CVE-2018-12404",
"summary": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12404"
},
{
"id": "CVE-2018-18508",
"summary": "In Network Security Services (NSS) before 3.36.7 and before 3.41.1, a malformed signature can cause a crash due to a null dereference, resulting in a Denial of Service.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18508"
},
{
"id": "CVE-2019-17006",
"summary": "In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17006"
},
{
"id": "CVE-2019-17007",
"summary": "In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17007"
},
{
"id": "CVE-2020-25648",
"summary": "A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25648"
},
{
"id": "CVE-2022-3479",
"summary": "A vulnerability found in nss. By this security vulnerability, nss client auth crash without a user certificate in the database and this can lead us to a segmentation fault or crash.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3479",
"detail": "not-applicable-config",
"description": "vulnerability was introduced in 3.77 and fixed in 3.87"
}
]
},
{
"name": "ofono",
"layer": "meta",
"version": "2.4",
"products": [
{
"product": "ofono",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "ondemandnavi",
"layer": "meta-agl-demo",
"version": "2.0+git",
"products": [
{
"product": "ondemandnavi",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "ondemandnavi-config",
"layer": "meta-agl-demo",
"version": "1.0",
"products": [
{
"product": "ondemandnavi-config",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "openjtalk",
"layer": "meta-agl-demo",
"version": "1.09",
"products": [
{
"product": "openjtalk",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "openjtalk-native",
"layer": "meta-agl-demo",
"version": "1.09",
"products": [
{
"product": "openjtalk",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "openjtalk-voicedata",
"layer": "meta-agl-demo",
"version": "1.6",
"products": [
{
"product": "openjtalk-voicedata",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "openssh",
"layer": "meta",
"version": "9.6p1",
"products": [
{
"product": "openssh",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-1010",
"summary": "An SSH 1.2.27 server allows a client to use the \"none\" cipher, even if it is not allowed by the server policy.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1010"
},
{
"id": "CVE-2000-0143",
"summary": "The SSH protocol server sshd allows local users without shell access to redirect a TCP connection through a service that uses the standard system password database for authentication, such as POP or FTP.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0143"
},
{
"id": "CVE-2000-0217",
"summary": "The default configuration of SSH allows X forwarding, which could allow a remote attacker to control a client's X sessions via a malicious xauth program.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0217"
},
{
"id": "CVE-2000-0525",
"summary": "OpenSSH does not properly drop privileges when the UseLogin option is enabled, which allows local users to execute arbitrary commands by providing the command to the ssh daemon.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0525"
},
{
"id": "CVE-2000-0992",
"summary": "Directory traversal vulnerability in scp in sshd 1.2.xx allows a remote malicious scp server to overwrite arbitrary files via a .. (dot dot) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0992"
},
{
"id": "CVE-2000-0999",
"summary": "Format string vulnerabilities in OpenBSD ssh program (and possibly other BSD-based operating systems) allow attackers to gain root privileges.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0999"
},
{
"id": "CVE-2000-1169",
"summary": "OpenSSH SSH client before 2.3.0 does not properly disable X11 or agent forwarding, which could allow a malicious SSH server to gain access to the X11 display and sniff X11 events, or gain access to the ssh-agent.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-1169"
},
{
"id": "CVE-2001-0144",
"summary": "CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute arbitrary commands on an SSH server or client via an integer overflow.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0144"
},
{
"id": "CVE-2001-0361",
"summary": "Implementations of SSH version 1.5, including (1) OpenSSH up to version 2.3.0, (2) AppGate, and (3) ssh-1 up to version 1.2.31, in certain configurations, allow a remote attacker to decrypt and/or alter traffic via a \"Bleichenbacher attack\" on PKCS#1 version 1.5.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0361"
},
{
"id": "CVE-2001-0529",
"summary": "OpenSSH version 2.9 and earlier, with X forwarding enabled, allows a local attacker to delete any file named 'cookies' via a symlink attack.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0529"
},
{
"id": "CVE-2001-0572",
"summary": "The SSH protocols 1 and 2 (aka SSH-2) as implemented in OpenSSH and other packages have various weaknesses which can allow a remote attacker to obtain the following information via sniffing: (1) password lengths or ranges of lengths, which simplifies brute force password guessing, (2) whether RSA or DSA authentication is being used, (3) the number of authorized_keys in RSA authentication, or (4) the lengths of shell commands.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0572"
},
{
"id": "CVE-2001-0816",
"summary": "OpenSSH before 2.9.9, when running sftp using sftp-server and using restricted keypairs, allows remote authenticated users to bypass authorized_keys2 command= restrictions using sftp commands.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0816"
},
{
"id": "CVE-2001-0872",
"summary": "OpenSSH 3.0.1 and earlier with UseLogin enabled does not properly cleanse critical environment variables such as LD_PRELOAD, which allows local users to gain root privileges.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0872"
},
{
"id": "CVE-2001-1029",
"summary": "libutil in OpenSSH on FreeBSD 4.4 and earlier does not drop privileges before verifying the capabilities for reading the copyright and welcome files, which allows local users to bypass the capabilities checks and read arbitrary files by specifying alternate copyright or welcome files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1029"
},
{
"id": "CVE-2001-1380",
"summary": "OpenSSH before 2.9.9, while using keypairs and multiple keys of different types in the ~/.ssh/authorized_keys2 file, may not properly handle the \"from\" option associated with a key, which could allow remote attackers to login from unauthorized IP addresses.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1380"
},
{
"id": "CVE-2001-1382",
"summary": "The \"echo simulation\" traffic analysis countermeasure in OpenSSH before 2.9.9p2 sends an additional echo packet after the password and carriage return is entered, which could allow remote attackers to determine that the countermeasure is being used.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1382"
},
{
"id": "CVE-2001-1459",
"summary": "OpenSSH 2.9 and earlier does not initiate a Pluggable Authentication Module (PAM) session if commands are executed with no pty, which allows local users to bypass resource limits (rlimits) set in pam.d.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1459"
},
{
"id": "CVE-2001-1507",
"summary": "OpenSSH before 3.0.1 with Kerberos V enabled does not properly authenticate users, which could allow remote attackers to login unchallenged.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1507"
},
{
"id": "CVE-2001-1585",
"summary": "SSH protocol 2 (aka SSH-2) public key authentication in the development snapshot of OpenSSH 2.3.1, available from 2001-01-18 through 2001-02-08, does not perform a challenge-response step to ensure that the client has the proper private key, which allows remote attackers to bypass authentication as other users by supplying a public key from that user's authorized_keys file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1585"
},
{
"id": "CVE-2002-0083",
"summary": "Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0083"
},
{
"id": "CVE-2002-0575",
"summary": "Buffer overflow in OpenSSH before 2.9.9, and 3.x before 3.2.1, with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing enabled, allows remote and local authenticated users to gain privileges.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0575"
},
{
"id": "CVE-2002-0639",
"summary": "Integer overflow in sshd in OpenSSH 2.9.9 through 3.3 allows remote attackers to execute arbitrary code during challenge response authentication (ChallengeResponseAuthentication) when OpenSSH is using SKEY or BSD_AUTH authentication.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0639"
},
{
"id": "CVE-2002-0640",
"summary": "Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt).",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0640"
},
{
"id": "CVE-2002-0765",
"summary": "sshd in OpenSSH 3.2.2, when using YP with netgroups and under certain conditions, may allow users to successfully authenticate and log in with another user's password.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0765"
},
{
"id": "CVE-2003-0190",
"summary": "OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0190"
},
{
"id": "CVE-2003-0386",
"summary": "OpenSSH 3.6.1 and earlier, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass \"from=\" and \"user@host\" address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0386"
},
{
"id": "CVE-2003-0682",
"summary": "\"Memory bugs\" in OpenSSH 3.7.1 and earlier, with unknown impact, a different set of vulnerabilities than CVE-2003-0693 and CVE-2003-0695.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0682"
},
{
"id": "CVE-2003-0693",
"summary": "A \"buffer management error\" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0693"
},
{
"id": "CVE-2003-0695",
"summary": "Multiple \"buffer management errors\" in OpenSSH before 3.7.1 may allow attackers to cause a denial of service or execute arbitrary code using (1) buffer_init in buffer.c, (2) buffer_free in buffer.c, or (3) a separate function in channels.c, a different vulnerability than CVE-2003-0693.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0695"
},
{
"id": "CVE-2003-0786",
"summary": "The SSH1 PAM challenge response authentication in OpenSSH 3.7.1 and 3.7.1p1, when Privilege Separation is disabled, does not check the result of the authentication attempt, which can allow remote attackers to gain privileges.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0786"
},
{
"id": "CVE-2003-0787",
"summary": "The PAM conversation function in OpenSSH 3.7.1 and 3.7.1p1 interprets an array of structures as an array of pointers, which allows attackers to modify the stack and possibly gain privileges.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0787"
},
{
"id": "CVE-2003-1562",
"summary": "sshd in OpenSSH 3.6.1p2 and earlier, when PermitRootLogin is disabled and using PAM keyboard-interactive authentication, does not insert a delay after a root login attempt with the correct password, which makes it easier for remote attackers to use timing differences to determine if the password step of a multi-step authentication is successful, a different vulnerability than CVE-2003-0190.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-1562"
},
{
"id": "CVE-2004-0175",
"summary": "Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allows remote malicious servers to overwrite arbitrary files. NOTE: this may be a rediscovery of CVE-2000-0992.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0175"
},
{
"id": "CVE-2004-1653",
"summary": "The default configuration for OpenSSH enables AllowTcpForwarding, which could allow remote authenticated users to perform a port bounce, when configured with an anonymous access program such as AnonCVS.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1653"
},
{
"id": "CVE-2004-2069",
"summary": "sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, when using privilege separation, does not properly signal the non-privileged process when a session has been terminated after exceeding the LoginGraceTime setting, which leaves the connection open and allows remote attackers to cause a denial of service (connection consumption).",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2069"
},
{
"id": "CVE-2004-2760",
"summary": "sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately closes the TCP connection after a root login attempt with the correct password, but leaves the connection open after an attempt with an incorrect password, which makes it easier for remote attackers to guess the password by observing the connection state, a different vulnerability than CVE-2003-0190. NOTE: it could be argued that in most environments, this does not cross privilege boundaries without requiring leverage of a separate vulnerability.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2760"
},
{
"id": "CVE-2005-2666",
"summary": "SSH, as implemented in OpenSSH before 4.0 and possibly other implementations, stores hostnames, IP addresses, and keys in plaintext in the known_hosts file, which makes it easier for an attacker that has compromised an SSH user's account to generate a list of additional targets that are more likely to have the same password or key.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2666"
},
{
"id": "CVE-2005-2797",
"summary": "OpenSSH 4.0, and other versions before 4.2, does not properly handle dynamic port forwarding (\"-D\" option) when a listen address is not provided, which may cause OpenSSH to enable the GatewayPorts functionality.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2797"
},
{
"id": "CVE-2005-2798",
"summary": "sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2798"
},
{
"id": "CVE-2006-0225",
"summary": "scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0225"
},
{
"id": "CVE-2006-0883",
"summary": "OpenSSH on FreeBSD 5.3 and 5.4, when used with OpenPAM, does not properly handle when a forked child process terminates during PAM authentication, which allows remote attackers to cause a denial of service (client connection refusal) by connecting multiple times to the SSH server, waiting for the password prompt, then disconnecting.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0883"
},
{
"id": "CVE-2006-4924",
"summary": "sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4924"
},
{
"id": "CVE-2006-4925",
"summary": "packet.c in ssh in OpenSSH allows remote attackers to cause a denial of service (crash) by sending an invalid protocol sequence with USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4925"
},
{
"id": "CVE-2006-5051",
"summary": "Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.",
"scorev2": "9.3",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5051"
},
{
"id": "CVE-2006-5052",
"summary": "Unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI \"authentication abort.\"",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5052"
},
{
"id": "CVE-2006-5229",
"summary": "OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies in which responses take longer for valid usernames than invalid ones, as demonstrated by sshtime. NOTE: as of 20061014, it appears that this issue is dependent on the use of manually-set passwords that causes delays when processing /etc/shadow due to an increased number of rounds.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5229"
},
{
"id": "CVE-2006-5794",
"summary": "Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5794"
},
{
"id": "CVE-2007-2243",
"summary": "OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2243"
},
{
"id": "CVE-2007-2768",
"summary": "OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2768",
"detail": "not-applicable-config",
"description": "This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
},
{
"id": "CVE-2007-3102",
"summary": "Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3102"
},
{
"id": "CVE-2007-4654",
"summary": "Unspecified vulnerability in SSHield 1.6.1 with OpenSSH 3.0.2p1 on Cisco WebNS 8.20.0.1 on Cisco Content Services Switch (CSS) series 11000 devices allows remote attackers to cause a denial of service (connection slot exhaustion and device crash) via a series of large packets designed to exploit the SSH CRC32 attack detection overflow (CVE-2001-0144), possibly a related issue to CVE-2002-1024.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4654"
},
{
"id": "CVE-2007-4752",
"summary": "ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4752"
},
{
"id": "CVE-2008-1483",
"summary": "OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1483"
},
{
"id": "CVE-2008-1657",
"summary": "OpenSSH 4.4 up to versions before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file.",
"scorev2": "6.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1657"
},
{
"id": "CVE-2008-3234",
"summary": "sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.",
"scorev2": "6.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3234"
},
{
"id": "CVE-2008-3259",
"summary": "OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the X11UseLocalhost configuration setting is disabled, which allows local users on some platforms to hijack the X11 forwarding port via a bind to a single IP address, as demonstrated on the HP-UX platform.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3259"
},
{
"id": "CVE-2008-3844",
"summary": "Certain Red Hat Enterprise Linux (RHEL) 4 and 5 packages for OpenSSH, as signed in August 2008 using a legitimate Red Hat GPG key, contain an externally introduced modification (Trojan Horse) that allows the package authors to have an unknown impact. NOTE: since the malicious packages were not distributed from any official Red Hat sources, the scope of this issue is restricted to users who may have obtained these packages through unofficial distribution points. As of 20080827, no unofficial distributions of this software are known.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3844",
"detail": "not-applicable-platform",
"description": "Only applies to some distributed RHEL binaries."
},
{
"id": "CVE-2008-4109",
"summary": "A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists because of an incorrect fix for CVE-2006-5051.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4109"
},
{
"id": "CVE-2008-5161",
"summary": "Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5161"
},
{
"id": "CVE-2009-2904",
"summary": "A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2904"
},
{
"id": "CVE-2010-4478",
"summary": "OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4478"
},
{
"id": "CVE-2010-4755",
"summary": "The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4755"
},
{
"id": "CVE-2010-5107",
"summary": "The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5107"
},
{
"id": "CVE-2011-0539",
"summary": "The key_certify function in usr.bin/ssh/key.c in OpenSSH 5.6 and 5.7, when generating legacy certificates using the -t command-line option in ssh-keygen, does not initialize the nonce field, which might allow remote attackers to obtain sensitive stack memory contents or make it easier to conduct hash collision attacks.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0539"
},
{
"id": "CVE-2011-4327",
"summary": "ssh-keysign.c in ssh-keysign in OpenSSH before 5.8p2 on certain platforms executes ssh-rand-helper with unintended open file descriptors, which allows local users to obtain sensitive key information via the ptrace system call.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4327"
},
{
"id": "CVE-2011-5000",
"summary": "The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field. NOTE: there may be limited scenarios in which this issue is relevant.",
"scorev2": "3.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-5000"
},
{
"id": "CVE-2012-0814",
"summary": "The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory.",
"scorev2": "3.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0814"
},
{
"id": "CVE-2013-4548",
"summary": "The mm_newkeys_from_blob function in monitor_wrap.c in sshd in OpenSSH 6.2 and 6.3, when an AES-GCM cipher is used, does not properly initialize memory for a MAC context data structure, which allows remote authenticated users to bypass intended ForceCommand and login-shell restrictions via packet data that provides a crafted callback address.",
"scorev2": "6.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4548"
},
{
"id": "CVE-2014-1692",
"summary": "The hash_buffer function in schnorr.c in OpenSSH through 6.4, when Makefile.inc is modified to enable the J-PAKE protocol, does not initialize certain data structures, which might allow remote attackers to cause a denial of service (memory corruption) or have unspecified other impact via vectors that trigger an error condition.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1692"
},
{
"id": "CVE-2014-2532",
"summary": "sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.",
"scorev2": "5.8",
"scorev3": "4.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2532"
},
{
"id": "CVE-2014-2653",
"summary": "The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2653"
},
{
"id": "CVE-2014-9278",
"summary": "The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9278",
"detail": "not-applicable-platform",
"description": "This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
},
{
"id": "CVE-2015-5352",
"summary": "The x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when ForwardX11Trusted mode is not used, lacks a check of the refusal deadline for X connections, which makes it easier for remote attackers to bypass intended access restrictions via a connection outside of the permitted time window.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5352"
},
{
"id": "CVE-2015-5600",
"summary": "The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.",
"scorev2": "8.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5600"
},
{
"id": "CVE-2015-6563",
"summary": "The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6563"
},
{
"id": "CVE-2015-6564",
"summary": "Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6564"
},
{
"id": "CVE-2015-6565",
"summary": "sshd in OpenSSH 6.8 and 6.9 uses world-writable permissions for TTY devices, which allows local users to cause a denial of service (terminal disruption) or possibly have unspecified other impact by writing to a device, as demonstrated by writing an escape sequence.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6565"
},
{
"id": "CVE-2015-8325",
"summary": "The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8325"
},
{
"id": "CVE-2016-0777",
"summary": "The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, as demonstrated by reading a private key.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0777"
},
{
"id": "CVE-2016-0778",
"summary": "The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2, when certain proxy and forward options are enabled, do not properly maintain connection file descriptors, which allows remote servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by requesting many forwardings.",
"scorev2": "4.6",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0778"
},
{
"id": "CVE-2016-10009",
"summary": "Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.",
"scorev2": "7.5",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10009"
},
{
"id": "CVE-2016-10010",
"summary": "sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10010"
},
{
"id": "CVE-2016-10011",
"summary": "authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10011"
},
{
"id": "CVE-2016-10012",
"summary": "The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allows local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10012"
},
{
"id": "CVE-2016-10708",
"summary": "sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10708"
},
{
"id": "CVE-2016-1907",
"summary": "The ssh_packet_read_poll2 function in packet.c in OpenSSH before 7.1p2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1907"
},
{
"id": "CVE-2016-1908",
"summary": "The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1908"
},
{
"id": "CVE-2016-20012",
"summary": "OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product",
"scorev2": "4.3",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-20012"
},
{
"id": "CVE-2016-3115",
"summary": "Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.",
"scorev2": "5.5",
"scorev3": "6.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3115"
},
{
"id": "CVE-2016-6210",
"summary": "sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6210"
},
{
"id": "CVE-2016-6515",
"summary": "The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6515"
},
{
"id": "CVE-2016-8858",
"summary": "The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that \"OpenSSH upstream does not consider this as a security issue.\"",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8858"
},
{
"id": "CVE-2017-15906",
"summary": "The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15906"
},
{
"id": "CVE-2018-15473",
"summary": "OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15473"
},
{
"id": "CVE-2018-15919",
"summary": "Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15919"
},
{
"id": "CVE-2018-20685",
"summary": "In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.",
"scorev2": "2.6",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20685"
},
{
"id": "CVE-2019-16905",
"summary": "OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.",
"scorev2": "4.4",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16905"
},
{
"id": "CVE-2019-6109",
"summary": "An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.",
"scorev2": "4.0",
"scorev3": "6.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6109"
},
{
"id": "CVE-2019-6110",
"summary": "In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.",
"scorev2": "4.0",
"scorev3": "6.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6110"
},
{
"id": "CVE-2019-6111",
"summary": "An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).",
"scorev2": "5.8",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6111"
},
{
"id": "CVE-2020-12062",
"summary": "The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that \"this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol\" and \"utimes does not fail under normal circumstances.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12062"
},
{
"id": "CVE-2020-14145",
"summary": "The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14145"
},
{
"id": "CVE-2020-15778",
"summary": "scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of \"anomalous argument transfers\" because that could \"stand a great chance of breaking existing workflows.\"",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15778"
},
{
"id": "CVE-2021-28041",
"summary": "ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.",
"scorev2": "4.6",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28041"
},
{
"id": "CVE-2021-36368",
"summary": "An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is \"this is not an authentication bypass, since nothing is being bypassed.",
"scorev2": "2.6",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-36368"
},
{
"id": "CVE-2021-41617",
"summary": "sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41617"
},
{
"id": "CVE-2023-25136",
"summary": "OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states \"remote code execution is theoretically possible.\"",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25136"
},
{
"id": "CVE-2023-28531",
"summary": "ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28531"
},
{
"id": "CVE-2023-38408",
"summary": "The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38408"
},
{
"id": "CVE-2023-48795",
"summary": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795"
},
{
"id": "CVE-2023-51384",
"summary": "In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51384"
},
{
"id": "CVE-2023-51385",
"summary": "In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51385"
},
{
"id": "CVE-2023-51767",
"summary": "OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51767"
},
{
"id": "CVE-2024-6387",
"summary": "A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead to sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-6387"
}
]
},
{
"name": "openssl",
"layer": "meta",
"version": "3.2.1",
"products": [
{
"product": "openssl",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-0428",
"summary": "OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0428"
},
{
"id": "CVE-2000-0535",
"summary": "OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly check for the existence of the /dev/random or /dev/urandom devices, which are absent on FreeBSD Alpha systems, which causes them to produce weak keys which may be more easily broken.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0535"
},
{
"id": "CVE-2000-1254",
"summary": "crypto/rsa/rsa_gen.c in OpenSSL before 0.9.6 mishandles C bitwise-shift operations that exceed the size of an expression, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging improper RSA key generation on 64-bit HP-UX platforms.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-1254"
},
{
"id": "CVE-2001-1141",
"summary": "The Pseudo-Random Number Generator (PRNG) in SSLeay and OpenSSL before 0.9.6b allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1141"
},
{
"id": "CVE-2002-0655",
"summary": "OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, does not properly handle ASCII representations of integers on 64 bit platforms, which could allow attackers to cause a denial of service and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0655"
},
{
"id": "CVE-2002-0656",
"summary": "Buffer overflows in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allow remote attackers to execute arbitrary code via (1) a large client master key in SSL2 or (2) a large session ID in SSL3.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0656"
},
{
"id": "CVE-2002-0657",
"summary": "Buffer overflow in OpenSSL 0.9.7 before 0.9.7-beta3, with Kerberos enabled, allows attackers to execute arbitrary code via a long master key.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0657"
},
{
"id": "CVE-2002-0659",
"summary": "The ASN1 library in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allows remote attackers to cause a denial of service via invalid encodings.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0659"
},
{
"id": "CVE-2002-1568",
"summary": "OpenSSL 0.9.6e uses assertions when detecting buffer overflow attacks instead of less severe mechanisms, which allows remote attackers to cause a denial of service (crash) via certain messages that cause OpenSSL to abort from a failed assertion, as demonstrated using SSLv2 CLIENT_MASTER_KEY messages, which are not properly handled in s2_srvr.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1568"
},
{
"id": "CVE-2003-0078",
"summary": "ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the \"Vaudenay timing attack.\"",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0078"
},
{
"id": "CVE-2003-0131",
"summary": "The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the \"Klima-Pokorny-Rosa attack.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0131"
},
{
"id": "CVE-2003-0147",
"summary": "OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms (\"Karatsuba\" and normal).",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0147"
},
{
"id": "CVE-2003-0543",
"summary": "Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0543"
},
{
"id": "CVE-2003-0544",
"summary": "OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0544"
},
{
"id": "CVE-2003-0545",
"summary": "Double free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0545"
},
{
"id": "CVE-2003-0851",
"summary": "OpenSSL 0.9.6k allows remote attackers to cause a denial of service (crash via large recursion) via malformed ASN.1 sequences.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0851"
},
{
"id": "CVE-2004-0079",
"summary": "The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0079"
},
{
"id": "CVE-2004-0081",
"summary": "OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0081"
},
{
"id": "CVE-2004-0975",
"summary": "The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0975"
},
{
"id": "CVE-2005-1797",
"summary": "The design of Advanced Encryption Standard (AES), aka Rijndael, allows remote attackers to recover AES keys via timing attacks on S-box lookups, which are difficult to perform in constant time in AES implementations.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1797"
},
{
"id": "CVE-2005-2946",
"summary": "The default configuration on OpenSSL before 0.9.8 uses MD5 for creating message digests instead of a more cryptographically strong algorithm, which makes it easier for remote attackers to forge certificates with a valid certificate authority signature.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2946"
},
{
"id": "CVE-2005-2969",
"summary": "The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preventing protocol version rollback attacks, which allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2969"
},
{
"id": "CVE-2006-2937",
"summary": "OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2937"
},
{
"id": "CVE-2006-2940",
"summary": "OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) \"public exponent\" or (2) \"public modulus\" values in X.509 certificates that require extra time to process when using RSA signature verification.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2940"
},
{
"id": "CVE-2006-3738",
"summary": "Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list of ciphers.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3738"
},
{
"id": "CVE-2006-4339",
"summary": "OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4339"
},
{
"id": "CVE-2006-4343",
"summary": "The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4343"
},
{
"id": "CVE-2006-7250",
"summary": "The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7250"
},
{
"id": "CVE-2007-3108",
"summary": "The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3108"
},
{
"id": "CVE-2007-4995",
"summary": "Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f allows remote attackers to execute arbitrary code via unspecified vectors.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4995"
},
{
"id": "CVE-2007-5135",
"summary": "Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5135"
},
{
"id": "CVE-2008-0166",
"summary": "OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0166"
},
{
"id": "CVE-2008-0891",
"summary": "Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS server name extensions are enabled, allows remote attackers to cause a denial of service (crash) via a malformed Client Hello packet. NOTE: some of these details are obtained from third party information.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0891"
},
{
"id": "CVE-2008-1672",
"summary": "OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server Key Exchange message and uses \"particular cipher suites,\" which triggers a NULL pointer dereference.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1672"
},
{
"id": "CVE-2008-1678",
"summary": "Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1678"
},
{
"id": "CVE-2008-5077",
"summary": "OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5077"
},
{
"id": "CVE-2008-7270",
"summary": "OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-7270"
},
{
"id": "CVE-2009-0590",
"summary": "The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0590"
},
{
"id": "CVE-2009-0591",
"summary": "The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0591"
},
{
"id": "CVE-2009-0653",
"summary": "OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an intermediate CA-signed certificate, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack, a related issue to CVE-2002-0970.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0653"
},
{
"id": "CVE-2009-0789",
"summary": "OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0789"
},
{
"id": "CVE-2009-1377",
"summary": "The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of \"future epoch\" DTLS records that are buffered in a queue, aka \"DTLS record buffer limitation bug.\"",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1377"
},
{
"id": "CVE-2009-1378",
"summary": "Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka \"DTLS fragment handling memory leak.\"",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1378"
},
{
"id": "CVE-2009-1379",
"summary": "Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1379"
},
{
"id": "CVE-2009-1386",
"summary": "ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1386"
},
{
"id": "CVE-2009-1387",
"summary": "The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a \"fragment bug.\"",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1387"
},
{
"id": "CVE-2009-2409",
"summary": "The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2409"
},
{
"id": "CVE-2009-3245",
"summary": "OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3245"
},
{
"id": "CVE-2009-3555",
"summary": "The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a \"plaintext injection\" attack, aka the \"Project Mogul\" issue.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3555"
},
{
"id": "CVE-2009-4355",
"summary": "Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4355"
},
{
"id": "CVE-2010-0433",
"summary": "The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0433"
},
{
"id": "CVE-2010-0740",
"summary": "The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through 0.9.8m allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection that triggers a NULL pointer dereference, related to the minor version number. NOTE: some of these details are obtained from third party information.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0740"
},
{
"id": "CVE-2010-0742",
"summary": "The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0742"
},
{
"id": "CVE-2010-0928",
"summary": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0928"
},
{
"id": "CVE-2010-1633",
"summary": "RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors. NOTE: some of these details are obtained from third party information.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1633"
},
{
"id": "CVE-2010-2939",
"summary": "Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, when using ECDH, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted private key with an invalid prime. NOTE: some sources refer to this as a use-after-free issue.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2939"
},
{
"id": "CVE-2010-3864",
"summary": "Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3864"
},
{
"id": "CVE-2010-4180",
"summary": "OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4180"
},
{
"id": "CVE-2010-4252",
"summary": "OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4252"
},
{
"id": "CVE-2010-5298",
"summary": "Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5298"
},
{
"id": "CVE-2011-0014",
"summary": "ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka \"OCSP stapling vulnerability.\"",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0014"
},
{
"id": "CVE-2011-1473",
"summary": "OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1473"
},
{
"id": "CVE-2011-1945",
"summary": "The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1945"
},
{
"id": "CVE-2011-3207",
"summary": "crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3207"
},
{
"id": "CVE-2011-3210",
"summary": "The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages from clients, which allows remote attackers to cause a denial of service (daemon crash) via out-of-order messages that violate the TLS protocol.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3210"
},
{
"id": "CVE-2011-4108",
"summary": "The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4108"
},
{
"id": "CVE-2011-4109",
"summary": "Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4109"
},
{
"id": "CVE-2011-4354",
"summary": "crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances involving ECDH or ECDHE cipher suites, uses an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves, which allows remote attackers to obtain the private key of a TLS server via multiple handshake attempts.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4354"
},
{
"id": "CVE-2011-4576",
"summary": "The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4576"
},
{
"id": "CVE-2011-4577",
"summary": "OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4577"
},
{
"id": "CVE-2011-4619",
"summary": "The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4619"
},
{
"id": "CVE-2011-5095",
"summary": "The Diffie-Hellman key-exchange implementation in OpenSSL 0.9.8, when FIPS mode is enabled, does not properly validate a public parameter, which makes it easier for man-in-the-middle attackers to obtain the shared secret key by modifying network traffic, a related issue to CVE-2011-1923.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-5095"
},
{
"id": "CVE-2012-0027",
"summary": "The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0027"
},
{
"id": "CVE-2012-0050",
"summary": "OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, which allows remote attackers to cause a denial of service (crash) via unspecified vectors related to an out-of-bounds read. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4108.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0050"
},
{
"id": "CVE-2012-0884",
"summary": "The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0884"
},
{
"id": "CVE-2012-1165",
"summary": "The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1165"
},
{
"id": "CVE-2012-2110",
"summary": "The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2110"
},
{
"id": "CVE-2012-2131",
"summary": "Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL 0.9.8v allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2110.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2131"
},
{
"id": "CVE-2012-2333",
"summary": "Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2333"
},
{
"id": "CVE-2012-2686",
"summary": "crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TLS 1.1 and 1.2 implementations in OpenSSL 1.0.1 before 1.0.1d allows remote attackers to cause a denial of service (application crash) via crafted CBC data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2686"
},
{
"id": "CVE-2013-0166",
"summary": "OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0166"
},
{
"id": "CVE-2013-0169",
"summary": "The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0169"
},
{
"id": "CVE-2013-4353",
"summary": "The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4353"
},
{
"id": "CVE-2013-6449",
"summary": "The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6449"
},
{
"id": "CVE-2013-6450",
"summary": "The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6450"
},
{
"id": "CVE-2014-0076",
"summary": "The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0076"
},
{
"id": "CVE-2014-0160",
"summary": "The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0160"
},
{
"id": "CVE-2014-0195",
"summary": "The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0195"
},
{
"id": "CVE-2014-0198",
"summary": "The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0198"
},
{
"id": "CVE-2014-0221",
"summary": "The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0221"
},
{
"id": "CVE-2014-0224",
"summary": "OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the \"CCS Injection\" vulnerability.",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0224"
},
{
"id": "CVE-2014-3470",
"summary": "The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3470"
},
{
"id": "CVE-2014-3505",
"summary": "Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3505"
},
{
"id": "CVE-2014-3506",
"summary": "d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3506"
},
{
"id": "CVE-2014-3507",
"summary": "Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3507"
},
{
"id": "CVE-2014-3508",
"summary": "The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3508"
},
{
"id": "CVE-2014-3509",
"summary": "Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3509"
},
{
"id": "CVE-2014-3510",
"summary": "The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote DTLS servers to cause a denial of service (NULL pointer dereference and client application crash) via a crafted handshake message in conjunction with a (1) anonymous DH or (2) anonymous ECDH ciphersuite.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3510"
},
{
"id": "CVE-2014-3511",
"summary": "The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a \"protocol downgrade\" issue.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3511"
},
{
"id": "CVE-2014-3512",
"summary": "Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP implementation in OpenSSL 1.0.1 before 1.0.1i allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid SRP (1) g, (2) A, or (3) B parameter.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3512"
},
{
"id": "CVE-2014-3513",
"summary": "Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3513"
},
{
"id": "CVE-2014-3566",
"summary": "The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the \"POODLE\" issue.",
"scorev2": "4.3",
"scorev3": "3.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3566"
},
{
"id": "CVE-2014-3567",
"summary": "Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3567"
},
{
"id": "CVE-2014-3568",
"summary": "OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3568"
},
{
"id": "CVE-2014-3569",
"summary": "The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3569"
},
{
"id": "CVE-2014-3570",
"summary": "The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3570"
},
{
"id": "CVE-2014-3571",
"summary": "OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3571"
},
{
"id": "CVE-2014-3572",
"summary": "The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3572"
},
{
"id": "CVE-2014-5139",
"summary": "The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i allows remote SSL servers to cause a denial of service (NULL pointer dereference and client application crash) via a ServerHello message that includes an SRP ciphersuite without the required negotiation of that ciphersuite with the client.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5139"
},
{
"id": "CVE-2014-8176",
"summary": "The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8176"
},
{
"id": "CVE-2014-8275",
"summary": "OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8275"
},
{
"id": "CVE-2015-0204",
"summary": "The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the \"FREAK\" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0204"
},
{
"id": "CVE-2015-0205",
"summary": "The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0205"
},
{
"id": "CVE-2015-0206",
"summary": "Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0206"
},
{
"id": "CVE-2015-0207",
"summary": "The dtls1_listen function in d1_lib.c in OpenSSL 1.0.2 before 1.0.2a does not properly isolate the state information of independent data streams, which allows remote attackers to cause a denial of service (application crash) via crafted DTLS traffic, as demonstrated by DTLS 1.0 traffic to a DTLS 1.2 server.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0207"
},
{
"id": "CVE-2015-0208",
"summary": "The ASN.1 signature-verification implementation in the rsa_item_verify function in crypto/rsa/rsa_ameth.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted RSA PSS parameters to an endpoint that uses the certificate-verification feature.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0208"
},
{
"id": "CVE-2015-0209",
"summary": "Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0209"
},
{
"id": "CVE-2015-0285",
"summary": "The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1.0.2a does not ensure that the PRNG is seeded before proceeding with a handshake, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and then conducting a brute-force attack.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0285"
},
{
"id": "CVE-2015-0286",
"summary": "The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0286"
},
{
"id": "CVE-2015-0287",
"summary": "The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0287"
},
{
"id": "CVE-2015-0288",
"summary": "The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid certificate key.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0288"
},
{
"id": "CVE-2015-0289",
"summary": "The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0289"
},
{
"id": "CVE-2015-0290",
"summary": "The multi-block feature in the ssl3_write_bytes function in s3_pkt.c in OpenSSL 1.0.2 before 1.0.2a on 64-bit x86 platforms with AES NI support does not properly handle certain non-blocking I/O cases, which allows remote attackers to cause a denial of service (pointer corruption and application crash) via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0290"
},
{
"id": "CVE-2015-0291",
"summary": "The sigalgs implementation in t1_lib.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by using an invalid signature_algorithms extension in the ClientHello message during a renegotiation.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0291"
},
{
"id": "CVE-2015-0292",
"summary": "Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0292"
},
{
"id": "CVE-2015-0293",
"summary": "The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0293"
},
{
"id": "CVE-2015-1787",
"summary": "The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0.2 before 1.0.2a, when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled, allows remote attackers to cause a denial of service (daemon crash) via a ClientKeyExchange message with a length of zero.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1787"
},
{
"id": "CVE-2015-1788",
"summary": "The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1788"
},
{
"id": "CVE-2015-1789",
"summary": "The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback.",
"scorev2": "4.3",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1789"
},
{
"id": "CVE-2015-1790",
"summary": "The PKCS7_dataDecodefunction in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1790"
},
{
"id": "CVE-2015-1791",
"summary": "Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1791"
},
{
"id": "CVE-2015-1792",
"summary": "The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1792"
},
{
"id": "CVE-2015-1793",
"summary": "The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.",
"scorev2": "6.4",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1793"
},
{
"id": "CVE-2015-1794",
"summary": "The ssl3_get_key_exchange function in ssl/s3_clnt.c in OpenSSL 1.0.2 before 1.0.2e allows remote servers to cause a denial of service (segmentation fault) via a zero p value in an anonymous Diffie-Hellman (DH) ServerKeyExchange message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1794"
},
{
"id": "CVE-2015-3193",
"summary": "The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3193"
},
{
"id": "CVE-2015-3194",
"summary": "crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3194"
},
{
"id": "CVE-2015-3195",
"summary": "The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3195"
},
{
"id": "CVE-2015-3196",
"summary": "ssl/s3_clnt.c in OpenSSL 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1p, and 1.0.2 before 1.0.2d, when used for a multi-threaded client, writes the PSK identity hint to an incorrect data structure, which allows remote servers to cause a denial of service (race condition and double free) via a crafted ServerKeyExchange message.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3196"
},
{
"id": "CVE-2015-3197",
"summary": "ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3197"
},
{
"id": "CVE-2015-3216",
"summary": "Race condition in a certain Red Hat patch to the PRNG lock implementation in the ssleay_rand_bytes function in OpenSSL, as distributed in openssl-1.0.1e-25.el7 in Red Hat Enterprise Linux (RHEL) 7 and other products, allows remote attackers to cause a denial of service (application crash) by establishing many TLS sessions to a multithreaded server, leading to use of a negative value for a certain length field.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3216"
},
{
"id": "CVE-2015-4000",
"summary": "The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the \"Logjam\" issue.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4000"
},
{
"id": "CVE-2016-0701",
"summary": "The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.",
"scorev2": "2.6",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0701"
},
{
"id": "CVE-2016-0702",
"summary": "The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a \"CacheBleed\" attack.",
"scorev2": "1.9",
"scorev3": "5.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0702"
},
{
"id": "CVE-2016-0703",
"summary": "The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0703"
},
{
"id": "CVE-2016-0704",
"summary": "An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0704"
},
{
"id": "CVE-2016-0705",
"summary": "Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0705"
},
{
"id": "CVE-2016-0797",
"summary": "Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0797"
},
{
"id": "CVE-2016-0798",
"summary": "Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto/srp/srp_vfy.c.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0798"
},
{
"id": "CVE-2016-0799",
"summary": "The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0799"
},
{
"id": "CVE-2016-0800",
"summary": "The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a \"DROWN\" attack.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0800"
},
{
"id": "CVE-2016-2105",
"summary": "Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2105"
},
{
"id": "CVE-2016-2106",
"summary": "Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2106"
},
{
"id": "CVE-2016-2107",
"summary": "The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.",
"scorev2": "2.6",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2107"
},
{
"id": "CVE-2016-2108",
"summary": "The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the \"negative zero\" issue.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2108"
},
{
"id": "CVE-2016-2109",
"summary": "The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2109"
},
{
"id": "CVE-2016-2176",
"summary": "The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.",
"scorev2": "6.4",
"scorev3": "8.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2176"
},
{
"id": "CVE-2016-2177",
"summary": "OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2177"
},
{
"id": "CVE-2016-2178",
"summary": "The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2178"
},
{
"id": "CVE-2016-2179",
"summary": "The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2179"
},
{
"id": "CVE-2016-2180",
"summary": "The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the \"openssl ts\" command.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2180"
},
{
"id": "CVE-2016-2181",
"summary": "The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2181"
},
{
"id": "CVE-2016-2182",
"summary": "The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2182"
},
{
"id": "CVE-2016-2183",
"summary": "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
},
{
"id": "CVE-2016-2842",
"summary": "The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2842"
},
{
"id": "CVE-2016-6302",
"summary": "The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6302"
},
{
"id": "CVE-2016-6303",
"summary": "Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6303"
},
{
"id": "CVE-2016-6304",
"summary": "Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6304"
},
{
"id": "CVE-2016-6305",
"summary": "The ssl3_read_bytes function in record/rec_layer_s3.c in OpenSSL 1.1.0 before 1.1.0a allows remote attackers to cause a denial of service (infinite loop) by triggering a zero-length record in an SSL_peek call.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6305"
},
{
"id": "CVE-2016-6306",
"summary": "The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6306"
},
{
"id": "CVE-2016-6307",
"summary": "The state-machine implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted TLS messages, related to statem/statem.c and statem/statem_lib.c.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6307"
},
{
"id": "CVE-2016-6308",
"summary": "statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted DTLS messages.",
"scorev2": "7.1",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6308"
},
{
"id": "CVE-2016-6309",
"summary": "statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6309"
},
{
"id": "CVE-2016-7052",
"summary": "crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7052"
},
{
"id": "CVE-2016-7053",
"summary": "In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures using a callback which do not handle NULL value are affected.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7053"
},
{
"id": "CVE-2016-7054",
"summary": "In OpenSSL 1.1.0 before 1.1.0c, TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7054"
},
{
"id": "CVE-2016-7055",
"summary": "There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected.",
"scorev2": "2.6",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7055"
},
{
"id": "CVE-2016-7056",
"summary": "A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7056"
},
{
"id": "CVE-2016-8610",
"summary": "A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8610"
},
{
"id": "CVE-2017-3730",
"summary": "In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3730"
},
{
"id": "CVE-2017-3731",
"summary": "If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3731"
},
{
"id": "CVE-2017-3732",
"summary": "There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3732"
},
{
"id": "CVE-2017-3733",
"summary": "During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3733"
},
{
"id": "CVE-2017-3735",
"summary": "While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3735"
},
{
"id": "CVE-2017-3736",
"summary": "There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3736"
},
{
"id": "CVE-2017-3737",
"summary": "OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an \"error state\" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3737"
},
{
"id": "CVE-2017-3738",
"summary": "There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3738"
},
{
"id": "CVE-2018-0732",
"summary": "During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0732"
},
{
"id": "CVE-2018-0733",
"summary": "Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0733"
},
{
"id": "CVE-2018-0734",
"summary": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0734"
},
{
"id": "CVE-2018-0735",
"summary": "The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0735"
},
{
"id": "CVE-2018-0737",
"summary": "The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0737"
},
{
"id": "CVE-2018-0739",
"summary": "Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0739"
},
{
"id": "CVE-2018-5407",
"summary": "Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5407"
},
{
"id": "CVE-2019-1543",
"summary": "ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1c (Affected 1.1.1-1.1.1b). Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j).",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1543"
},
{
"id": "CVE-2019-1547",
"summary": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1547"
},
{
"id": "CVE-2019-1549",
"summary": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1549"
},
{
"id": "CVE-2019-1551",
"summary": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1551"
},
{
"id": "CVE-2019-1552",
"summary": "OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"scorev2": "1.9",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1552"
},
{
"id": "CVE-2019-1559",
"summary": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1559"
},
{
"id": "CVE-2019-1563",
"summary": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1563"
},
{
"id": "CVE-2020-1967",
"summary": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1967"
},
{
"id": "CVE-2020-1968",
"summary": "The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1968"
},
{
"id": "CVE-2020-1971",
"summary": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971"
},
{
"id": "CVE-2021-23839",
"summary": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23839"
},
{
"id": "CVE-2021-23840",
"summary": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23840"
},
{
"id": "CVE-2021-23841",
"summary": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23841"
},
{
"id": "CVE-2021-3449",
"summary": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3449"
},
{
"id": "CVE-2021-3450",
"summary": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3450"
},
{
"id": "CVE-2021-3711",
"summary": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3711"
},
{
"id": "CVE-2021-3712",
"summary": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712"
},
{
"id": "CVE-2021-4044",
"summary": "Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4044"
},
{
"id": "CVE-2021-4160",
"summary": "There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4160"
},
{
"id": "CVE-2022-0778",
"summary": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0778"
},
{
"id": "CVE-2022-1292",
"summary": "The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1292"
},
{
"id": "CVE-2022-1343",
"summary": "The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL \"ocsp\" application. When verifying an ocsp response with the \"-no_cert_checks\" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).",
"scorev2": "4.3",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1343"
},
{
"id": "CVE-2022-1434",
"summary": "The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. Therefore, in such a case, only an OpenSSL 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client. If both endpoints are OpenSSL 3.0 then the attacker could modify data being sent in both directions. In this case both clients and servers could be affected, regardless of the application protocol. Note that in the absence of an attacker this bug means that an OpenSSL 3.0 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete the handshake when using this ciphersuite. The confidentiality of data is not impacted by this issue, i.e. an attacker cannot decrypt data that has been encrypted using this ciphersuite - they can only modify it. In order for this attack to work both endpoints must legitimately negotiate the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in OpenSSL 3.0, and is not available within the default provider or the default ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the following must have occurred: 1) OpenSSL must have been compiled with the (non-default) compile time option enable-weak-ssl-ciphers 2) OpenSSL must have had the legacy provider explicitly loaded (either through application code or via configuration) 3) The ciphersuite must have been explicitly added to the ciphersuite list 4) The libssl security level must have been set to 0 (default is 1) 5) A version of SSL/TLS below TLSv1.3 must have been negotiated 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any others that both endpoints have in common Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1434"
},
{
"id": "CVE-2022-1473",
"summary": "The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1473"
},
{
"id": "CVE-2022-2068",
"summary": "In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2068"
},
{
"id": "CVE-2022-2097",
"summary": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2097"
},
{
"id": "CVE-2022-2274",
"summary": "The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2274"
},
{
"id": "CVE-2022-3358",
"summary": "OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5).",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3358"
},
{
"id": "CVE-2022-3602",
"summary": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3602"
},
{
"id": "CVE-2022-3786",
"summary": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3786"
},
{
"id": "CVE-2022-3996",
"summary": "If an X.509 certificate contains a malformed policy constraint and\npolicy processing is enabled, then a write lock will be taken twice\nrecursively. On some operating systems (most widely: Windows) this\nresults in a denial of service when the affected process hangs. Policy\nprocessing being enabled on a publicly facing server is not considered\nto be a common setup.\n\nPolicy processing is enabled by passing the `-policy'\nargument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.\n\nUpdate (31 March 2023): The description of the policy processing enablement\nwas corrected based on CVE-2023-0466.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3996"
},
{
"id": "CVE-2022-4203",
"summary": "A read buffer overrun can be triggered in X.509 certificate verification,\nspecifically in name constraint checking. Note that this occurs\nafter certificate chain signature verification and requires either a\nCA to have signed the malicious certificate or for the application to\ncontinue certificate verification despite failure to construct a path\nto a trusted issuer.\n\nThe read buffer overrun might result in a crash which could lead to\na denial of service attack. In theory it could also result in the disclosure\nof private memory contents (such as private keys, or sensitive plaintext)\nalthough we are not aware of any working exploit leading to memory\ncontents disclosure as of the time of release of this advisory.\n\nIn a TLS client, this can be triggered by connecting to a malicious\nserver. In a TLS server, this can be triggered if the server requests\nclient authentication and a malicious client connects.\n\n",
"scorev2": "0.0",
"scorev3": "4.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4203"
},
{
"id": "CVE-2022-4304",
"summary": "A timing based side channel exists in the OpenSSL RSA Decryption implementation\nwhich could be sufficient to recover a plaintext across a network in a\nBleichenbacher style attack. To achieve a successful decryption an attacker\nwould have to be able to send a very large number of trial messages for\ndecryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,\nRSA-OEAP and RSASVE.\n\nFor example, in a TLS connection, RSA is commonly used by a client to send an\nencrypted pre-master secret to the server. An attacker that had observed a\ngenuine connection between a client and a server could use this flaw to send\ntrial messages to the server and record the time taken to process them. After a\nsufficiently large number of messages the attacker could recover the pre-master\nsecret used for the original connection and thus be able to decrypt the\napplication data sent over that connection.\n\n",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4304"
},
{
"id": "CVE-2022-4450",
"summary": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and\ndecodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data.\nIf the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are\npopulated with pointers to buffers containing the relevant decoded data. The\ncaller is responsible for freeing those buffers. It is possible to construct a\nPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()\nwill return a failure code but will populate the header argument with a pointer\nto a buffer that has already been freed. If the caller also frees this buffer\nthen a double free will occur. This will most likely lead to a crash. This\ncould be exploited by an attacker who has the ability to supply malicious PEM\nfiles for parsing to achieve a denial of service attack.\n\nThe functions PEM_read_bio() and PEM_read() are simple wrappers around\nPEM_read_bio_ex() and therefore these functions are also directly affected.\n\nThese functions are also called indirectly by a number of other OpenSSL\nfunctions including PEM_X509_INFO_read_bio_ex() and\nSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal\nuses of these functions are not vulnerable because the caller does not free the\nheader argument if PEM_read_bio_ex() returns a failure code. These locations\ninclude the PEM_read_bio_TYPE() functions as well as the decoders introduced in\nOpenSSL 3.0.\n\nThe OpenSSL asn1parse command line application is also impacted by this issue.\n\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4450"
},
{
"id": "CVE-2023-0215",
"summary": "The public API function BIO_new_NDEF is a helper function used for streaming\nASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the\nSMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by\nend user applications.\n\nThe function receives a BIO from the caller, prepends a new BIO_f_asn1 filter\nBIO onto the front of it to form a BIO chain, and then returns the new head of\nthe BIO chain to the caller. Under certain conditions, for example if a CMS\nrecipient public key is invalid, the new filter BIO is freed and the function\nreturns a NULL result indicating a failure. However, in this case, the BIO chain\nis not properly cleaned up and the BIO passed by the caller still retains\ninternal pointers to the previously freed filter BIO. If the caller then goes on\nto call BIO_pop() on the BIO then a use-after-free will occur. This will most\nlikely result in a crash.\n\n\n\nThis scenario occurs directly in the internal function B64_write_ASN1() which\nmay cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on\nthe BIO. This internal function is in turn called by the public API functions\nPEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,\nSMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.\n\nOther public API functions that may be impacted by this include\ni2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and\ni2d_PKCS7_bio_stream.\n\nThe OpenSSL cms and smime command line applications are similarly affected.\n\n\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0215"
},
{
"id": "CVE-2023-0216",
"summary": "An invalid pointer dereference on read can be triggered when an\napplication tries to load malformed PKCS7 data with the\nd2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.\n\nThe result of the dereference is an application crash which could\nlead to a denial of service attack. The TLS implementation in OpenSSL\ndoes not call this function however third party applications might\ncall these functions on untrusted data.\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0216"
},
{
"id": "CVE-2023-0217",
"summary": "An invalid pointer dereference on read can be triggered when an\napplication tries to check a malformed DSA public key by the\nEVP_PKEY_public_check() function. This will most likely lead\nto an application crash. This function can be called on public\nkeys supplied from untrusted sources which could allow an attacker\nto cause a denial of service attack.\n\nThe TLS implementation in OpenSSL does not call this function\nbut applications might call the function if there are additional\nsecurity requirements imposed by standards such as FIPS 140-3.\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0217"
},
{
"id": "CVE-2023-0286",
"summary": "There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.\n\n",
"scorev2": "0.0",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286"
},
{
"id": "CVE-2023-0401",
"summary": "A NULL pointer can be dereferenced when signatures are being\nverified on PKCS7 signed or signedAndEnveloped data. In case the hash\nalgorithm used for the signature is known to the OpenSSL library but\nthe implementation of the hash algorithm is not available the digest\ninitialization will fail. There is a missing check for the return\nvalue from the initialization function which later leads to invalid\nusage of the digest API most likely leading to a crash.\n\nThe unavailability of an algorithm can be caused by using FIPS\nenabled configuration of providers or more commonly by not loading\nthe legacy provider.\n\nPKCS7 data is processed by the SMIME library calls and also by the\ntime stamp (TS) library calls. The TLS implementation in OpenSSL does\nnot call these functions however third party applications would be\naffected if they call these functions to verify signatures on untrusted\ndata.\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0401"
},
{
"id": "CVE-2023-0464",
"summary": "A security vulnerability has been identified in all supported versions\n\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints. Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0464"
},
{
"id": "CVE-2023-0465",
"summary": "Applications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\n\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0465"
},
{
"id": "CVE-2023-0466",
"summary": "The function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0466"
},
{
"id": "CVE-2023-1255",
"summary": "Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\nplatform contains a bug that could cause it to read past the input buffer,\nleading to a crash.\n\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\nused for disk encryption.\n\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\nbuffer is unmapped, this will trigger a crash which results in a denial of\nservice.\n\nIf an attacker can control the size and location of the ciphertext buffer\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\napplication is affected. This is fairly unlikely making this issue\na Low severity one.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1255"
},
{
"id": "CVE-2023-2650",
"summary": "Issue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit. OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime. The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced. This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL. If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS. It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain. Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates. This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2650"
},
{
"id": "CVE-2023-2975",
"summary": "Issue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be mislead by removing\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2975"
},
{
"id": "CVE-2023-3446",
"summary": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3446"
},
{
"id": "CVE-2023-3817",
"summary": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817"
},
{
"id": "CVE-2023-4807",
"summary": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications on the\nWindows 64 platform when running on newer X86_64 processors supporting the\nAVX512-IFMA instructions.\n\nImpact summary: If in an application that uses the OpenSSL library an attacker\ncan influence whether the POLY1305 MAC algorithm is used, the application\nstate might be corrupted with various application dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\nnot save the contents of non-volatile XMM registers on Windows 64 platform\nwhen calculating the MAC of data larger than 64 bytes. Before returning to\nthe caller all the XMM registers are set to zero rather than restoring their\nprevious content. The vulnerable code is used only on newer x86_64 processors\nsupporting the AVX512-IFMA instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However given the contents of the registers are just zeroized so\nthe attacker cannot put arbitrary values inside, the most likely consequence,\nif any, would be an incorrect result of some application dependent\ncalculations or a crash leading to a denial of service.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\ncipher is used by the server. This implies that server applications using\nOpenSSL can be potentially impacted. However we are currently not aware of\nany concrete application that would be affected by this issue therefore we\nconsider this a Low severity security issue.\n\nAs a workaround the AVX512-IFMA instructions support can be disabled at\nruntime by setting the environment variable OPENSSL_ia32cap:\n\n OPENSSL_ia32cap=:~0x200000\n\nThe FIPS provider is not affected by this issue.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4807"
},
{
"id": "CVE-2023-5363",
"summary": "Issue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the \"keylen\" parameter or the IV length, via the \"ivlen\" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5363"
},
{
"id": "CVE-2023-5678",
"summary": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678"
},
{
"id": "CVE-2023-6129",
"summary": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129"
},
{
"id": "CVE-2024-0727",
"summary": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727"
},
{
"id": "CVE-2024-2511",
"summary": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511"
},
{
"id": "CVE-2024-4603",
"summary": "Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4603"
}
]
},
{
"name": "openssl-native",
"layer": "meta",
"version": "3.2.1",
"products": [
{
"product": "openssl",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-0428",
"summary": "OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0428"
},
{
"id": "CVE-2000-0535",
"summary": "OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly check for the existence of the /dev/random or /dev/urandom devices, which are absent on FreeBSD Alpha systems, which causes them to produce weak keys which may be more easily broken.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0535"
},
{
"id": "CVE-2000-1254",
"summary": "crypto/rsa/rsa_gen.c in OpenSSL before 0.9.6 mishandles C bitwise-shift operations that exceed the size of an expression, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging improper RSA key generation on 64-bit HP-UX platforms.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-1254"
},
{
"id": "CVE-2001-1141",
"summary": "The Pseudo-Random Number Generator (PRNG) in SSLeay and OpenSSL before 0.9.6b allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1141"
},
{
"id": "CVE-2002-0655",
"summary": "OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, does not properly handle ASCII representations of integers on 64 bit platforms, which could allow attackers to cause a denial of service and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0655"
},
{
"id": "CVE-2002-0656",
"summary": "Buffer overflows in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allow remote attackers to execute arbitrary code via (1) a large client master key in SSL2 or (2) a large session ID in SSL3.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0656"
},
{
"id": "CVE-2002-0657",
"summary": "Buffer overflow in OpenSSL 0.9.7 before 0.9.7-beta3, with Kerberos enabled, allows attackers to execute arbitrary code via a long master key.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0657"
},
{
"id": "CVE-2002-0659",
"summary": "The ASN1 library in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allows remote attackers to cause a denial of service via invalid encodings.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0659"
},
{
"id": "CVE-2002-1568",
"summary": "OpenSSL 0.9.6e uses assertions when detecting buffer overflow attacks instead of less severe mechanisms, which allows remote attackers to cause a denial of service (crash) via certain messages that cause OpenSSL to abort from a failed assertion, as demonstrated using SSLv2 CLIENT_MASTER_KEY messages, which are not properly handled in s2_srvr.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1568"
},
{
"id": "CVE-2003-0078",
"summary": "ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the \"Vaudenay timing attack.\"",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0078"
},
{
"id": "CVE-2003-0131",
"summary": "The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the \"Klima-Pokorny-Rosa attack.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0131"
},
{
"id": "CVE-2003-0147",
"summary": "OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms (\"Karatsuba\" and normal).",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0147"
},
{
"id": "CVE-2003-0543",
"summary": "Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0543"
},
{
"id": "CVE-2003-0544",
"summary": "OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0544"
},
{
"id": "CVE-2003-0545",
"summary": "Double free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0545"
},
{
"id": "CVE-2003-0851",
"summary": "OpenSSL 0.9.6k allows remote attackers to cause a denial of service (crash via large recursion) via malformed ASN.1 sequences.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0851"
},
{
"id": "CVE-2004-0079",
"summary": "The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0079"
},
{
"id": "CVE-2004-0081",
"summary": "OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0081"
},
{
"id": "CVE-2004-0975",
"summary": "The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0975"
},
{
"id": "CVE-2005-1797",
"summary": "The design of Advanced Encryption Standard (AES), aka Rijndael, allows remote attackers to recover AES keys via timing attacks on S-box lookups, which are difficult to perform in constant time in AES implementations.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1797"
},
{
"id": "CVE-2005-2946",
"summary": "The default configuration on OpenSSL before 0.9.8 uses MD5 for creating message digests instead of a more cryptographically strong algorithm, which makes it easier for remote attackers to forge certificates with a valid certificate authority signature.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2946"
},
{
"id": "CVE-2005-2969",
"summary": "The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preventing protocol version rollback attacks, which allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2969"
},
{
"id": "CVE-2006-2937",
"summary": "OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2937"
},
{
"id": "CVE-2006-2940",
"summary": "OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) \"public exponent\" or (2) \"public modulus\" values in X.509 certificates that require extra time to process when using RSA signature verification.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2940"
},
{
"id": "CVE-2006-3738",
"summary": "Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list of ciphers.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3738"
},
{
"id": "CVE-2006-4339",
"summary": "OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4339"
},
{
"id": "CVE-2006-4343",
"summary": "The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4343"
},
{
"id": "CVE-2006-7250",
"summary": "The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7250"
},
{
"id": "CVE-2007-3108",
"summary": "The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3108"
},
{
"id": "CVE-2007-4995",
"summary": "Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f allows remote attackers to execute arbitrary code via unspecified vectors.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4995"
},
{
"id": "CVE-2007-5135",
"summary": "Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5135"
},
{
"id": "CVE-2008-0166",
"summary": "OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0166"
},
{
"id": "CVE-2008-0891",
"summary": "Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS server name extensions are enabled, allows remote attackers to cause a denial of service (crash) via a malformed Client Hello packet. NOTE: some of these details are obtained from third party information.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0891"
},
{
"id": "CVE-2008-1672",
"summary": "OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server Key Exchange message and uses \"particular cipher suites,\" which triggers a NULL pointer dereference.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1672"
},
{
"id": "CVE-2008-1678",
"summary": "Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1678"
},
{
"id": "CVE-2008-5077",
"summary": "OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5077"
},
{
"id": "CVE-2008-7270",
"summary": "OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-7270"
},
{
"id": "CVE-2009-0590",
"summary": "The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0590"
},
{
"id": "CVE-2009-0591",
"summary": "The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0591"
},
{
"id": "CVE-2009-0653",
"summary": "OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an intermediate CA-signed certificate, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack, a related issue to CVE-2002-0970.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0653"
},
{
"id": "CVE-2009-0789",
"summary": "OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0789"
},
{
"id": "CVE-2009-1377",
"summary": "The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of \"future epoch\" DTLS records that are buffered in a queue, aka \"DTLS record buffer limitation bug.\"",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1377"
},
{
"id": "CVE-2009-1378",
"summary": "Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka \"DTLS fragment handling memory leak.\"",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1378"
},
{
"id": "CVE-2009-1379",
"summary": "Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1379"
},
{
"id": "CVE-2009-1386",
"summary": "ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1386"
},
{
"id": "CVE-2009-1387",
"summary": "The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a \"fragment bug.\"",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1387"
},
{
"id": "CVE-2009-2409",
"summary": "The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2409"
},
{
"id": "CVE-2009-3245",
"summary": "OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3245"
},
{
"id": "CVE-2009-3555",
"summary": "The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a \"plaintext injection\" attack, aka the \"Project Mogul\" issue.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3555"
},
{
"id": "CVE-2009-4355",
"summary": "Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4355"
},
{
"id": "CVE-2010-0433",
"summary": "The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0433"
},
{
"id": "CVE-2010-0740",
"summary": "The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through 0.9.8m allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection that triggers a NULL pointer dereference, related to the minor version number. NOTE: some of these details are obtained from third party information.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0740"
},
{
"id": "CVE-2010-0742",
"summary": "The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0742"
},
{
"id": "CVE-2010-0928",
"summary": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0928"
},
{
"id": "CVE-2010-1633",
"summary": "RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors. NOTE: some of these details are obtained from third party information.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1633"
},
{
"id": "CVE-2010-2939",
"summary": "Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, when using ECDH, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted private key with an invalid prime. NOTE: some sources refer to this as a use-after-free issue.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2939"
},
{
"id": "CVE-2010-3864",
"summary": "Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3864"
},
{
"id": "CVE-2010-4180",
"summary": "OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4180"
},
{
"id": "CVE-2010-4252",
"summary": "OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4252"
},
{
"id": "CVE-2010-5298",
"summary": "Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5298"
},
{
"id": "CVE-2011-0014",
"summary": "ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka \"OCSP stapling vulnerability.\"",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0014"
},
{
"id": "CVE-2011-1473",
"summary": "OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1473"
},
{
"id": "CVE-2011-1945",
"summary": "The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1945"
},
{
"id": "CVE-2011-3207",
"summary": "crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3207"
},
{
"id": "CVE-2011-3210",
"summary": "The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages from clients, which allows remote attackers to cause a denial of service (daemon crash) via out-of-order messages that violate the TLS protocol.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3210"
},
{
"id": "CVE-2011-4108",
"summary": "The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4108"
},
{
"id": "CVE-2011-4109",
"summary": "Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4109"
},
{
"id": "CVE-2011-4354",
"summary": "crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances involving ECDH or ECDHE cipher suites, uses an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves, which allows remote attackers to obtain the private key of a TLS server via multiple handshake attempts.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4354"
},
{
"id": "CVE-2011-4576",
"summary": "The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4576"
},
{
"id": "CVE-2011-4577",
"summary": "OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4577"
},
{
"id": "CVE-2011-4619",
"summary": "The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4619"
},
{
"id": "CVE-2011-5095",
"summary": "The Diffie-Hellman key-exchange implementation in OpenSSL 0.9.8, when FIPS mode is enabled, does not properly validate a public parameter, which makes it easier for man-in-the-middle attackers to obtain the shared secret key by modifying network traffic, a related issue to CVE-2011-1923.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-5095"
},
{
"id": "CVE-2012-0027",
"summary": "The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0027"
},
{
"id": "CVE-2012-0050",
"summary": "OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, which allows remote attackers to cause a denial of service (crash) via unspecified vectors related to an out-of-bounds read. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4108.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0050"
},
{
"id": "CVE-2012-0884",
"summary": "The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0884"
},
{
"id": "CVE-2012-1165",
"summary": "The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1165"
},
{
"id": "CVE-2012-2110",
"summary": "The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2110"
},
{
"id": "CVE-2012-2131",
"summary": "Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL 0.9.8v allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2110.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2131"
},
{
"id": "CVE-2012-2333",
"summary": "Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2333"
},
{
"id": "CVE-2012-2686",
"summary": "crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TLS 1.1 and 1.2 implementations in OpenSSL 1.0.1 before 1.0.1d allows remote attackers to cause a denial of service (application crash) via crafted CBC data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2686"
},
{
"id": "CVE-2013-0166",
"summary": "OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0166"
},
{
"id": "CVE-2013-0169",
"summary": "The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0169"
},
{
"id": "CVE-2013-4353",
"summary": "The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4353"
},
{
"id": "CVE-2013-6449",
"summary": "The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6449"
},
{
"id": "CVE-2013-6450",
"summary": "The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6450"
},
{
"id": "CVE-2014-0076",
"summary": "The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0076"
},
{
"id": "CVE-2014-0160",
"summary": "The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0160"
},
{
"id": "CVE-2014-0195",
"summary": "The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0195"
},
{
"id": "CVE-2014-0198",
"summary": "The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0198"
},
{
"id": "CVE-2014-0221",
"summary": "The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0221"
},
{
"id": "CVE-2014-0224",
"summary": "OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the \"CCS Injection\" vulnerability.",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0224"
},
{
"id": "CVE-2014-3470",
"summary": "The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3470"
},
{
"id": "CVE-2014-3505",
"summary": "Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3505"
},
{
"id": "CVE-2014-3506",
"summary": "d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3506"
},
{
"id": "CVE-2014-3507",
"summary": "Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3507"
},
{
"id": "CVE-2014-3508",
"summary": "The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3508"
},
{
"id": "CVE-2014-3509",
"summary": "Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3509"
},
{
"id": "CVE-2014-3510",
"summary": "The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote DTLS servers to cause a denial of service (NULL pointer dereference and client application crash) via a crafted handshake message in conjunction with a (1) anonymous DH or (2) anonymous ECDH ciphersuite.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3510"
},
{
"id": "CVE-2014-3511",
"summary": "The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a \"protocol downgrade\" issue.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3511"
},
{
"id": "CVE-2014-3512",
"summary": "Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP implementation in OpenSSL 1.0.1 before 1.0.1i allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid SRP (1) g, (2) A, or (3) B parameter.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3512"
},
{
"id": "CVE-2014-3513",
"summary": "Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3513"
},
{
"id": "CVE-2014-3566",
"summary": "The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the \"POODLE\" issue.",
"scorev2": "4.3",
"scorev3": "3.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3566"
},
{
"id": "CVE-2014-3567",
"summary": "Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3567"
},
{
"id": "CVE-2014-3568",
"summary": "OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3568"
},
{
"id": "CVE-2014-3569",
"summary": "The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3569"
},
{
"id": "CVE-2014-3570",
"summary": "The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3570"
},
{
"id": "CVE-2014-3571",
"summary": "OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3571"
},
{
"id": "CVE-2014-3572",
"summary": "The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3572"
},
{
"id": "CVE-2014-5139",
"summary": "The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i allows remote SSL servers to cause a denial of service (NULL pointer dereference and client application crash) via a ServerHello message that includes an SRP ciphersuite without the required negotiation of that ciphersuite with the client.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5139"
},
{
"id": "CVE-2014-8176",
"summary": "The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8176"
},
{
"id": "CVE-2014-8275",
"summary": "OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8275"
},
{
"id": "CVE-2015-0204",
"summary": "The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the \"FREAK\" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0204"
},
{
"id": "CVE-2015-0205",
"summary": "The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0205"
},
{
"id": "CVE-2015-0206",
"summary": "Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0206"
},
{
"id": "CVE-2015-0207",
"summary": "The dtls1_listen function in d1_lib.c in OpenSSL 1.0.2 before 1.0.2a does not properly isolate the state information of independent data streams, which allows remote attackers to cause a denial of service (application crash) via crafted DTLS traffic, as demonstrated by DTLS 1.0 traffic to a DTLS 1.2 server.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0207"
},
{
"id": "CVE-2015-0208",
"summary": "The ASN.1 signature-verification implementation in the rsa_item_verify function in crypto/rsa/rsa_ameth.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted RSA PSS parameters to an endpoint that uses the certificate-verification feature.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0208"
},
{
"id": "CVE-2015-0209",
"summary": "Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0209"
},
{
"id": "CVE-2015-0285",
"summary": "The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1.0.2a does not ensure that the PRNG is seeded before proceeding with a handshake, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and then conducting a brute-force attack.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0285"
},
{
"id": "CVE-2015-0286",
"summary": "The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0286"
},
{
"id": "CVE-2015-0287",
"summary": "The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0287"
},
{
"id": "CVE-2015-0288",
"summary": "The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid certificate key.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0288"
},
{
"id": "CVE-2015-0289",
"summary": "The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0289"
},
{
"id": "CVE-2015-0290",
"summary": "The multi-block feature in the ssl3_write_bytes function in s3_pkt.c in OpenSSL 1.0.2 before 1.0.2a on 64-bit x86 platforms with AES NI support does not properly handle certain non-blocking I/O cases, which allows remote attackers to cause a denial of service (pointer corruption and application crash) via unspecified vectors.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0290"
},
{
"id": "CVE-2015-0291",
"summary": "The sigalgs implementation in t1_lib.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by using an invalid signature_algorithms extension in the ClientHello message during a renegotiation.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0291"
},
{
"id": "CVE-2015-0292",
"summary": "Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0292"
},
{
"id": "CVE-2015-0293",
"summary": "The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0293"
},
{
"id": "CVE-2015-1787",
"summary": "The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0.2 before 1.0.2a, when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled, allows remote attackers to cause a denial of service (daemon crash) via a ClientKeyExchange message with a length of zero.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1787"
},
{
"id": "CVE-2015-1788",
"summary": "The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1788"
},
{
"id": "CVE-2015-1789",
"summary": "The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback.",
"scorev2": "4.3",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1789"
},
{
"id": "CVE-2015-1790",
"summary": "The PKCS7_dataDecodefunction in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1790"
},
{
"id": "CVE-2015-1791",
"summary": "Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1791"
},
{
"id": "CVE-2015-1792",
"summary": "The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1792"
},
{
"id": "CVE-2015-1793",
"summary": "The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.",
"scorev2": "6.4",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1793"
},
{
"id": "CVE-2015-1794",
"summary": "The ssl3_get_key_exchange function in ssl/s3_clnt.c in OpenSSL 1.0.2 before 1.0.2e allows remote servers to cause a denial of service (segmentation fault) via a zero p value in an anonymous Diffie-Hellman (DH) ServerKeyExchange message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1794"
},
{
"id": "CVE-2015-3193",
"summary": "The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3193"
},
{
"id": "CVE-2015-3194",
"summary": "crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3194"
},
{
"id": "CVE-2015-3195",
"summary": "The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3195"
},
{
"id": "CVE-2015-3196",
"summary": "ssl/s3_clnt.c in OpenSSL 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1p, and 1.0.2 before 1.0.2d, when used for a multi-threaded client, writes the PSK identity hint to an incorrect data structure, which allows remote servers to cause a denial of service (race condition and double free) via a crafted ServerKeyExchange message.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3196"
},
{
"id": "CVE-2015-3197",
"summary": "ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3197"
},
{
"id": "CVE-2015-3216",
"summary": "Race condition in a certain Red Hat patch to the PRNG lock implementation in the ssleay_rand_bytes function in OpenSSL, as distributed in openssl-1.0.1e-25.el7 in Red Hat Enterprise Linux (RHEL) 7 and other products, allows remote attackers to cause a denial of service (application crash) by establishing many TLS sessions to a multithreaded server, leading to use of a negative value for a certain length field.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3216"
},
{
"id": "CVE-2015-4000",
"summary": "The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the \"Logjam\" issue.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4000"
},
{
"id": "CVE-2016-0701",
"summary": "The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.",
"scorev2": "2.6",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0701"
},
{
"id": "CVE-2016-0702",
"summary": "The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a \"CacheBleed\" attack.",
"scorev2": "1.9",
"scorev3": "5.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0702"
},
{
"id": "CVE-2016-0703",
"summary": "The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0703"
},
{
"id": "CVE-2016-0704",
"summary": "An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0704"
},
{
"id": "CVE-2016-0705",
"summary": "Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0705"
},
{
"id": "CVE-2016-0797",
"summary": "Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0797"
},
{
"id": "CVE-2016-0798",
"summary": "Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto/srp/srp_vfy.c.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0798"
},
{
"id": "CVE-2016-0799",
"summary": "The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0799"
},
{
"id": "CVE-2016-0800",
"summary": "The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a \"DROWN\" attack.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0800"
},
{
"id": "CVE-2016-2105",
"summary": "Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2105"
},
{
"id": "CVE-2016-2106",
"summary": "Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2106"
},
{
"id": "CVE-2016-2107",
"summary": "The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.",
"scorev2": "2.6",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2107"
},
{
"id": "CVE-2016-2108",
"summary": "The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the \"negative zero\" issue.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2108"
},
{
"id": "CVE-2016-2109",
"summary": "The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2109"
},
{
"id": "CVE-2016-2176",
"summary": "The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.",
"scorev2": "6.4",
"scorev3": "8.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2176"
},
{
"id": "CVE-2016-2177",
"summary": "OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2177"
},
{
"id": "CVE-2016-2178",
"summary": "The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2178"
},
{
"id": "CVE-2016-2179",
"summary": "The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2179"
},
{
"id": "CVE-2016-2180",
"summary": "The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the \"openssl ts\" command.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2180"
},
{
"id": "CVE-2016-2181",
"summary": "The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2181"
},
{
"id": "CVE-2016-2182",
"summary": "The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2182"
},
{
"id": "CVE-2016-2183",
"summary": "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
},
{
"id": "CVE-2016-2842",
"summary": "The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2842"
},
{
"id": "CVE-2016-6302",
"summary": "The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6302"
},
{
"id": "CVE-2016-6303",
"summary": "Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6303"
},
{
"id": "CVE-2016-6304",
"summary": "Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6304"
},
{
"id": "CVE-2016-6305",
"summary": "The ssl3_read_bytes function in record/rec_layer_s3.c in OpenSSL 1.1.0 before 1.1.0a allows remote attackers to cause a denial of service (infinite loop) by triggering a zero-length record in an SSL_peek call.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6305"
},
{
"id": "CVE-2016-6306",
"summary": "The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6306"
},
{
"id": "CVE-2016-6307",
"summary": "The state-machine implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted TLS messages, related to statem/statem.c and statem/statem_lib.c.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6307"
},
{
"id": "CVE-2016-6308",
"summary": "statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted DTLS messages.",
"scorev2": "7.1",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6308"
},
{
"id": "CVE-2016-6309",
"summary": "statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6309"
},
{
"id": "CVE-2016-7052",
"summary": "crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7052"
},
{
"id": "CVE-2016-7053",
"summary": "In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures using a callback which do not handle NULL value are affected.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7053"
},
{
"id": "CVE-2016-7054",
"summary": "In OpenSSL 1.1.0 before 1.1.0c, TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7054"
},
{
"id": "CVE-2016-7055",
"summary": "There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected.",
"scorev2": "2.6",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7055"
},
{
"id": "CVE-2016-7056",
"summary": "A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7056"
},
{
"id": "CVE-2016-8610",
"summary": "A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8610"
},
{
"id": "CVE-2017-3730",
"summary": "In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3730"
},
{
"id": "CVE-2017-3731",
"summary": "If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3731"
},
{
"id": "CVE-2017-3732",
"summary": "There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3732"
},
{
"id": "CVE-2017-3733",
"summary": "During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3733"
},
{
"id": "CVE-2017-3735",
"summary": "While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3735"
},
{
"id": "CVE-2017-3736",
"summary": "There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3736"
},
{
"id": "CVE-2017-3737",
"summary": "OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an \"error state\" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3737"
},
{
"id": "CVE-2017-3738",
"summary": "There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-3738"
},
{
"id": "CVE-2018-0732",
"summary": "During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0732"
},
{
"id": "CVE-2018-0733",
"summary": "Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0733"
},
{
"id": "CVE-2018-0734",
"summary": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0734"
},
{
"id": "CVE-2018-0735",
"summary": "The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0735"
},
{
"id": "CVE-2018-0737",
"summary": "The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0737"
},
{
"id": "CVE-2018-0739",
"summary": "Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-0739"
},
{
"id": "CVE-2018-5407",
"summary": "Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5407"
},
{
"id": "CVE-2019-1543",
"summary": "ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1c (Affected 1.1.1-1.1.1b). Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j).",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1543"
},
{
"id": "CVE-2019-1547",
"summary": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1547"
},
{
"id": "CVE-2019-1549",
"summary": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1549"
},
{
"id": "CVE-2019-1551",
"summary": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1551"
},
{
"id": "CVE-2019-1552",
"summary": "OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"scorev2": "1.9",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1552"
},
{
"id": "CVE-2019-1559",
"summary": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1559"
},
{
"id": "CVE-2019-1563",
"summary": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1563"
},
{
"id": "CVE-2020-1967",
"summary": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1967"
},
{
"id": "CVE-2020-1968",
"summary": "The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1968"
},
{
"id": "CVE-2020-1971",
"summary": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971"
},
{
"id": "CVE-2021-23839",
"summary": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23839"
},
{
"id": "CVE-2021-23840",
"summary": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23840"
},
{
"id": "CVE-2021-23841",
"summary": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23841"
},
{
"id": "CVE-2021-3449",
"summary": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3449"
},
{
"id": "CVE-2021-3450",
"summary": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3450"
},
{
"id": "CVE-2021-3711",
"summary": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3711"
},
{
"id": "CVE-2021-3712",
"summary": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712"
},
{
"id": "CVE-2021-4044",
"summary": "Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4044"
},
{
"id": "CVE-2021-4160",
"summary": "There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4160"
},
{
"id": "CVE-2022-0778",
"summary": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0778"
},
{
"id": "CVE-2022-1292",
"summary": "The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1292"
},
{
"id": "CVE-2022-1343",
"summary": "The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL \"ocsp\" application. When verifying an ocsp response with the \"-no_cert_checks\" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).",
"scorev2": "4.3",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1343"
},
{
"id": "CVE-2022-1434",
"summary": "The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. Therefore, in such a case, only an OpenSSL 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client. If both endpoints are OpenSSL 3.0 then the attacker could modify data being sent in both directions. In this case both clients and servers could be affected, regardless of the application protocol. Note that in the absence of an attacker this bug means that an OpenSSL 3.0 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete the handshake when using this ciphersuite. The confidentiality of data is not impacted by this issue, i.e. an attacker cannot decrypt data that has been encrypted using this ciphersuite - they can only modify it. In order for this attack to work both endpoints must legitimately negotiate the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in OpenSSL 3.0, and is not available within the default provider or the default ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the following must have occurred: 1) OpenSSL must have been compiled with the (non-default) compile time option enable-weak-ssl-ciphers 2) OpenSSL must have had the legacy provider explicitly loaded (either through application code or via configuration) 3) The ciphersuite must have been explicitly added to the ciphersuite list 4) The libssl security level must have been set to 0 (default is 1) 5) A version of SSL/TLS below TLSv1.3 must have been negotiated 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any others that both endpoints have in common Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1434"
},
{
"id": "CVE-2022-1473",
"summary": "The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1473"
},
{
"id": "CVE-2022-2068",
"summary": "In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2068"
},
{
"id": "CVE-2022-2097",
"summary": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2097"
},
{
"id": "CVE-2022-2274",
"summary": "The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2274"
},
{
"id": "CVE-2022-3358",
"summary": "OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5).",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3358"
},
{
"id": "CVE-2022-3602",
"summary": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3602"
},
{
"id": "CVE-2022-3786",
"summary": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3786"
},
{
"id": "CVE-2022-3996",
"summary": "If an X.509 certificate contains a malformed policy constraint and\npolicy processing is enabled, then a write lock will be taken twice\nrecursively. On some operating systems (most widely: Windows) this\nresults in a denial of service when the affected process hangs. Policy\nprocessing being enabled on a publicly facing server is not considered\nto be a common setup.\n\nPolicy processing is enabled by passing the `-policy'\nargument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.\n\nUpdate (31 March 2023): The description of the policy processing enablement\nwas corrected based on CVE-2023-0466.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3996"
},
{
"id": "CVE-2022-4203",
"summary": "A read buffer overrun can be triggered in X.509 certificate verification,\nspecifically in name constraint checking. Note that this occurs\nafter certificate chain signature verification and requires either a\nCA to have signed the malicious certificate or for the application to\ncontinue certificate verification despite failure to construct a path\nto a trusted issuer.\n\nThe read buffer overrun might result in a crash which could lead to\na denial of service attack. In theory it could also result in the disclosure\nof private memory contents (such as private keys, or sensitive plaintext)\nalthough we are not aware of any working exploit leading to memory\ncontents disclosure as of the time of release of this advisory.\n\nIn a TLS client, this can be triggered by connecting to a malicious\nserver. In a TLS server, this can be triggered if the server requests\nclient authentication and a malicious client connects.\n\n",
"scorev2": "0.0",
"scorev3": "4.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4203"
},
{
"id": "CVE-2022-4304",
"summary": "A timing based side channel exists in the OpenSSL RSA Decryption implementation\nwhich could be sufficient to recover a plaintext across a network in a\nBleichenbacher style attack. To achieve a successful decryption an attacker\nwould have to be able to send a very large number of trial messages for\ndecryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,\nRSA-OEAP and RSASVE.\n\nFor example, in a TLS connection, RSA is commonly used by a client to send an\nencrypted pre-master secret to the server. An attacker that had observed a\ngenuine connection between a client and a server could use this flaw to send\ntrial messages to the server and record the time taken to process them. After a\nsufficiently large number of messages the attacker could recover the pre-master\nsecret used for the original connection and thus be able to decrypt the\napplication data sent over that connection.\n\n",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4304"
},
{
"id": "CVE-2022-4450",
"summary": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and\ndecodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data.\nIf the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are\npopulated with pointers to buffers containing the relevant decoded data. The\ncaller is responsible for freeing those buffers. It is possible to construct a\nPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()\nwill return a failure code but will populate the header argument with a pointer\nto a buffer that has already been freed. If the caller also frees this buffer\nthen a double free will occur. This will most likely lead to a crash. This\ncould be exploited by an attacker who has the ability to supply malicious PEM\nfiles for parsing to achieve a denial of service attack.\n\nThe functions PEM_read_bio() and PEM_read() are simple wrappers around\nPEM_read_bio_ex() and therefore these functions are also directly affected.\n\nThese functions are also called indirectly by a number of other OpenSSL\nfunctions including PEM_X509_INFO_read_bio_ex() and\nSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal\nuses of these functions are not vulnerable because the caller does not free the\nheader argument if PEM_read_bio_ex() returns a failure code. These locations\ninclude the PEM_read_bio_TYPE() functions as well as the decoders introduced in\nOpenSSL 3.0.\n\nThe OpenSSL asn1parse command line application is also impacted by this issue.\n\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4450"
},
{
"id": "CVE-2023-0215",
"summary": "The public API function BIO_new_NDEF is a helper function used for streaming\nASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the\nSMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by\nend user applications.\n\nThe function receives a BIO from the caller, prepends a new BIO_f_asn1 filter\nBIO onto the front of it to form a BIO chain, and then returns the new head of\nthe BIO chain to the caller. Under certain conditions, for example if a CMS\nrecipient public key is invalid, the new filter BIO is freed and the function\nreturns a NULL result indicating a failure. However, in this case, the BIO chain\nis not properly cleaned up and the BIO passed by the caller still retains\ninternal pointers to the previously freed filter BIO. If the caller then goes on\nto call BIO_pop() on the BIO then a use-after-free will occur. This will most\nlikely result in a crash.\n\n\n\nThis scenario occurs directly in the internal function B64_write_ASN1() which\nmay cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on\nthe BIO. This internal function is in turn called by the public API functions\nPEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,\nSMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.\n\nOther public API functions that may be impacted by this include\ni2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and\ni2d_PKCS7_bio_stream.\n\nThe OpenSSL cms and smime command line applications are similarly affected.\n\n\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0215"
},
{
"id": "CVE-2023-0216",
"summary": "An invalid pointer dereference on read can be triggered when an\napplication tries to load malformed PKCS7 data with the\nd2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.\n\nThe result of the dereference is an application crash which could\nlead to a denial of service attack. The TLS implementation in OpenSSL\ndoes not call this function however third party applications might\ncall these functions on untrusted data.\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0216"
},
{
"id": "CVE-2023-0217",
"summary": "An invalid pointer dereference on read can be triggered when an\napplication tries to check a malformed DSA public key by the\nEVP_PKEY_public_check() function. This will most likely lead\nto an application crash. This function can be called on public\nkeys supplied from untrusted sources which could allow an attacker\nto cause a denial of service attack.\n\nThe TLS implementation in OpenSSL does not call this function\nbut applications might call the function if there are additional\nsecurity requirements imposed by standards such as FIPS 140-3.\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0217"
},
{
"id": "CVE-2023-0286",
"summary": "There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.\n\n",
"scorev2": "0.0",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286"
},
{
"id": "CVE-2023-0401",
"summary": "A NULL pointer can be dereferenced when signatures are being\nverified on PKCS7 signed or signedAndEnveloped data. In case the hash\nalgorithm used for the signature is known to the OpenSSL library but\nthe implementation of the hash algorithm is not available the digest\ninitialization will fail. There is a missing check for the return\nvalue from the initialization function which later leads to invalid\nusage of the digest API most likely leading to a crash.\n\nThe unavailability of an algorithm can be caused by using FIPS\nenabled configuration of providers or more commonly by not loading\nthe legacy provider.\n\nPKCS7 data is processed by the SMIME library calls and also by the\ntime stamp (TS) library calls. The TLS implementation in OpenSSL does\nnot call these functions however third party applications would be\naffected if they call these functions to verify signatures on untrusted\ndata.\n\n",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0401"
},
{
"id": "CVE-2023-0464",
"summary": "A security vulnerability has been identified in all supported versions\n\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints. Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0464"
},
{
"id": "CVE-2023-0465",
"summary": "Applications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\n\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0465"
},
{
"id": "CVE-2023-0466",
"summary": "The function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0466"
},
{
"id": "CVE-2023-1255",
"summary": "Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\nplatform contains a bug that could cause it to read past the input buffer,\nleading to a crash.\n\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\nused for disk encryption.\n\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\nbuffer is unmapped, this will trigger a crash which results in a denial of\nservice.\n\nIf an attacker can control the size and location of the ciphertext buffer\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\napplication is affected. This is fairly unlikely making this issue\na Low severity one.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1255"
},
{
"id": "CVE-2023-2650",
"summary": "Issue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit. OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime. The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced. This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL. If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS. It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain. Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates. This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2650"
},
{
"id": "CVE-2023-2975",
"summary": "Issue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be mislead by removing\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2975"
},
{
"id": "CVE-2023-3446",
"summary": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3446"
},
{
"id": "CVE-2023-3817",
"summary": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817"
},
{
"id": "CVE-2023-4807",
"summary": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications on the\nWindows 64 platform when running on newer X86_64 processors supporting the\nAVX512-IFMA instructions.\n\nImpact summary: If in an application that uses the OpenSSL library an attacker\ncan influence whether the POLY1305 MAC algorithm is used, the application\nstate might be corrupted with various application dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\nnot save the contents of non-volatile XMM registers on Windows 64 platform\nwhen calculating the MAC of data larger than 64 bytes. Before returning to\nthe caller all the XMM registers are set to zero rather than restoring their\nprevious content. The vulnerable code is used only on newer x86_64 processors\nsupporting the AVX512-IFMA instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However given the contents of the registers are just zeroized so\nthe attacker cannot put arbitrary values inside, the most likely consequence,\nif any, would be an incorrect result of some application dependent\ncalculations or a crash leading to a denial of service.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\ncipher is used by the server. This implies that server applications using\nOpenSSL can be potentially impacted. However we are currently not aware of\nany concrete application that would be affected by this issue therefore we\nconsider this a Low severity security issue.\n\nAs a workaround the AVX512-IFMA instructions support can be disabled at\nruntime by setting the environment variable OPENSSL_ia32cap:\n\n OPENSSL_ia32cap=:~0x200000\n\nThe FIPS provider is not affected by this issue.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4807"
},
{
"id": "CVE-2023-5363",
"summary": "Issue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the \"keylen\" parameter or the IV length, via the \"ivlen\" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5363"
},
{
"id": "CVE-2023-5678",
"summary": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678"
},
{
"id": "CVE-2023-6129",
"summary": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129"
},
{
"id": "CVE-2024-0727",
"summary": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727"
},
{
"id": "CVE-2024-2511",
"summary": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511"
},
{
"id": "CVE-2024-4603",
"summary": "Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.",
"scorev2": "0.0",
"scorev3": "0.0",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-4603"
}
]
},
{
"name": "opkg-utils",
"layer": "meta",
"version": "0.6.3",
"products": [
{
"product": "opkg-utils",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "opkg-utils-native",
"layer": "meta",
"version": "0.6.3",
"products": [
{
"product": "opkg-utils",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "orc",
"layer": "meta",
"version": "0.4.38",
"products": [
{
"product": "orc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2018-8015",
"summary": "In Apache ORC 1.0.0 to 1.4.3 a malformed ORC file can trigger an endlessly recursive function call in the C++ or Java parser. The impact of this bug is most likely denial-of-service against software that uses the ORC file parser. With the C++ parser, the stack overflow might possibly corrupt the stack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8015"
}
]
},
{
"name": "orc-native",
"layer": "meta",
"version": "0.4.38",
"products": [
{
"product": "orc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2018-8015",
"summary": "In Apache ORC 1.0.0 to 1.4.3 a malformed ORC file can trigger an endlessly recursive function call in the C++ or Java parser. The impact of this bug is most likely denial-of-service against software that uses the ORC file parser. With the C++ parser, the stack overflow might possibly corrupt the stack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8015"
}
]
},
{
"name": "os-release",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "os-release",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "packagegroup-selinux-minimal",
"layer": "meta-selinux",
"version": "1.0",
"products": [
{
"product": "packagegroup-selinux-minimal",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "pango",
"layer": "meta",
"version": "1.52.1",
"products": [
{
"product": "pango",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2009-1194",
"summary": "Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1194"
},
{
"id": "CVE-2010-0421",
"summary": "Array index error in the hb_ot_layout_build_glyph_classes function in pango/opentype/hb-ot-layout.cc in Pango before 1.27.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted font file, related to building a synthetic Glyph Definition (aka GDEF) table by using this font's charmap and the Unicode property database.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0421"
},
{
"id": "CVE-2011-0020",
"summary": "Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0020"
},
{
"id": "CVE-2011-0064",
"summary": "The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0064"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2018-15120",
"summary": "libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15120"
},
{
"id": "CVE-2019-1010238",
"summary": "Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010238"
}
]
},
{
"name": "pango-native",
"layer": "meta",
"version": "1.52.1",
"products": [
{
"product": "pango",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2009-1194",
"summary": "Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1194"
},
{
"id": "CVE-2010-0421",
"summary": "Array index error in the hb_ot_layout_build_glyph_classes function in pango/opentype/hb-ot-layout.cc in Pango before 1.27.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted font file, related to building a synthetic Glyph Definition (aka GDEF) table by using this font's charmap and the Unicode property database.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0421"
},
{
"id": "CVE-2011-0020",
"summary": "Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0020"
},
{
"id": "CVE-2011-0064",
"summary": "The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0064"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2018-15120",
"summary": "libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15120"
},
{
"id": "CVE-2019-1010238",
"summary": "Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010238"
}
]
},
{
"name": "parted",
"layer": "meta",
"version": "3.6",
"products": [
{
"product": "parted",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "patch-native",
"layer": "meta",
"version": "2.7.6",
"products": [
{
"product": "patch",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2014-9637",
"summary": "GNU patch 2.7.2 and earlier allows remote attackers to cause a denial of service (memory consumption and segmentation fault) via a crafted diff file.",
"scorev2": "7.1",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9637"
},
{
"id": "CVE-2015-1196",
"summary": "GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1196"
},
{
"id": "CVE-2015-1395",
"summary": "Directory traversal vulnerability in GNU patch versions which support Git-style patching before 2.7.3 allows remote attackers to write to arbitrary files with the permissions of the target user via a .. (dot dot) in a diff file name.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:C/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1395"
},
{
"id": "CVE-2015-1396",
"summary": "A Directory Traversal vulnerability exists in the GNU patch before 2.7.4. A remote attacker can write to arbitrary files via a symlink attack in a patch file. NOTE: this issue exists because of an incomplete fix for CVE-2015-1196.",
"scorev2": "6.4",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1396"
},
{
"id": "CVE-2016-10713",
"summary": "An issue was discovered in GNU patch before 2.7.6. Out-of-bounds access within pch_write_line() in pch.c can possibly lead to DoS via a crafted input file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10713"
},
{
"id": "CVE-2018-1000156",
"summary": "GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files, specifically the EDITOR_PROGRAM invocation (using ed) can result in code execution. This attack appear to be exploitable via a patch file processed via the patch utility. This is similar to FreeBSD's CVE-2015-1418 however although they share a common ancestry the code bases have diverged over time.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000156"
},
{
"id": "CVE-2018-20969",
"summary": "do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20969"
},
{
"id": "CVE-2018-6951",
"summary": "An issue was discovered in GNU patch through 2.7.6. There is a segmentation fault, associated with a NULL pointer dereference, leading to a denial of service in the intuit_diff_type function in pch.c, aka a \"mangled rename\" issue.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6951"
},
{
"id": "CVE-2018-6952",
"summary": "A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6952"
},
{
"id": "CVE-2019-13636",
"summary": "In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c.",
"scorev2": "5.8",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13636"
},
{
"id": "CVE-2019-13638",
"summary": "GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13638"
},
{
"id": "CVE-2019-20633",
"summary": "GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20633"
},
{
"id": "CVE-2021-45261",
"summary": "An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45261"
}
]
},
{
"name": "pciutils",
"layer": "meta",
"version": "3.11.1",
"products": [
{
"product": "pciutils",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "perf",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "perf",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "perl",
"layer": "meta",
"version": "5.38.2",
"products": [
{
"product": "perl",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-0034",
"summary": "Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0034"
},
{
"id": "CVE-1999-1386",
"summary": "Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl-eaXXXXX file.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1386"
},
{
"id": "CVE-2000-0703",
"summary": "suidperl (aka sperl) does not properly cleanse the escape sequence \"~!\" before calling /bin/mail to send an error report, which allows local users to gain privileges by setting the \"interactive\" environmental variable and calling suidperl with a filename that contains the escape sequence.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0703"
},
{
"id": "CVE-2003-0900",
"summary": "Perl 5.8.1 on Fedora Core does not properly initialize the random number generator when forking, which makes it easier for attackers to predict random numbers.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0900"
},
{
"id": "CVE-2004-0377",
"summary": "Buffer overflow in the win32_stat function for (1) ActiveState's ActivePerl and (2) Larry Wall's Perl before 5.8.3 allows local or remote attackers to execute arbitrary commands via filenames that end in a backslash character.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0377"
},
{
"id": "CVE-2004-0452",
"summary": "Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0452"
},
{
"id": "CVE-2004-0976",
"summary": "Multiple scripts in the perl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0976"
},
{
"id": "CVE-2004-2286",
"summary": "Integer overflow in the duplication operator in ActivePerl allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large multiplier, which may trigger a buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2286"
},
{
"id": "CVE-2005-0155",
"summary": "The PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to create arbitrary files via the PERLIO_DEBUG variable.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0155"
},
{
"id": "CVE-2005-0156",
"summary": "Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0156"
},
{
"id": "CVE-2005-0448",
"summary": "Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0448"
},
{
"id": "CVE-2005-3962",
"summary": "Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3962"
},
{
"id": "CVE-2005-4278",
"summary": "Untrusted search path vulnerability in Perl before 5.8.7-r1 on Gentoo Linux allows local users in the portage group to gain privileges via a malicious shared object in the Portage temporary build directory, which is part of the RUNPATH.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4278"
},
{
"id": "CVE-2007-5116",
"summary": "Buffer overflow in the polymorphic opcode support in the Regular Expression Engine (regcomp.c) in Perl 5.8 allows context-dependent attackers to execute arbitrary code by switching from byte to Unicode (UTF) characters in a regular expression.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5116"
},
{
"id": "CVE-2008-1927",
"summary": "Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters. NOTE: this issue might only be present on certain operating systems.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1927"
},
{
"id": "CVE-2008-2827",
"summary": "The rmtree function in lib/File/Path.pm in Perl 5.10 does not properly check permissions before performing a chmod, which allows local users to modify the permissions of arbitrary files via a symlink attack, a different vulnerability than CVE-2005-0448 and CVE-2004-0452.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2827"
},
{
"id": "CVE-2009-3626",
"summary": "Perl 5.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a UTF-8 character with a large, invalid codepoint, which is not properly handled during a regular-expression match.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3626"
},
{
"id": "CVE-2010-1158",
"summary": "Integer overflow in the regular expression engine in Perl 5.8.x allows context-dependent attackers to cause a denial of service (stack consumption and application crash) by matching a crafted regular expression against a long string.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1158"
},
{
"id": "CVE-2010-4777",
"summary": "The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4777"
},
{
"id": "CVE-2011-0761",
"summary": "Perl 5.10.x allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an ability to inject arguments into a (1) getpeername, (2) readdir, (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir function call.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0761"
},
{
"id": "CVE-2011-1487",
"summary": "The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1487"
},
{
"id": "CVE-2011-2728",
"summary": "The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2728"
},
{
"id": "CVE-2011-2939",
"summary": "Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2939"
},
{
"id": "CVE-2012-1151",
"summary": "Multiple format string vulnerabilities in dbdimp.c in DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.19.0 for Perl allow remote PostgreSQL database servers to cause a denial of service (process crash) via format string specifiers in (1) a crafted database warning to the pg_warn function or (2) a crafted DBD statement to the dbd_st_prepare function.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1151"
},
{
"id": "CVE-2012-5195",
"summary": "Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5195"
},
{
"id": "CVE-2012-6329",
"summary": "The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6329"
},
{
"id": "CVE-2013-1667",
"summary": "The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1667"
},
{
"id": "CVE-2013-7422",
"summary": "Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7422"
},
{
"id": "CVE-2014-4330",
"summary": "The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4330"
},
{
"id": "CVE-2015-8608",
"summary": "The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8608"
},
{
"id": "CVE-2015-8853",
"summary": "The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by \"a\\x80.\"",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8853"
},
{
"id": "CVE-2016-1238",
"summary": "(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1238"
},
{
"id": "CVE-2016-2381",
"summary": "Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2381"
},
{
"id": "CVE-2016-6185",
"summary": "The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6185"
},
{
"id": "CVE-2017-12814",
"summary": "Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 on Windows allows attackers to execute arbitrary code via a long environment variable.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12814"
},
{
"id": "CVE-2017-12837",
"summary": "Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\\N{}' escape and the case-insensitive modifier.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12837"
},
{
"id": "CVE-2017-12883",
"summary": "Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\\N{U+...}' escape.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12883"
},
{
"id": "CVE-2018-12015",
"summary": "In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.",
"scorev2": "6.4",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12015"
},
{
"id": "CVE-2018-18311",
"summary": "Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18311"
},
{
"id": "CVE-2018-18312",
"summary": "Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18312"
},
{
"id": "CVE-2018-18313",
"summary": "Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18313"
},
{
"id": "CVE-2018-18314",
"summary": "Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18314"
},
{
"id": "CVE-2018-6797",
"summary": "An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6797"
},
{
"id": "CVE-2018-6798",
"summary": "An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6798"
},
{
"id": "CVE-2018-6913",
"summary": "Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6913"
},
{
"id": "CVE-2020-10543",
"summary": "Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.",
"scorev2": "6.4",
"scorev3": "8.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10543"
},
{
"id": "CVE-2020-10878",
"summary": "Perl before 5.30.3 has an integer overflow related to mishandling of a \"PL_regkind[OP(n)] == NOTHING\" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.",
"scorev2": "7.5",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10878"
},
{
"id": "CVE-2020-12723",
"summary": "regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12723"
},
{
"id": "CVE-2022-48522",
"summary": "In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48522"
},
{
"id": "CVE-2023-31484",
"summary": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31484"
},
{
"id": "CVE-2023-31486",
"summary": "HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31486"
},
{
"id": "CVE-2023-47038",
"summary": "A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-47038"
},
{
"id": "CVE-2023-47039",
"summary": "A vulnerability was found in Perl. This security issue occurs while Perl for Windows relies on the system path environment variable to find the shell (`cmd.exe`). When running an executable that uses the Windows Perl interpreter, Perl attempts to find and execute `cmd.exe` within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. This flaw allows an attacker with limited privileges to place`cmd.exe` in locations with weak permissions, such as `C:\\ProgramData`. By doing so, arbitrary code can be executed when an administrator attempts to use this executable from these compromised locations.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-47039"
},
{
"id": "CVE-2023-47100",
"summary": "In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \\p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-47100"
}
]
},
{
"name": "perl-native",
"layer": "meta",
"version": "5.38.2",
"products": [
{
"product": "perl",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-0034",
"summary": "Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0034"
},
{
"id": "CVE-1999-1386",
"summary": "Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl-eaXXXXX file.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1386"
},
{
"id": "CVE-2000-0703",
"summary": "suidperl (aka sperl) does not properly cleanse the escape sequence \"~!\" before calling /bin/mail to send an error report, which allows local users to gain privileges by setting the \"interactive\" environmental variable and calling suidperl with a filename that contains the escape sequence.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0703"
},
{
"id": "CVE-2003-0900",
"summary": "Perl 5.8.1 on Fedora Core does not properly initialize the random number generator when forking, which makes it easier for attackers to predict random numbers.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0900"
},
{
"id": "CVE-2004-0377",
"summary": "Buffer overflow in the win32_stat function for (1) ActiveState's ActivePerl and (2) Larry Wall's Perl before 5.8.3 allows local or remote attackers to execute arbitrary commands via filenames that end in a backslash character.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0377"
},
{
"id": "CVE-2004-0452",
"summary": "Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0452"
},
{
"id": "CVE-2004-0976",
"summary": "Multiple scripts in the perl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0976"
},
{
"id": "CVE-2004-2286",
"summary": "Integer overflow in the duplication operator in ActivePerl allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large multiplier, which may trigger a buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2286"
},
{
"id": "CVE-2005-0155",
"summary": "The PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to create arbitrary files via the PERLIO_DEBUG variable.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0155"
},
{
"id": "CVE-2005-0156",
"summary": "Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0156"
},
{
"id": "CVE-2005-0448",
"summary": "Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0448"
},
{
"id": "CVE-2005-3962",
"summary": "Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3962"
},
{
"id": "CVE-2005-4278",
"summary": "Untrusted search path vulnerability in Perl before 5.8.7-r1 on Gentoo Linux allows local users in the portage group to gain privileges via a malicious shared object in the Portage temporary build directory, which is part of the RUNPATH.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4278"
},
{
"id": "CVE-2007-5116",
"summary": "Buffer overflow in the polymorphic opcode support in the Regular Expression Engine (regcomp.c) in Perl 5.8 allows context-dependent attackers to execute arbitrary code by switching from byte to Unicode (UTF) characters in a regular expression.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5116"
},
{
"id": "CVE-2008-1927",
"summary": "Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters. NOTE: this issue might only be present on certain operating systems.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1927"
},
{
"id": "CVE-2008-2827",
"summary": "The rmtree function in lib/File/Path.pm in Perl 5.10 does not properly check permissions before performing a chmod, which allows local users to modify the permissions of arbitrary files via a symlink attack, a different vulnerability than CVE-2005-0448 and CVE-2004-0452.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2827"
},
{
"id": "CVE-2009-3626",
"summary": "Perl 5.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a UTF-8 character with a large, invalid codepoint, which is not properly handled during a regular-expression match.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3626"
},
{
"id": "CVE-2010-1158",
"summary": "Integer overflow in the regular expression engine in Perl 5.8.x allows context-dependent attackers to cause a denial of service (stack consumption and application crash) by matching a crafted regular expression against a long string.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1158"
},
{
"id": "CVE-2010-4777",
"summary": "The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4777"
},
{
"id": "CVE-2011-0761",
"summary": "Perl 5.10.x allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an ability to inject arguments into a (1) getpeername, (2) readdir, (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir function call.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0761"
},
{
"id": "CVE-2011-1487",
"summary": "The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1487"
},
{
"id": "CVE-2011-2728",
"summary": "The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2728"
},
{
"id": "CVE-2011-2939",
"summary": "Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2939"
},
{
"id": "CVE-2012-1151",
"summary": "Multiple format string vulnerabilities in dbdimp.c in DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.19.0 for Perl allow remote PostgreSQL database servers to cause a denial of service (process crash) via format string specifiers in (1) a crafted database warning to the pg_warn function or (2) a crafted DBD statement to the dbd_st_prepare function.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1151"
},
{
"id": "CVE-2012-5195",
"summary": "Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5195"
},
{
"id": "CVE-2012-6329",
"summary": "The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6329"
},
{
"id": "CVE-2013-1667",
"summary": "The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1667"
},
{
"id": "CVE-2013-7422",
"summary": "Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7422"
},
{
"id": "CVE-2014-4330",
"summary": "The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4330"
},
{
"id": "CVE-2015-8608",
"summary": "The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8608"
},
{
"id": "CVE-2015-8853",
"summary": "The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by \"a\\x80.\"",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8853"
},
{
"id": "CVE-2016-1238",
"summary": "(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1238"
},
{
"id": "CVE-2016-2381",
"summary": "Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2381"
},
{
"id": "CVE-2016-6185",
"summary": "The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6185"
},
{
"id": "CVE-2017-12814",
"summary": "Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 on Windows allows attackers to execute arbitrary code via a long environment variable.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12814"
},
{
"id": "CVE-2017-12837",
"summary": "Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\\N{}' escape and the case-insensitive modifier.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12837"
},
{
"id": "CVE-2017-12883",
"summary": "Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\\N{U+...}' escape.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12883"
},
{
"id": "CVE-2018-12015",
"summary": "In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.",
"scorev2": "6.4",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12015"
},
{
"id": "CVE-2018-18311",
"summary": "Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18311"
},
{
"id": "CVE-2018-18312",
"summary": "Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18312"
},
{
"id": "CVE-2018-18313",
"summary": "Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18313"
},
{
"id": "CVE-2018-18314",
"summary": "Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18314"
},
{
"id": "CVE-2018-6797",
"summary": "An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6797"
},
{
"id": "CVE-2018-6798",
"summary": "An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6798"
},
{
"id": "CVE-2018-6913",
"summary": "Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6913"
},
{
"id": "CVE-2020-10543",
"summary": "Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.",
"scorev2": "6.4",
"scorev3": "8.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10543"
},
{
"id": "CVE-2020-10878",
"summary": "Perl before 5.30.3 has an integer overflow related to mishandling of a \"PL_regkind[OP(n)] == NOTHING\" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.",
"scorev2": "7.5",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10878"
},
{
"id": "CVE-2020-12723",
"summary": "regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12723"
},
{
"id": "CVE-2022-48522",
"summary": "In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48522"
},
{
"id": "CVE-2023-31484",
"summary": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31484"
},
{
"id": "CVE-2023-31486",
"summary": "HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.",
"scorev2": "0.0",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31486"
},
{
"id": "CVE-2023-47038",
"summary": "A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-47038"
},
{
"id": "CVE-2023-47039",
"summary": "A vulnerability was found in Perl. This security issue occurs while Perl for Windows relies on the system path environment variable to find the shell (`cmd.exe`). When running an executable that uses the Windows Perl interpreter, Perl attempts to find and execute `cmd.exe` within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. This flaw allows an attacker with limited privileges to place`cmd.exe` in locations with weak permissions, such as `C:\\ProgramData`. By doing so, arbitrary code can be executed when an administrator attempts to use this executable from these compromised locations.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-47039"
},
{
"id": "CVE-2023-47100",
"summary": "In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \\p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-47100"
}
]
},
{
"name": "perlcross-native",
"layer": "meta",
"version": "1.5.2",
"products": [
{
"product": "perlcross",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "phone",
"layer": "meta-agl-demo",
"version": "1.0+git",
"products": [
{
"product": "phone",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2023-42545",
"summary": "Use of implicit intent for sensitive communication vulnerability in Phone prior to versions 12.7.20.12 in Android 11, 13.1.48, 13.5.28 in Android 12, and 14.7.38 in Android 13 allows attackers to access location data.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-42545"
}
]
},
{
"name": "pigz-native",
"layer": "meta",
"version": "2.8",
"products": [
{
"product": "pigz",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-0296",
"summary": "Race condition in pigz before 2.2.5 uses permissions derived from the umask when compressing a file before setting that file's permissions to match those of the original file, which might allow local users to bypass intended access permissions while compression is occurring.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0296"
},
{
"id": "CVE-2015-1191",
"summary": "Multiple directory traversal vulnerabilities in pigz 2.3.1 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1191"
}
]
},
{
"name": "pinentry",
"layer": "meta",
"version": "1.2.1",
"products": [
{
"product": "pinentry",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "pipewire",
"layer": "meta-multimedia",
"version": "1.0.5",
"products": [
{
"product": "pipewire",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "pixman",
"layer": "meta",
"version": "1_0.42.2",
"products": [
{
"product": "pixman",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-6424",
"summary": "Integer underflow in the xTrapezoidValid macro in render/picture.h in X.Org allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6424"
},
{
"id": "CVE-2013-6425",
"summary": "Integer underflow in the pixman_trapezoid_valid macro in pixman.h in Pixman before 0.32.0, as used in X.Org server and cairo, allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6425"
},
{
"id": "CVE-2014-9766",
"summary": "Integer overflow in the create_bits function in pixman-bits-image.c in Pixman before 0.32.6 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via large height and stride values.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9766"
},
{
"id": "CVE-2015-5297",
"summary": "An integer overflow issue has been reported in the general_composite_rect() function in pixman prior to version 0.32.8. An attacker could exploit this issue to cause an application using pixman to crash or, potentially, execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5297"
},
{
"id": "CVE-2022-44638",
"summary": "In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-44638"
},
{
"id": "CVE-2023-37769",
"summary": "stress-test master commit e4c878 was discovered to contain a FPE vulnerability via the component combine_inner at /pixman-combine-float.c.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37769",
"detail": "not-applicable-config",
"description": "stress-test is an uninstalled test"
}
]
},
{
"name": "pixman-native",
"layer": "meta",
"version": "1_0.42.2",
"products": [
{
"product": "pixman",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-6424",
"summary": "Integer underflow in the xTrapezoidValid macro in render/picture.h in X.Org allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6424"
},
{
"id": "CVE-2013-6425",
"summary": "Integer underflow in the pixman_trapezoid_valid macro in pixman.h in Pixman before 0.32.0, as used in X.Org server and cairo, allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6425"
},
{
"id": "CVE-2014-9766",
"summary": "Integer overflow in the create_bits function in pixman-bits-image.c in Pixman before 0.32.6 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via large height and stride values.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9766"
},
{
"id": "CVE-2015-5297",
"summary": "An integer overflow issue has been reported in the general_composite_rect() function in pixman prior to version 0.32.8. An attacker could exploit this issue to cause an application using pixman to crash or, potentially, execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5297"
},
{
"id": "CVE-2022-44638",
"summary": "In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-44638"
},
{
"id": "CVE-2023-37769",
"summary": "stress-test master commit e4c878 was discovered to contain a FPE vulnerability via the component combine_inner at /pixman-combine-float.c.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37769",
"detail": "not-applicable-config",
"description": "stress-test is an uninstalled test"
}
]
},
{
"name": "pkgconfig-native",
"layer": "meta",
"version": "0.29.2+git",
"products": [
{
"product": "pkgconfig",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "policycoreutils",
"layer": "meta-selinux",
"version": "3.6",
"products": [
{
"product": "selinux",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2020-10751",
"summary": "A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.",
"scorev2": "3.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10751"
}
]
},
{
"name": "policycoreutils-native",
"layer": "meta-selinux",
"version": "3.6",
"products": [
{
"product": "selinux",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2020-10751",
"summary": "A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.",
"scorev2": "3.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10751"
}
]
},
{
"name": "polkit",
"layer": "meta-oe",
"version": "124",
"products": [
{
"product": "polkit",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-4288",
"summary": "Race condition in PolicyKit (aka polkit) allows local users to bypass intended PolicyKit restrictions and gain privileges by starting a setuid or pkexec process before the authorization check is performed, related to (1) the polkit_unix_process_new API function, (2) the dbus API, or (3) the --process (unix-process) option for authorization to pkcheck.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4288"
},
{
"id": "CVE-2015-3218",
"summary": "The authentication_agent_new function in polkitbackend/polkitbackendinteractiveauthority.c in PolicyKit (aka polkit) before 0.113 allows local users to cause a denial of service (NULL pointer dereference and polkitd daemon crash) by calling RegisterAuthenticationAgent with an invalid object path.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3218"
},
{
"id": "CVE-2015-3255",
"summary": "The polkit_backend_action_pool_init function in polkitbackend/polkitbackendactionpool.c in PolicyKit (aka polkit) before 0.113 might allow local users to gain privileges via duplicate action IDs in action descriptions.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3255"
},
{
"id": "CVE-2015-3256",
"summary": "PolicyKit (aka polkit) before 0.113 allows local users to cause a denial of service (memory corruption and polkitd daemon crash) and possibly gain privileges via unspecified vectors, related to \"javascript rule evaluation.\"",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3256"
},
{
"id": "CVE-2015-4625",
"summary": "Integer overflow in the authentication_agent_new_cookie function in PolicyKit (aka polkit) before 0.113 allows local users to gain privileges by creating a large number of connections, which triggers the issuance of a duplicate cookie value.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4625"
},
{
"id": "CVE-2016-2568",
"summary": "pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
"scorev2": "4.4",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2568"
},
{
"id": "CVE-2018-1116",
"summary": "A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for authentication and trigger authentication of unrelated processes owned by other users. This may result in a local DoS and information disclosure.",
"scorev2": "3.6",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1116"
},
{
"id": "CVE-2018-19788",
"summary": "A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.",
"scorev2": "9.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19788"
},
{
"id": "CVE-2019-6133",
"summary": "In PolicyKit (aka polkit) 0.115, the \"start time\" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c.",
"scorev2": "4.4",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6133"
},
{
"id": "CVE-2021-3560",
"summary": "It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3560"
},
{
"id": "CVE-2021-4034",
"summary": "A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4034"
},
{
"id": "CVE-2021-4115",
"summary": "There is a flaw in polkit which can allow an unprivileged user to cause polkit to crash, due to process file descriptor exhaustion. The highest threat from this vulnerability is to availability. NOTE: Polkit process outage duration is tied to the failing process being reaped and a new one being spawned",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4115"
}
]
},
{
"name": "polkit-rule-agl-app",
"layer": "meta-app-framework",
"version": "1.0",
"products": [
{
"product": "polkit-rule-agl-app",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "popt",
"layer": "meta",
"version": "1.19",
"products": [
{
"product": "popt",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "popt-native",
"layer": "meta",
"version": "1.19",
"products": [
{
"product": "popt",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "powertop",
"layer": "meta",
"version": "2.15",
"products": [
{
"product": "powertop",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "ppp",
"layer": "meta",
"version": "2.5.0",
"products": [
{
"product": "ppp",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-1002",
"summary": "Integer underflow in pppd in cbcp.c for ppp 2.4.1 allows remote attackers to cause a denial of service (daemon crash) via a CBCP packet with an invalid length value that causes pppd to access an incorrect memory location.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1002"
},
{
"id": "CVE-2008-5366",
"summary": "The postinst script in ppp 2.4.4rel on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/probe-finished or (2) /tmp/ppp-errors temporary file.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5366"
},
{
"id": "CVE-2020-15704",
"summary": "The modprobe child process in the ./debian/patches/load_ppp_generic_if_needed patch file incorrectly handled module loading. A local non-root attacker could exploit the MODPROBE_OPTIONS environment variable to read arbitrary root files. Fixed in 2.4.5-5ubuntu1.4, 2.4.5-5.1ubuntu2.3+esm2, 2.4.7-1+2ubuntu1.16.04.3, 2.4.7-2+2ubuntu1.3, 2.4.7-2+4.1ubuntu5.1, 2.4.7-2+4.1ubuntu6. Was ZDI-CAN-11504.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15704"
},
{
"id": "CVE-2022-4603",
"summary": "A vulnerability classified as problematic has been found in ppp. Affected is the function dumpppp of the file pppdump/pppdump.c of the component pppdump. The manipulation of the argument spkt.buf/rpkt.buf leads to improper validation of array index. The real existence of this vulnerability is still doubted at the moment. The name of the patch is a75fb7b198eed50d769c80c36629f38346882cbf. It is recommended to apply a patch to fix this issue. VDB-216198 is the identifier assigned to this vulnerability. NOTE: pppdump is not used in normal process of setting up a PPP connection, is not installed setuid-root, and is not invoked automatically in any scenario.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4603"
}
]
},
{
"name": "pps-tools",
"layer": "meta-oe",
"version": "1.0.3",
"products": [
{
"product": "pps-tools",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "procps",
"layer": "meta",
"version": "4.0.4",
"products": [
{
"product": "procps",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2018-1121",
"summary": "procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1121"
},
{
"id": "CVE-2023-4016",
"summary": "Under some circumstances, this weakness allows a user who has access to run the \u201cps\u201d utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.",
"scorev2": "0.0",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4016"
}
]
},
{
"name": "protobuf",
"layer": "meta-oe",
"version": "4.25.3",
"products": [
{
"product": "protobuf",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-5237",
"summary": "protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.",
"scorev2": "6.5",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5237"
},
{
"id": "CVE-2021-22570",
"summary": "Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22570"
},
{
"id": "CVE-2021-3121",
"summary": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.",
"scorev2": "7.5",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121"
},
{
"id": "CVE-2023-24535",
"summary": "Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24535"
}
]
},
{
"name": "protobuf-native",
"layer": "meta-oe",
"version": "4.25.3",
"products": [
{
"product": "protobuf",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-5237",
"summary": "protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.",
"scorev2": "6.5",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5237"
},
{
"id": "CVE-2021-22570",
"summary": "Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22570"
},
{
"id": "CVE-2021-3121",
"summary": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.",
"scorev2": "7.5",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121"
},
{
"id": "CVE-2023-24535",
"summary": "Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24535"
}
]
},
{
"name": "pseudo-native",
"layer": "meta",
"version": "1.9.0+git",
"products": [
{
"product": "pseudo",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "psmisc",
"layer": "meta",
"version": "23.6",
"products": [
{
"product": "psmisc",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "psplash",
"layer": "meta",
"version": "0.1+git",
"products": [
{
"product": "psplash",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "psplash-portrait-config",
"layer": "meta-agl-demo",
"version": "1.0",
"products": [
{
"product": "psplash-portrait-config",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "ptest-runner",
"layer": "meta",
"version": "2.4.4+git",
"products": [
{
"product": "ptest-runner",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3",
"layer": "meta",
"version": "3.12.3",
"products": [
{
"product": "python",
"cvesInRecord": "Yes"
},
{
"product": "cpython",
"cvesInRecord": "No"
}
],
"issue": [
{
"id": "CVE-2002-1119",
"summary": "os._execvpe from os.py in Python 2.2.1 and earlier creates temporary files with predictable names, which could allow local users to execute arbitrary code via a symlink attack.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1119"
},
{
"id": "CVE-2004-0150",
"summary": "Buffer overflow in the getaddrinfo function in Python 2.2 before 2.2.2, when IPv6 support is disabled, allows remote attackers to execute arbitrary code via an IPv6 address that is obtained using DNS.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0150"
},
{
"id": "CVE-2005-0089",
"summary": "The SimpleXMLRPCServer library module in Python 2.2, 2.3 before 2.3.5, and 2.4, when used by XML-RPC servers that use the register_instance method to register an object without a _dispatch method, allows remote attackers to read or modify globals of the associated module, and possibly execute arbitrary code, via dotted attributes.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0089"
},
{
"id": "CVE-2006-1542",
"summary": "Stack-based buffer overflow in Python 2.4.2 and earlier, running on Linux 2.6.12.5 under gcc 4.0.3 with libc 2.3.5, allows local users to cause a \"stack overflow,\" and possibly gain privileges, by running a script from a current working directory that has a long name, related to the realpath function. NOTE: this might not be a vulnerability. However, the fact that it appears in a programming language interpreter could mean that some applications are affected, although attack scenarios might be limited because the attacker might already need to cross privilege boundaries to cause an exploitable program to be placed in a directory with a long name; or, depending on the method that Python uses to determine the current working directory, setuid applications might be affected.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1542"
},
{
"id": "CVE-2006-4980",
"summary": "Buffer overflow in the repr function in Python 2.3 through 2.6 before 20060822 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via crafted wide character UTF-32/UCS-4 strings to certain scripts.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4980"
},
{
"id": "CVE-2007-1657",
"summary": "Stack-based buffer overflow in the file_compress function in minigzip (Modules/zlib) in Python 2.5 allows context-dependent attackers to execute arbitrary code via a long file argument.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1657"
},
{
"id": "CVE-2007-2052",
"summary": "Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2052"
},
{
"id": "CVE-2007-4559",
"summary": "Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4559",
"detail": "disputed",
"description": "Upstream consider this expected behaviour"
},
{
"id": "CVE-2007-4965",
"summary": "Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4965"
},
{
"id": "CVE-2008-1679",
"summary": "Multiple integer overflows in imageop.c in Python before 2.5.3 allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted images that trigger heap-based buffer overflows. NOTE: this issue is due to an incomplete fix for CVE-2007-4965.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1679"
},
{
"id": "CVE-2008-1721",
"summary": "Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1721"
},
{
"id": "CVE-2008-1887",
"summary": "Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1887"
},
{
"id": "CVE-2008-2315",
"summary": "Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules. NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2315"
},
{
"id": "CVE-2008-2316",
"summary": "Integer overflow in _hashopenssl.c in the hashlib module in Python 2.5.2 and earlier might allow context-dependent attackers to defeat cryptographic digests, related to \"partial hashlib hashing of data exceeding 4GB.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2316"
},
{
"id": "CVE-2008-3142",
"summary": "Multiple buffer overflows in Python 2.5.2 and earlier on 32bit platforms allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a long string that leads to incorrect memory allocation during Unicode string processing, related to the unicode_resize function and the PyMem_RESIZE macro.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3142"
},
{
"id": "CVE-2008-3143",
"summary": "Multiple integer overflows in Python before 2.5.2 might allow context-dependent attackers to have an unknown impact via vectors related to (1) Include/pymem.h; (2) _csv.c, (3) _struct.c, (4) arraymodule.c, (5) audioop.c, (6) binascii.c, (7) cPickle.c, (8) cStringIO.c, (9) cjkcodecs/multibytecodec.c, (10) datetimemodule.c, (11) md5.c, (12) rgbimgmodule.c, and (13) stropmodule.c in Modules/; (14) bufferobject.c, (15) listobject.c, and (16) obmalloc.c in Objects/; (17) Parser/node.c; and (18) asdl.c, (19) ast.c, (20) bltinmodule.c, and (21) compile.c in Python/, as addressed by \"checks for integer overflows, contributed by Google.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3143"
},
{
"id": "CVE-2008-3144",
"summary": "Multiple integer overflows in the PyOS_vsnprintf function in Python/mysnprintf.c in Python 2.5.2 and earlier allow context-dependent attackers to cause a denial of service (memory corruption) or have unspecified other impact via crafted input to string formatting operations. NOTE: the handling of certain integer values is also affected by related integer underflows and an off-by-one error.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3144"
},
{
"id": "CVE-2008-4108",
"summary": "Tools/faqwiz/move-faqwiz.sh (aka the generic FAQ wizard moving tool) in Python 2.4.5 might allow local users to overwrite arbitrary files via a symlink attack on a tmp$RANDOM.tmp temporary file. NOTE: there may not be common usage scenarios in which tmp$RANDOM.tmp is located in an untrusted directory.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4108"
},
{
"id": "CVE-2008-4864",
"summary": "Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4864"
},
{
"id": "CVE-2008-5031",
"summary": "Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5031"
},
{
"id": "CVE-2008-5983",
"summary": "Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5983"
},
{
"id": "CVE-2009-4134",
"summary": "Buffer underflow in the rgbimg module in Python 2.5 allows remote attackers to cause a denial of service (application crash) via a large ZSIZE value in a black-and-white (aka B/W) RGB image that triggers an invalid pointer dereference.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4134"
},
{
"id": "CVE-2010-1449",
"summary": "Integer overflow in rgbimgmodule.c in the rgbimg module in Python 2.5 allows remote attackers to have an unspecified impact via a large image that triggers a buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-3143.12.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1449"
},
{
"id": "CVE-2010-1450",
"summary": "Multiple buffer overflows in the RLE decoder in the rgbimg module in Python 2.5 allow remote attackers to have an unspecified impact via an image file containing crafted data that triggers improper processing within the (1) longimagedata or (2) expandrow function.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1450"
},
{
"id": "CVE-2010-1634",
"summary": "Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1634"
},
{
"id": "CVE-2010-2089",
"summary": "The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2089"
},
{
"id": "CVE-2010-3492",
"summary": "The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3492"
},
{
"id": "CVE-2010-3493",
"summary": "Multiple race conditions in smtpd.py in the smtpd module in Python 2.6, 2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername function having an ENOTCONN error, a related issue to CVE-2010-3492.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3493"
},
{
"id": "CVE-2011-1015",
"summary": "The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the URI.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1015"
},
{
"id": "CVE-2011-1521",
"summary": "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1521"
},
{
"id": "CVE-2011-4940",
"summary": "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4940"
},
{
"id": "CVE-2011-4944",
"summary": "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4944"
},
{
"id": "CVE-2012-0845",
"summary": "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0845"
},
{
"id": "CVE-2012-0876",
"summary": "The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0876"
},
{
"id": "CVE-2012-1150",
"summary": "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1150"
},
{
"id": "CVE-2012-2135",
"summary": "The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2135"
},
{
"id": "CVE-2013-0340",
"summary": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0340"
},
{
"id": "CVE-2013-1753",
"summary": "The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1753"
},
{
"id": "CVE-2013-2099",
"summary": "Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2099"
},
{
"id": "CVE-2013-4238",
"summary": "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4238"
},
{
"id": "CVE-2013-7040",
"summary": "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7040"
},
{
"id": "CVE-2013-7338",
"summary": "Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7338"
},
{
"id": "CVE-2013-7440",
"summary": "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7440"
},
{
"id": "CVE-2014-0224",
"summary": "OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the \"CCS Injection\" vulnerability.",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0224"
},
{
"id": "CVE-2014-1912",
"summary": "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1912"
},
{
"id": "CVE-2014-2667",
"summary": "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2667"
},
{
"id": "CVE-2014-4616",
"summary": "Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4616"
},
{
"id": "CVE-2014-4650",
"summary": "The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4650"
},
{
"id": "CVE-2014-7185",
"summary": "Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a \"buffer\" function.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7185"
},
{
"id": "CVE-2014-9365",
"summary": "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
},
{
"id": "CVE-2015-1283",
"summary": "Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1283"
},
{
"id": "CVE-2015-20107",
"summary": "In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9",
"scorev2": "8.0",
"scorev3": "7.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:C/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-20107",
"detail": "upstream-wontfix",
"description": "The mailcap module is insecure by design, so this can't be fixed in a meaningful way"
},
{
"id": "CVE-2015-5652",
"summary": "Untrusted search path vulnerability in python.exe in Python through 3.5.0 on Windows allows local users to gain privileges via a Trojan horse readline.pyd file in the current working directory. NOTE: the vendor says \"It was determined that this is a longtime behavior of Python that cannot really be altered at this point.\"",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5652"
},
{
"id": "CVE-2016-0718",
"summary": "Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0718"
},
{
"id": "CVE-2016-0772",
"summary": "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"",
"scorev2": "5.8",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0772"
},
{
"id": "CVE-2016-1000110",
"summary": "The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.",
"scorev2": "5.8",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000110"
},
{
"id": "CVE-2016-2183",
"summary": "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
},
{
"id": "CVE-2016-3189",
"summary": "Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3189"
},
{
"id": "CVE-2016-4472",
"summary": "The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4472"
},
{
"id": "CVE-2016-5636",
"summary": "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5636"
},
{
"id": "CVE-2016-5699",
"summary": "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.",
"scorev2": "4.3",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5699"
},
{
"id": "CVE-2016-9063",
"summary": "An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9063"
},
{
"id": "CVE-2017-1000158",
"summary": "CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000158"
},
{
"id": "CVE-2017-17522",
"summary": "Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17522"
},
{
"id": "CVE-2017-18207",
"summary": "The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4 does not ensure a nonzero channel value, which allows attackers to cause a denial of service (divide-by-zero and exception) via a crafted wav format audio file. NOTE: the vendor disputes this issue because Python applications \"need to be prepared to handle a wide variety of exceptions.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18207"
},
{
"id": "CVE-2017-20052",
"summary": "A vulnerability classified as problematic was found in Python 2.7.13. This vulnerability affects unknown code of the component pgAdmin4. The manipulation leads to uncontrolled search path. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.",
"scorev2": "4.4",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-20052"
},
{
"id": "CVE-2017-9233",
"summary": "XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9233"
},
{
"id": "CVE-2018-1000030",
"summary": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.",
"scorev2": "3.3",
"scorev3": "3.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000030"
},
{
"id": "CVE-2018-1000117",
"summary": "Python Software Foundation CPython version From 3.2 until 3.6.4 on Windows contains a Buffer Overflow vulnerability in os.symlink() function on Windows that can result in Arbitrary code execution, likely escalation of privilege. This attack appears to be exploitable via a python script that creates a symlink with an attacker controlled name or location. This vulnerability appears to have been fixed in 3.7.0 and 3.6.5.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000117"
},
{
"id": "CVE-2018-1000802",
"summary": "Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000802"
},
{
"id": "CVE-2018-1060",
"summary": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.",
"scorev2": "5.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1060"
},
{
"id": "CVE-2018-1061",
"summary": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1061"
},
{
"id": "CVE-2018-14647",
"summary": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14647"
},
{
"id": "CVE-2018-20406",
"summary": "Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a \"resize to twice the size\" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. This issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.7rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1, v3.6.7rc2, v3.6.8, v3.6.8rc1, v3.6.9, v3.6.9rc1; v3.7.1, v3.7.1rc1, v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20406"
},
{
"id": "CVE-2018-20852",
"summary": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20852"
},
{
"id": "CVE-2018-25032",
"summary": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032"
},
{
"id": "CVE-2019-10160",
"summary": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.",
"scorev2": "5.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10160"
},
{
"id": "CVE-2019-12900",
"summary": "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12900"
},
{
"id": "CVE-2019-13404",
"summary": "The MSI installer for Python through 2.7.16 on Windows defaults to the C:\\Python27 directory, which makes it easier for local users to deploy Trojan horse code. (This also affects old 3.x releases before 3.5.) NOTE: the vendor's position is that it is the user's responsibility to ensure C:\\Python27 access control or choose a different directory, because backwards compatibility requires that C:\\Python27 remain the default for 2.7.x",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13404"
},
{
"id": "CVE-2019-15903",
"summary": "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15903"
},
{
"id": "CVE-2019-16056",
"summary": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16056"
},
{
"id": "CVE-2019-16935",
"summary": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.",
"scorev2": "4.3",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16935"
},
{
"id": "CVE-2019-17514",
"summary": "library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated \"finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,\" one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17514"
},
{
"id": "CVE-2019-18348",
"summary": "An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.",
"scorev2": "4.3",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18348",
"detail": "not-applicable-config",
"description": "This is not exploitable when glibc has CVE-2016-10739 fixed"
},
{
"id": "CVE-2019-20907",
"summary": "In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20907"
},
{
"id": "CVE-2019-5010",
"summary": "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.",
"scorev2": "5.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5010"
},
{
"id": "CVE-2019-9636",
"summary": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.",
"scorev2": "5.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9636"
},
{
"id": "CVE-2019-9674",
"summary": "Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9674"
},
{
"id": "CVE-2019-9740",
"summary": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.",
"scorev2": "4.3",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9740"
},
{
"id": "CVE-2019-9947",
"summary": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.",
"scorev2": "4.3",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9947"
},
{
"id": "CVE-2019-9948",
"summary": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9948"
},
{
"id": "CVE-2020-10735",
"summary": "A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int(\"text\"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10735"
},
{
"id": "CVE-2020-14422",
"summary": "Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14422"
},
{
"id": "CVE-2020-15523",
"summary": "In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15523",
"detail": "not-applicable-platform",
"description": "Issue only applies on Windows"
},
{
"id": "CVE-2020-15801",
"summary": "In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The ._pth file (e.g., the python._pth file) is not affected.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15801"
},
{
"id": "CVE-2020-26116",
"summary": "http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.",
"scorev2": "6.4",
"scorev3": "7.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-26116"
},
{
"id": "CVE-2020-27619",
"summary": "In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27619"
},
{
"id": "CVE-2020-8315",
"summary": "In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8315"
},
{
"id": "CVE-2020-8492",
"summary": "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.",
"scorev2": "7.1",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8492"
},
{
"id": "CVE-2021-23336",
"summary": "The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.",
"scorev2": "4.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23336"
},
{
"id": "CVE-2021-28861",
"summary": "Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states \"Warning: http.server is not recommended for production. It only implements basic security checks.\"",
"scorev2": "0.0",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28861"
},
{
"id": "CVE-2021-29921",
"summary": "In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29921"
},
{
"id": "CVE-2021-3177",
"summary": "Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3177"
},
{
"id": "CVE-2021-3426",
"summary": "There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3426"
},
{
"id": "CVE-2021-3733",
"summary": "There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3733"
},
{
"id": "CVE-2021-3737",
"summary": "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.",
"scorev2": "7.1",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3737"
},
{
"id": "CVE-2021-4189",
"summary": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4189"
},
{
"id": "CVE-2022-0391",
"summary": "A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\\r' and '\\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0391"
},
{
"id": "CVE-2022-26488",
"summary": "In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26488",
"detail": "not-applicable-platform",
"description": "Issue only applies on Windows"
},
{
"id": "CVE-2022-37454",
"summary": "The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-37454"
},
{
"id": "CVE-2022-42919",
"summary": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919"
},
{
"id": "CVE-2022-45061",
"summary": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061"
},
{
"id": "CVE-2022-48560",
"summary": "A use-after-free exists in Python through 3.9 via heappushpop in heapq.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48560"
},
{
"id": "CVE-2022-48564",
"summary": "read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48564"
},
{
"id": "CVE-2022-48565",
"summary": "An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48565"
},
{
"id": "CVE-2022-48566",
"summary": "An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48566"
},
{
"id": "CVE-2023-24329",
"summary": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329"
},
{
"id": "CVE-2023-27043",
"summary": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043"
},
{
"id": "CVE-2023-33595",
"summary": "CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-free via the function ascii_decode at /Objects/unicodeobject.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33595"
},
{
"id": "CVE-2023-36632",
"summary": "The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger \"RecursionError: maximum recursion depth exceeded while calling a Python object\" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-36632",
"detail": "disputed",
"description": "Not an issue, in fact expected behaviour"
},
{
"id": "CVE-2023-38898",
"summary": "An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component. NOTE: this is disputed by the vendor because (1) neither 3.7 nor any other release is affected (it is a bug in some 3.12 pre-releases); (2) there are no common scenarios in which an adversary can call _asyncio._swap_current_task but does not already have the ability to call arbitrary functions; and (3) there are no common scenarios in which sensitive information, which is not already accessible to an adversary, becomes accessible through this bug.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38898"
},
{
"id": "CVE-2023-40217",
"summary": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217"
},
{
"id": "CVE-2023-41105",
"summary": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105"
},
{
"id": "CVE-2023-6507",
"summary": "An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases.\n\nWhen using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list.\n\nThis issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).\n\n",
"scorev2": "0.0",
"scorev3": "4.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6507"
}
]
},
{
"name": "python3-aenum",
"layer": "meta-python",
"version": "3.1.15",
"products": [
{
"product": "aenum",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-anytree-native",
"layer": "meta-agl-kuksa-val",
"version": "2.8.0",
"products": [
{
"product": "anytree",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-atomicwrites",
"layer": "meta",
"version": "1.4.1",
"products": [
{
"product": "atomicwrites",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-attrs",
"layer": "meta",
"version": "23.2.0",
"products": [
{
"product": "attrs",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-bitstruct",
"layer": "meta-python",
"version": "8.19.0",
"products": [
{
"product": "bitstruct",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-build-native",
"layer": "meta",
"version": "1.1.1",
"products": [
{
"product": "build",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-calver-native",
"layer": "meta",
"version": "2022.6.26",
"products": [
{
"product": "python3-calver",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-can",
"layer": "meta-python",
"version": "4.2.2",
"products": [
{
"product": "python-can",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-can-j1939",
"layer": "meta-agl-kuksa-val",
"version": "2.0.6",
"products": [
{
"product": "can-j1939",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-cantools",
"layer": "meta-python",
"version": "39.4.4",
"products": [
{
"product": "cantools",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-cmd2",
"layer": "meta-python",
"version": "2.4.3",
"products": [
{
"product": "cmd2",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-colorama",
"layer": "meta-python",
"version": "0.4.6",
"products": [
{
"product": "colorama",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-cython-native",
"layer": "meta",
"version": "3.0.8",
"products": [
{
"product": "Cython",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-dbus",
"layer": "meta",
"version": "1.3.2",
"products": [
{
"product": "python3-dbus",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-dbusmock",
"layer": "meta",
"version": "0.31.1",
"products": [
{
"product": "python-dbusmock",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-decorator",
"layer": "meta-python",
"version": "5.1.1",
"products": [
{
"product": "decorator",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-deprecation-native",
"layer": "meta-agl-kuksa-val",
"version": "2.1.0",
"products": [
{
"product": "deprecation",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-diskcache",
"layer": "meta-python",
"version": "5.6.3",
"products": [
{
"product": "diskcache",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-distro",
"layer": "meta-python",
"version": "1.9.0",
"products": [
{
"product": "distro",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-docutils-native",
"layer": "meta",
"version": "0.20.1",
"products": [
{
"product": "docutils",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-editables-native",
"layer": "meta",
"version": "0.5",
"products": [
{
"product": "editables",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-flit-core-native",
"layer": "meta",
"version": "3.9.0",
"products": [
{
"product": "flit",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-graphql-core-native",
"layer": "meta-agl-kuksa-val",
"version": "3.2.3",
"products": [
{
"product": "graphql-core",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-grpcio",
"layer": "meta-python",
"version": "1.62.2",
"products": [
{
"product": "grpcio",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-grpcio-native",
"layer": "meta-python",
"version": "1.62.2",
"products": [
{
"product": "grpcio",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-grpcio-tools",
"layer": "meta-python",
"version": "1.62.2",
"products": [
{
"product": "grpcio-tools",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-grpcio-tools-native",
"layer": "meta-python",
"version": "1.62.2",
"products": [
{
"product": "grpcio-tools",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-hatch-fancy-pypi-readme-native",
"layer": "meta",
"version": "24.1.0",
"products": [
{
"product": "hatch_fancy_pypi_readme",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-hatch-vcs-native",
"layer": "meta",
"version": "0.4.0",
"products": [
{
"product": "hatch_vcs",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-hatchling-native",
"layer": "meta",
"version": "1.21.1",
"products": [
{
"product": "hatchling",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-hypothesis",
"layer": "meta",
"version": "6.98.15",
"products": [
{
"product": "hypothesis",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-importlib-metadata",
"layer": "meta",
"version": "7.0.1",
"products": [
{
"product": "importlib_metadata",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-importlib-metadata-native",
"layer": "meta",
"version": "7.0.1",
"products": [
{
"product": "importlib_metadata",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-iniconfig",
"layer": "meta",
"version": "2.0.0",
"products": [
{
"product": "iniconfig",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-iniparse",
"layer": "meta",
"version": "0.5",
"products": [
{
"product": "iniparse",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-iniparse-native",
"layer": "meta",
"version": "0.5",
"products": [
{
"product": "iniparse",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-installer-native",
"layer": "meta",
"version": "0.7.0",
"products": [
{
"product": "installer",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-ipy",
"layer": "meta-python",
"version": "1.01",
"products": [
{
"product": "IPy",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-jinja2-native",
"layer": "meta",
"version": "3.1.3",
"products": [
{
"product": "jinja2",
"cvesInRecord": "Yes"
},
{
"product": "jinja",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2014-0012",
"summary": "FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0012"
},
{
"id": "CVE-2014-1402",
"summary": "The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1402"
},
{
"id": "CVE-2016-10745",
"summary": "In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10745"
},
{
"id": "CVE-2019-10906",
"summary": "In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10906"
},
{
"id": "CVE-2019-8341",
"summary": "An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the \"source\" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8341"
},
{
"id": "CVE-2020-28493",
"summary": "This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28493"
},
{
"id": "CVE-2024-22195",
"summary": "Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.\n",
"scorev2": "0.0",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-22195"
}
]
},
{
"name": "python3-jsonpath-ng",
"layer": "meta-agl-kuksa-val",
"version": "1.5.3",
"products": [
{
"product": "jsonpath-ng",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-mako-native",
"layer": "meta",
"version": "1.3.2",
"products": [
{
"product": "Mako",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-markupsafe-native",
"layer": "meta",
"version": "2.1.5",
"products": [
{
"product": "MarkupSafe",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-more-itertools",
"layer": "meta",
"version": "10.2.0",
"products": [
{
"product": "more-itertools",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-more-itertools-native",
"layer": "meta",
"version": "10.2.0",
"products": [
{
"product": "more-itertools",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-native",
"layer": "meta",
"version": "3.12.3",
"products": [
{
"product": "python",
"cvesInRecord": "Yes"
},
{
"product": "cpython",
"cvesInRecord": "No"
}
],
"issue": [
{
"id": "CVE-2002-1119",
"summary": "os._execvpe from os.py in Python 2.2.1 and earlier creates temporary files with predictable names, which could allow local users to execute arbitrary code via a symlink attack.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1119"
},
{
"id": "CVE-2004-0150",
"summary": "Buffer overflow in the getaddrinfo function in Python 2.2 before 2.2.2, when IPv6 support is disabled, allows remote attackers to execute arbitrary code via an IPv6 address that is obtained using DNS.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0150"
},
{
"id": "CVE-2005-0089",
"summary": "The SimpleXMLRPCServer library module in Python 2.2, 2.3 before 2.3.5, and 2.4, when used by XML-RPC servers that use the register_instance method to register an object without a _dispatch method, allows remote attackers to read or modify globals of the associated module, and possibly execute arbitrary code, via dotted attributes.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0089"
},
{
"id": "CVE-2006-1542",
"summary": "Stack-based buffer overflow in Python 2.4.2 and earlier, running on Linux 2.6.12.5 under gcc 4.0.3 with libc 2.3.5, allows local users to cause a \"stack overflow,\" and possibly gain privileges, by running a script from a current working directory that has a long name, related to the realpath function. NOTE: this might not be a vulnerability. However, the fact that it appears in a programming language interpreter could mean that some applications are affected, although attack scenarios might be limited because the attacker might already need to cross privilege boundaries to cause an exploitable program to be placed in a directory with a long name; or, depending on the method that Python uses to determine the current working directory, setuid applications might be affected.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1542"
},
{
"id": "CVE-2006-4980",
"summary": "Buffer overflow in the repr function in Python 2.3 through 2.6 before 20060822 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via crafted wide character UTF-32/UCS-4 strings to certain scripts.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4980"
},
{
"id": "CVE-2007-1657",
"summary": "Stack-based buffer overflow in the file_compress function in minigzip (Modules/zlib) in Python 2.5 allows context-dependent attackers to execute arbitrary code via a long file argument.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1657"
},
{
"id": "CVE-2007-2052",
"summary": "Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2052"
},
{
"id": "CVE-2007-4559",
"summary": "Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4559",
"detail": "disputed",
"description": "Upstream consider this expected behaviour"
},
{
"id": "CVE-2007-4965",
"summary": "Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4965"
},
{
"id": "CVE-2008-1679",
"summary": "Multiple integer overflows in imageop.c in Python before 2.5.3 allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted images that trigger heap-based buffer overflows. NOTE: this issue is due to an incomplete fix for CVE-2007-4965.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1679"
},
{
"id": "CVE-2008-1721",
"summary": "Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1721"
},
{
"id": "CVE-2008-1887",
"summary": "Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1887"
},
{
"id": "CVE-2008-2315",
"summary": "Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules. NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2315"
},
{
"id": "CVE-2008-2316",
"summary": "Integer overflow in _hashopenssl.c in the hashlib module in Python 2.5.2 and earlier might allow context-dependent attackers to defeat cryptographic digests, related to \"partial hashlib hashing of data exceeding 4GB.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2316"
},
{
"id": "CVE-2008-3142",
"summary": "Multiple buffer overflows in Python 2.5.2 and earlier on 32bit platforms allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a long string that leads to incorrect memory allocation during Unicode string processing, related to the unicode_resize function and the PyMem_RESIZE macro.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3142"
},
{
"id": "CVE-2008-3143",
"summary": "Multiple integer overflows in Python before 2.5.2 might allow context-dependent attackers to have an unknown impact via vectors related to (1) Include/pymem.h; (2) _csv.c, (3) _struct.c, (4) arraymodule.c, (5) audioop.c, (6) binascii.c, (7) cPickle.c, (8) cStringIO.c, (9) cjkcodecs/multibytecodec.c, (10) datetimemodule.c, (11) md5.c, (12) rgbimgmodule.c, and (13) stropmodule.c in Modules/; (14) bufferobject.c, (15) listobject.c, and (16) obmalloc.c in Objects/; (17) Parser/node.c; and (18) asdl.c, (19) ast.c, (20) bltinmodule.c, and (21) compile.c in Python/, as addressed by \"checks for integer overflows, contributed by Google.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3143"
},
{
"id": "CVE-2008-3144",
"summary": "Multiple integer overflows in the PyOS_vsnprintf function in Python/mysnprintf.c in Python 2.5.2 and earlier allow context-dependent attackers to cause a denial of service (memory corruption) or have unspecified other impact via crafted input to string formatting operations. NOTE: the handling of certain integer values is also affected by related integer underflows and an off-by-one error.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3144"
},
{
"id": "CVE-2008-4108",
"summary": "Tools/faqwiz/move-faqwiz.sh (aka the generic FAQ wizard moving tool) in Python 2.4.5 might allow local users to overwrite arbitrary files via a symlink attack on a tmp$RANDOM.tmp temporary file. NOTE: there may not be common usage scenarios in which tmp$RANDOM.tmp is located in an untrusted directory.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4108"
},
{
"id": "CVE-2008-4864",
"summary": "Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4864"
},
{
"id": "CVE-2008-5031",
"summary": "Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5031"
},
{
"id": "CVE-2008-5983",
"summary": "Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5983"
},
{
"id": "CVE-2009-4134",
"summary": "Buffer underflow in the rgbimg module in Python 2.5 allows remote attackers to cause a denial of service (application crash) via a large ZSIZE value in a black-and-white (aka B/W) RGB image that triggers an invalid pointer dereference.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4134"
},
{
"id": "CVE-2010-1449",
"summary": "Integer overflow in rgbimgmodule.c in the rgbimg module in Python 2.5 allows remote attackers to have an unspecified impact via a large image that triggers a buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-3143.12.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1449"
},
{
"id": "CVE-2010-1450",
"summary": "Multiple buffer overflows in the RLE decoder in the rgbimg module in Python 2.5 allow remote attackers to have an unspecified impact via an image file containing crafted data that triggers improper processing within the (1) longimagedata or (2) expandrow function.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1450"
},
{
"id": "CVE-2010-1634",
"summary": "Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1634"
},
{
"id": "CVE-2010-2089",
"summary": "The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2089"
},
{
"id": "CVE-2010-3492",
"summary": "The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3492"
},
{
"id": "CVE-2010-3493",
"summary": "Multiple race conditions in smtpd.py in the smtpd module in Python 2.6, 2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername function having an ENOTCONN error, a related issue to CVE-2010-3492.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3493"
},
{
"id": "CVE-2011-1015",
"summary": "The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the URI.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1015"
},
{
"id": "CVE-2011-1521",
"summary": "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1521"
},
{
"id": "CVE-2011-4940",
"summary": "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4940"
},
{
"id": "CVE-2011-4944",
"summary": "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4944"
},
{
"id": "CVE-2012-0845",
"summary": "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0845"
},
{
"id": "CVE-2012-0876",
"summary": "The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0876"
},
{
"id": "CVE-2012-1150",
"summary": "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1150"
},
{
"id": "CVE-2012-2135",
"summary": "The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2135"
},
{
"id": "CVE-2013-0340",
"summary": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0340"
},
{
"id": "CVE-2013-1753",
"summary": "The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1753"
},
{
"id": "CVE-2013-2099",
"summary": "Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2099"
},
{
"id": "CVE-2013-4238",
"summary": "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4238"
},
{
"id": "CVE-2013-7040",
"summary": "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7040"
},
{
"id": "CVE-2013-7338",
"summary": "Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7338"
},
{
"id": "CVE-2013-7440",
"summary": "The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7440"
},
{
"id": "CVE-2014-0224",
"summary": "OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the \"CCS Injection\" vulnerability.",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0224"
},
{
"id": "CVE-2014-1912",
"summary": "Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1912"
},
{
"id": "CVE-2014-2667",
"summary": "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2667"
},
{
"id": "CVE-2014-4616",
"summary": "Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4616"
},
{
"id": "CVE-2014-4650",
"summary": "The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4650"
},
{
"id": "CVE-2014-7185",
"summary": "Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a \"buffer\" function.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7185"
},
{
"id": "CVE-2014-9365",
"summary": "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9365"
},
{
"id": "CVE-2015-1283",
"summary": "Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1283"
},
{
"id": "CVE-2015-20107",
"summary": "In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9",
"scorev2": "8.0",
"scorev3": "7.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:C/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-20107",
"detail": "upstream-wontfix",
"description": "The mailcap module is insecure by design, so this can't be fixed in a meaningful way"
},
{
"id": "CVE-2015-5652",
"summary": "Untrusted search path vulnerability in python.exe in Python through 3.5.0 on Windows allows local users to gain privileges via a Trojan horse readline.pyd file in the current working directory. NOTE: the vendor says \"It was determined that this is a longtime behavior of Python that cannot really be altered at this point.\"",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5652"
},
{
"id": "CVE-2016-0718",
"summary": "Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0718"
},
{
"id": "CVE-2016-0772",
"summary": "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"",
"scorev2": "5.8",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0772"
},
{
"id": "CVE-2016-1000110",
"summary": "The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.",
"scorev2": "5.8",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000110"
},
{
"id": "CVE-2016-2183",
"summary": "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
},
{
"id": "CVE-2016-3189",
"summary": "Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3189"
},
{
"id": "CVE-2016-4472",
"summary": "The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4472"
},
{
"id": "CVE-2016-5636",
"summary": "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5636"
},
{
"id": "CVE-2016-5699",
"summary": "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.",
"scorev2": "4.3",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5699"
},
{
"id": "CVE-2016-9063",
"summary": "An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9063"
},
{
"id": "CVE-2017-1000158",
"summary": "CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000158"
},
{
"id": "CVE-2017-17522",
"summary": "Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17522"
},
{
"id": "CVE-2017-18207",
"summary": "The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4 does not ensure a nonzero channel value, which allows attackers to cause a denial of service (divide-by-zero and exception) via a crafted wav format audio file. NOTE: the vendor disputes this issue because Python applications \"need to be prepared to handle a wide variety of exceptions.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18207"
},
{
"id": "CVE-2017-20052",
"summary": "A vulnerability classified as problematic was found in Python 2.7.13. This vulnerability affects unknown code of the component pgAdmin4. The manipulation leads to uncontrolled search path. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.",
"scorev2": "4.4",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-20052"
},
{
"id": "CVE-2017-9233",
"summary": "XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9233"
},
{
"id": "CVE-2018-1000030",
"summary": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.",
"scorev2": "3.3",
"scorev3": "3.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000030"
},
{
"id": "CVE-2018-1000117",
"summary": "Python Software Foundation CPython version From 3.2 until 3.6.4 on Windows contains a Buffer Overflow vulnerability in os.symlink() function on Windows that can result in Arbitrary code execution, likely escalation of privilege. This attack appears to be exploitable via a python script that creates a symlink with an attacker controlled name or location. This vulnerability appears to have been fixed in 3.7.0 and 3.6.5.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000117"
},
{
"id": "CVE-2018-1000802",
"summary": "Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000802"
},
{
"id": "CVE-2018-1060",
"summary": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.",
"scorev2": "5.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1060"
},
{
"id": "CVE-2018-1061",
"summary": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1061"
},
{
"id": "CVE-2018-14647",
"summary": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14647"
},
{
"id": "CVE-2018-20406",
"summary": "Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a \"resize to twice the size\" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. This issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.7rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1, v3.6.7rc2, v3.6.8, v3.6.8rc1, v3.6.9, v3.6.9rc1; v3.7.1, v3.7.1rc1, v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20406"
},
{
"id": "CVE-2018-20852",
"summary": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20852"
},
{
"id": "CVE-2018-25032",
"summary": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032"
},
{
"id": "CVE-2019-10160",
"summary": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.",
"scorev2": "5.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10160"
},
{
"id": "CVE-2019-12900",
"summary": "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12900"
},
{
"id": "CVE-2019-13404",
"summary": "The MSI installer for Python through 2.7.16 on Windows defaults to the C:\\Python27 directory, which makes it easier for local users to deploy Trojan horse code. (This also affects old 3.x releases before 3.5.) NOTE: the vendor's position is that it is the user's responsibility to ensure C:\\Python27 access control or choose a different directory, because backwards compatibility requires that C:\\Python27 remain the default for 2.7.x",
"scorev2": "9.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13404"
},
{
"id": "CVE-2019-15903",
"summary": "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15903"
},
{
"id": "CVE-2019-16056",
"summary": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16056"
},
{
"id": "CVE-2019-16935",
"summary": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.",
"scorev2": "4.3",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16935"
},
{
"id": "CVE-2019-17514",
"summary": "library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated \"finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,\" one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17514"
},
{
"id": "CVE-2019-18348",
"summary": "An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.",
"scorev2": "4.3",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18348",
"detail": "not-applicable-config",
"description": "This is not exploitable when glibc has CVE-2016-10739 fixed"
},
{
"id": "CVE-2019-20907",
"summary": "In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20907"
},
{
"id": "CVE-2019-5010",
"summary": "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.",
"scorev2": "5.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5010"
},
{
"id": "CVE-2019-9636",
"summary": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.",
"scorev2": "5.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9636"
},
{
"id": "CVE-2019-9674",
"summary": "Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9674"
},
{
"id": "CVE-2019-9740",
"summary": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.",
"scorev2": "4.3",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9740"
},
{
"id": "CVE-2019-9947",
"summary": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.",
"scorev2": "4.3",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9947"
},
{
"id": "CVE-2019-9948",
"summary": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9948"
},
{
"id": "CVE-2020-10735",
"summary": "A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int(\"text\"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10735"
},
{
"id": "CVE-2020-14422",
"summary": "Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14422"
},
{
"id": "CVE-2020-15523",
"summary": "In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15523",
"detail": "not-applicable-platform",
"description": "Issue only applies on Windows"
},
{
"id": "CVE-2020-15801",
"summary": "In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The ._pth file (e.g., the python._pth file) is not affected.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15801"
},
{
"id": "CVE-2020-26116",
"summary": "http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.",
"scorev2": "6.4",
"scorev3": "7.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-26116"
},
{
"id": "CVE-2020-27619",
"summary": "In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27619"
},
{
"id": "CVE-2020-8315",
"summary": "In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8315"
},
{
"id": "CVE-2020-8492",
"summary": "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.",
"scorev2": "7.1",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8492"
},
{
"id": "CVE-2021-23336",
"summary": "The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.",
"scorev2": "4.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23336"
},
{
"id": "CVE-2021-28861",
"summary": "Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states \"Warning: http.server is not recommended for production. It only implements basic security checks.\"",
"scorev2": "0.0",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28861"
},
{
"id": "CVE-2021-29921",
"summary": "In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29921"
},
{
"id": "CVE-2021-3177",
"summary": "Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3177"
},
{
"id": "CVE-2021-3426",
"summary": "There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3426"
},
{
"id": "CVE-2021-3733",
"summary": "There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3733"
},
{
"id": "CVE-2021-3737",
"summary": "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.",
"scorev2": "7.1",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3737"
},
{
"id": "CVE-2021-4189",
"summary": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4189"
},
{
"id": "CVE-2022-0391",
"summary": "A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\\r' and '\\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0391"
},
{
"id": "CVE-2022-26488",
"summary": "In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26488",
"detail": "not-applicable-platform",
"description": "Issue only applies on Windows"
},
{
"id": "CVE-2022-37454",
"summary": "The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-37454"
},
{
"id": "CVE-2022-42919",
"summary": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919"
},
{
"id": "CVE-2022-45061",
"summary": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061"
},
{
"id": "CVE-2022-48560",
"summary": "A use-after-free exists in Python through 3.9 via heappushpop in heapq.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48560"
},
{
"id": "CVE-2022-48564",
"summary": "read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48564"
},
{
"id": "CVE-2022-48565",
"summary": "An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48565"
},
{
"id": "CVE-2022-48566",
"summary": "An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48566"
},
{
"id": "CVE-2023-24329",
"summary": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329"
},
{
"id": "CVE-2023-27043",
"summary": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043"
},
{
"id": "CVE-2023-33595",
"summary": "CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-free via the function ascii_decode at /Objects/unicodeobject.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33595"
},
{
"id": "CVE-2023-36632",
"summary": "The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger \"RecursionError: maximum recursion depth exceeded while calling a Python object\" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-36632",
"detail": "disputed",
"description": "Not an issue, in fact expected behaviour"
},
{
"id": "CVE-2023-38898",
"summary": "An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component. NOTE: this is disputed by the vendor because (1) neither 3.7 nor any other release is affected (it is a bug in some 3.12 pre-releases); (2) there are no common scenarios in which an adversary can call _asyncio._swap_current_task but does not already have the ability to call arbitrary functions; and (3) there are no common scenarios in which sensitive information, which is not already accessible to an adversary, becomes accessible through this bug.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38898"
},
{
"id": "CVE-2023-40217",
"summary": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217"
},
{
"id": "CVE-2023-41105",
"summary": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105"
},
{
"id": "CVE-2023-6507",
"summary": "An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases.\n\nWhen using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list.\n\nThis issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).\n\n",
"scorev2": "0.0",
"scorev3": "4.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6507"
}
]
},
{
"name": "python3-networkx",
"layer": "meta-python",
"version": "3.1",
"products": [
{
"product": "networkx",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-numpy",
"layer": "meta",
"version": "1.26.4",
"products": [
{
"product": "python3-numpy",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-packaging",
"layer": "meta",
"version": "23.2",
"products": [
{
"product": "packaging",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-packaging-native",
"layer": "meta",
"version": "23.2",
"products": [
{
"product": "packaging",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-pathlib2",
"layer": "meta",
"version": "2.3.7",
"products": [
{
"product": "pathlib2",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-pathlib2-native",
"layer": "meta",
"version": "2.3.7",
"products": [
{
"product": "pathlib2",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-pathspec-native",
"layer": "meta",
"version": "0.12.1",
"products": [
{
"product": "pathspec",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-pip-native",
"layer": "meta",
"version": "24.0",
"products": [
{
"product": "pip",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-pluggy",
"layer": "meta",
"version": "1.4.0",
"products": [
{
"product": "pluggy",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-pluggy-native",
"layer": "meta",
"version": "1.4.0",
"products": [
{
"product": "pluggy",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-ply",
"layer": "meta",
"version": "3.11",
"products": [
{
"product": "ply",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-poetry-core-native",
"layer": "meta",
"version": "1.9.0",
"products": [
{
"product": "poetry_core",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-protobuf",
"layer": "meta-python",
"version": "4.25.3",
"products": [
{
"product": "protobuf",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-protobuf-native",
"layer": "meta-python",
"version": "4.25.3",
"products": [
{
"product": "protobuf",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-py",
"layer": "meta",
"version": "1.11.0",
"products": [
{
"product": "py",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-py-expression-eval",
"layer": "meta-agl-kuksa-val",
"version": "0.3.14",
"products": [
{
"product": "python3-py-expression-eval",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-pycairo",
"layer": "meta",
"version": "1.26.0",
"products": [
{
"product": "python3-pycairo",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-pygments",
"layer": "meta",
"version": "2.17.2",
"products": [
{
"product": "pygments",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-pygments-native",
"layer": "meta",
"version": "2.17.2",
"products": [
{
"product": "pygments",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-pygobject",
"layer": "meta",
"version": "3.46.0",
"products": [
{
"product": "python3-pygobject",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-pyparsing-native",
"layer": "meta",
"version": "3.1.1",
"products": [
{
"product": "pyparsing",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-pyperclip",
"layer": "meta-python",
"version": "1.8.2",
"products": [
{
"product": "pyperclip",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-pyproject-hooks-native",
"layer": "meta",
"version": "1.0.0",
"products": [
{
"product": "pyproject_hooks",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-pyserial",
"layer": "meta-python",
"version": "3.5",
"products": [
{
"product": "pyserial",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-pytest",
"layer": "meta",
"version": "8.0.2",
"products": [
{
"product": "pytest",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-pyyaml",
"layer": "meta",
"version": "6.0.1",
"products": [
{
"product": "PyYAML",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-pyyaml-native",
"layer": "meta",
"version": "6.0.1",
"products": [
{
"product": "PyYAML",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-scons-native",
"layer": "meta",
"version": "4.6.0",
"products": [
{
"product": "SCons",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-setuptools",
"layer": "meta",
"version": "69.1.1",
"products": [
{
"product": "setuptools",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-1633",
"summary": "easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1633"
},
{
"id": "CVE-2022-40897",
"summary": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40897"
}
]
},
{
"name": "python3-setuptools-git-versioning-native",
"layer": "meta-agl-kuksa-val",
"version": "1.7.4",
"products": [
{
"product": "setuptools-git-versioning",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-setuptools-native",
"layer": "meta",
"version": "69.1.1",
"products": [
{
"product": "setuptools",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2013-1633",
"summary": "easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1633"
},
{
"id": "CVE-2022-40897",
"summary": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40897"
}
]
},
{
"name": "python3-setuptools-scm-native",
"layer": "meta",
"version": "8.0.4",
"products": [
{
"product": "setuptools-scm",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-six",
"layer": "meta",
"version": "1.16.0",
"products": [
{
"product": "six",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-six-native",
"layer": "meta",
"version": "1.16.0",
"products": [
{
"product": "six",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-sortedcontainers",
"layer": "meta",
"version": "2.4.0",
"products": [
{
"product": "sortedcontainers",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-systemd",
"layer": "meta-python",
"version": "235",
"products": [
{
"product": "systemd-python",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-textparser",
"layer": "meta-python",
"version": "0.24.0",
"products": [
{
"product": "textparser",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-toml-native",
"layer": "meta",
"version": "0.10.2",
"products": [
{
"product": "toml",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-tomli-native",
"layer": "meta",
"version": "2.0.1",
"products": [
{
"product": "tomli",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-trove-classifiers-native",
"layer": "meta",
"version": "2024.2.23",
"products": [
{
"product": "trove-classifiers",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-typing-extensions",
"layer": "meta",
"version": "4.10.0",
"products": [
{
"product": "typing_extensions",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-typing-extensions-native",
"layer": "meta",
"version": "4.10.0",
"products": [
{
"product": "typing_extensions",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-unittest-automake-output",
"layer": "meta",
"version": "0.2",
"products": [
{
"product": "python3-unittest-automake-output",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-wcwidth",
"layer": "meta",
"version": "0.2.13",
"products": [
{
"product": "wcwidth",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-websockets",
"layer": "meta",
"version": "12.0",
"products": [
{
"product": "websockets",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-wheel-native",
"layer": "meta",
"version": "0.42.0",
"products": [
{
"product": "wheel",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-wrapt",
"layer": "meta-python",
"version": "1.16.0",
"products": [
{
"product": "wrapt",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-zipp",
"layer": "meta",
"version": "3.17.0",
"products": [
{
"product": "zipp",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "python3-zipp-native",
"layer": "meta",
"version": "3.17.0",
"products": [
{
"product": "zipp",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "qemu-native",
"layer": "meta",
"version": "8.2.1",
"products": [
{
"product": "qemu",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-0998",
"summary": "The VNC server implementation in QEMU, as used by Xen and possibly other environments, allows local users of a guest operating system to read arbitrary files on the host operating system via unspecified vectors related to QEMU monitor mode, as demonstrated by mapping files to a CDROM device. NOTE: some of these details are obtained from third party information.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0998",
"detail": "not-applicable-config",
"description": "The VNC server can expose host files uder some circumstances. We don't enable it by default."
},
{
"id": "CVE-2007-1320",
"summary": "Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to \"attempting to mark non-existent regions as dirty,\" aka the \"bitblt\" heap overflow.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1320"
},
{
"id": "CVE-2007-1321",
"summary": "Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 \"receive\" integer signedness error. NOTE: this identifier was inadvertently used by some sources to cover multiple issues that were labeled \"NE2000 network driver and the socket code,\" but separate identifiers have been created for the individual vulnerabilities since there are sometimes different fixes; see CVE-2007-5729 and CVE-2007-5730.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1321"
},
{
"id": "CVE-2007-1322",
"summary": "QEMU 0.8.2 allows local users to halt a virtual machine by executing the icebp instruction.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1322"
},
{
"id": "CVE-2007-1366",
"summary": "QEMU 0.8.2 allows local users to crash a virtual machine via the divisor operand to the aam instruction, as demonstrated by \"aam 0x0,\" which triggers a divide-by-zero error.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1366"
},
{
"id": "CVE-2007-5729",
"summary": "The NE2000 emulator in QEMU 0.8.2 allows local users to execute arbitrary code by writing Ethernet frames with a size larger than the MTU to the EN0_TCNT register, which triggers a heap-based buffer overflow in the slirp library, aka NE2000 \"mtu\" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of \"NE2000 network driver and the socket code,\" but this is the correct identifier for the mtu overflow vulnerability.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5729"
},
{
"id": "CVE-2007-5730",
"summary": "Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to execute arbitrary code via crafted data in the \"net socket listen\" option, aka QEMU \"net socket\" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of \"NE2000 network driver and the socket code,\" but this is the correct identifier for the individual net socket listen vulnerability.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5730"
},
{
"id": "CVE-2007-6227",
"summary": "QEMU 0.9.0 allows local users of a Windows XP SP2 guest operating system to overwrite the TranslationBlock (code_gen_buffer) buffer, and probably have unspecified other impacts related to an \"overflow,\" via certain Windows executable programs, as demonstrated by qemu-dos.com.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6227"
},
{
"id": "CVE-2008-0928",
"summary": "Qemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine.",
"scorev2": "4.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0928"
},
{
"id": "CVE-2008-1945",
"summary": "QEMU 0.9.0 does not properly handle changes to removable media, which allows guest OS users to read arbitrary files on the host OS by using the diskformat: parameter in the -usbdevice option to modify the disk-image header to identify a different format, a related issue to CVE-2008-2004.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1945"
},
{
"id": "CVE-2008-2004",
"summary": "The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2004"
},
{
"id": "CVE-2008-2382",
"summary": "The protocol_client_msg function in vnc.c in the VNC server in (1) Qemu 0.9.1 and earlier and (2) KVM kvm-79 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2382"
},
{
"id": "CVE-2008-4539",
"summary": "Heap-based buffer overflow in the Cirrus VGA implementation in (1) KVM before kvm-82 and (2) QEMU on Debian GNU/Linux and Ubuntu might allow local users to gain privileges by using the VNC console for a connection, aka the LGD-54XX \"bitblt\" heap overflow. NOTE: this issue exists because of an incorrect fix for CVE-2007-1320.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4539"
},
{
"id": "CVE-2008-4553",
"summary": "qemu-make-debian-root in qemu 0.9.1-5 on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on temporary files and directories.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4553"
},
{
"id": "CVE-2008-5714",
"summary": "Off-by-one error in monitor.c in Qemu 0.9.1 might make it easier for remote attackers to guess the VNC password, which is limited to seven characters where eight was intended.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5714"
},
{
"id": "CVE-2009-3616",
"summary": "Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities.",
"scorev2": "8.5",
"scorev3": "9.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3616"
},
{
"id": "CVE-2010-0297",
"summary": "Buffer overflow in the usb_host_handle_control function in the USB passthrough handling implementation in usb-linux.c in QEMU before 0.11.1 allows guest OS users to cause a denial of service (guest OS crash or hang) or possibly execute arbitrary code on the host OS via a crafted USB packet.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0297"
},
{
"id": "CVE-2011-0011",
"summary": "qemu-kvm before 0.11.0 disables VNC authentication when the password is cleared, which allows remote attackers to bypass authentication and establish VNC sessions.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0011"
},
{
"id": "CVE-2011-1750",
"summary": "Multiple heap-based buffer overflows in the virtio-blk driver (hw/virtio-blk.c) in qemu-kvm 0.14.0 allow local guest users to cause a denial of service (guest crash) and possibly gain privileges via a (1) write request to the virtio_blk_handle_write function or (2) read request to the virtio_blk_handle_read function that is not properly aligned.",
"scorev2": "7.4",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1750"
},
{
"id": "CVE-2011-1751",
"summary": "The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management emulation in qemu-kvm does not check if a device is hotpluggable before unplugging the PCI-ISA bridge, which allows privileged guest users to cause a denial of service (guest crash) and possibly execute arbitrary code by sending a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, which leads to a use-after-free related to \"active qemu timers.\"",
"scorev2": "7.4",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1751"
},
{
"id": "CVE-2011-2212",
"summary": "Buffer overflow in the virtio subsystem in qemu-kvm 0.14.0 and earlier allows privileged guest users to cause a denial of service (guest crash) or gain privileges via a crafted indirect descriptor related to \"virtqueue in and out requests.\"",
"scorev2": "7.4",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2212"
},
{
"id": "CVE-2011-2527",
"summary": "The change_process_uid function in os-posix.c in Qemu 0.14.0 and earlier does not properly drop group privileges when the -runas option is used, which allows local guest users to access restricted files on the host.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2527"
},
{
"id": "CVE-2011-3346",
"summary": "Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before 0.15.2, as used by Xen, might allow local guest users with permission to access the CD-ROM to cause a denial of service (guest crash) via a crafted SAI READ CAPACITY SCSI command. NOTE: this is only a vulnerability when root has manually modified certain permissions or ACLs.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3346"
},
{
"id": "CVE-2011-4111",
"summary": "Buffer overflow in the ccid_card_vscard_handle_message function in hw/ccid-card-passthru.c in QEMU before 0.15.2 and 1.x before 1.0-rc4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VSC_ATR message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4111"
},
{
"id": "CVE-2012-2652",
"summary": "The bdrv_open function in Qemu 1.0 does not properly handle the failure of the mkstemp function, when in snapshot node, which allows local users to overwrite or read arbitrary files via a symlink attack on an unspecified temporary file.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2652"
},
{
"id": "CVE-2012-3515",
"summary": "Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a \"device model's address space.\"",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3515"
},
{
"id": "CVE-2012-6075",
"summary": "Buffer overflow in the e1000_receive function in the e1000 device driver (hw/e1000.c) in QEMU 1.3.0-rc2 and other versions, when the SBP and LPE flags are disabled, allows remote attackers to cause a denial of service (guest OS crash) and possibly execute arbitrary guest code via a large packet.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6075"
},
{
"id": "CVE-2013-2007",
"summary": "The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when started in daemon mode, uses weak permissions for certain files, which allows local users to read and write to these files.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2007"
},
{
"id": "CVE-2013-2016",
"summary": "A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host's qemu address space and thus increase their privileges on the host.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2016"
},
{
"id": "CVE-2013-4148",
"summary": "Integer signedness error in the virtio_net_load function in hw/net/virtio-net.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers a buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4148"
},
{
"id": "CVE-2013-4149",
"summary": "Buffer overflow in virtio_net_load function in net/virtio-net.c in QEMU 1.3.0 through 1.7.x before 1.7.2 might allow remote attackers to execute arbitrary code via a large MAC table.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4149"
},
{
"id": "CVE-2013-4150",
"summary": "The virtio_net_load function in hw/net/virtio-net.c in QEMU 1.5.0 through 1.7.x before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors in which the value of curr_queues is greater than max_queues, which triggers an out-of-bounds write.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4150"
},
{
"id": "CVE-2013-4151",
"summary": "The virtio_load function in virtio/virtio.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds write.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4151"
},
{
"id": "CVE-2013-4344",
"summary": "Buffer overflow in the SCSI implementation in QEMU, as used in Xen, when a SCSI controller has more than 256 attached devices, allows local users to gain privileges via a small transfer buffer in a REPORT LUNS command.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4344"
},
{
"id": "CVE-2013-4375",
"summary": "The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before 4.3.1, and qemu 1.1 and other versions, allows local HVM guests to cause a denial of service (domain grant reference consumption) via unspecified vectors.",
"scorev2": "2.7",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4375"
},
{
"id": "CVE-2013-4377",
"summary": "Use-after-free vulnerability in the virtio-pci implementation in Qemu 1.4.0 through 1.6.0 allows local users to cause a denial of service (daemon crash) by \"hot-unplugging\" a virtio device.",
"scorev2": "2.3",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4377"
},
{
"id": "CVE-2013-4526",
"summary": "Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via vectors related to migrating ports.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4526"
},
{
"id": "CVE-2013-4527",
"summary": "Buffer overflow in hw/timer/hpet.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via vectors related to the number of timers.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4527"
},
{
"id": "CVE-2013-4529",
"summary": "Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4529"
},
{
"id": "CVE-2013-4530",
"summary": "Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4530"
},
{
"id": "CVE-2013-4531",
"summary": "Buffer overflow in target-arm/machine.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative value in cpreg_vmstate_array_len in a savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4531"
},
{
"id": "CVE-2013-4532",
"summary": "Qemu 1.1.2+dfsg to 2.1+dfsg suffers from a buffer overrun which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4532"
},
{
"id": "CVE-2013-4533",
"summary": "Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted s->rx_level value in a savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4533"
},
{
"id": "CVE-2013-4534",
"summary": "Buffer overflow in hw/intc/openpic.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to IRQDest elements.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4534"
},
{
"id": "CVE-2013-4535",
"summary": "The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read.",
"scorev2": "7.2",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4535"
},
{
"id": "CVE-2013-4536",
"summary": "An user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4536"
},
{
"id": "CVE-2013-4537",
"summary": "The ssi_sd_transfer function in hw/sd/ssi-sd.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted arglen value in a savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4537"
},
{
"id": "CVE-2013-4538",
"summary": "Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c in QEMU before 1.7.2 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and row_end values; or (5) col_star and col_end values in a savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4538"
},
{
"id": "CVE-2013-4539",
"summary": "Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4539"
},
{
"id": "CVE-2013-4540",
"summary": "Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a large (1) prev_level, (2) gpio_level, or (3) gpio_dir value in a savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4540"
},
{
"id": "CVE-2013-4541",
"summary": "The usb_device_post_load function in hw/usb/bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, related to a negative setup_len or setup_index value.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4541"
},
{
"id": "CVE-2013-4542",
"summary": "The virtio_scsi_load_request function in hw/scsi/scsi-bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds array access.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4542"
},
{
"id": "CVE-2013-4544",
"summary": "hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier allows local guest users to cause a denial of service or possibly execute arbitrary code via vectors related to (1) RX or (2) TX queue numbers or (3) interrupt indices. NOTE: some of these details are obtained from third party information.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4544"
},
{
"id": "CVE-2013-6399",
"summary": "Array index error in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6399"
},
{
"id": "CVE-2014-0142",
"summary": "QEMU, possibly before 2.0.0, allows local users to cause a denial of service (divide-by-zero error and crash) via a zero value in the (1) tracks field to the seek_to_sector function in block/parallels.c or (2) extent_size field in the bochs function in block/bochs.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0142"
},
{
"id": "CVE-2014-0143",
"summary": "Multiple integer overflows in the block drivers in QEMU, possibly before 2.0.0, allow local users to cause a denial of service (crash) via a crafted catalog size in (1) the parallels_open function in block/parallels.c or (2) bochs_open function in bochs.c, a large L1 table in the (3) qcow2_snapshot_load_tmp in qcow2-snapshot.c or (4) qcow2_grow_l1_table function in qcow2-cluster.c, (5) a large request in the bdrv_check_byte_request function in block.c and other block drivers, (6) crafted cluster indexes in the get_refcount function in qcow2-refcount.c, or (7) a large number of blocks in the cloop_open function in cloop.c, which trigger buffer overflows, memory corruption, large memory allocations and out-of-bounds read and writes.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0143"
},
{
"id": "CVE-2014-0144",
"summary": "QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host with the privileges of the QEMU process.",
"scorev2": "0.0",
"scorev3": "8.6",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0144"
},
{
"id": "CVE-2014-0145",
"summary": "Multiple buffer overflows in QEMU before 1.7.2 and 2.x before 2.0.0, allow local users to cause a denial of service (crash) or possibly execute arbitrary code via a large (1) L1 table in the qcow2_snapshot_load_tmp in the QCOW 2 block driver (block/qcow2-snapshot.c) or (2) uncompressed chunk, (3) chunk length, or (4) number of sectors in the DMG block driver (block/dmg.c).",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0145"
},
{
"id": "CVE-2014-0146",
"summary": "The qcow2_open function in the (block/qcow2.c) in QEMU before 1.7.2 and 2.x before 2.0.0 allows local users to cause a denial of service (NULL pointer dereference) via a crafted image which causes an error, related to the initialization of the snapshot_offset and nb_snapshots fields.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0146"
},
{
"id": "CVE-2014-0147",
"summary": "Qemu before 1.6.2 block diver for the various disk image formats used by Bochs and for the QCOW version 2 format, are vulnerable to a possible crash caused by signed data types or a logic error while creating QCOW2 snapshots, which leads to incorrectly calling update_refcount() routine.",
"scorev2": "0.0",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0147"
},
{
"id": "CVE-2014-0148",
"summary": "Qemu before 2.0 block driver for Hyper-V VHDX Images is vulnerable to infinite loops and other potential issues when calculating BAT entries, due to missing bounds checks for block_size and logical_sector_size variables. These are used to derive other fields like 'sectors_per_block' etc. A user able to alter the Qemu disk image could ise this flaw to crash the Qemu instance resulting in DoS.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0148"
},
{
"id": "CVE-2014-0150",
"summary": "Integer overflow in the virtio_net_handle_mac function in hw/net/virtio-net.c in QEMU 2.0 and earlier allows local guest users to execute arbitrary code via a MAC addresses table update request, which triggers a heap-based buffer overflow.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0150"
},
{
"id": "CVE-2014-0182",
"summary": "Heap-based buffer overflow in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted config length in a savevm image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0182"
},
{
"id": "CVE-2014-0222",
"summary": "Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0222"
},
{
"id": "CVE-2014-0223",
"summary": "Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0223"
},
{
"id": "CVE-2014-2894",
"summary": "Off-by-one error in the cmd_smart function in the smart self test in hw/ide/core.c in QEMU before 2.0 allows local users to have unspecified impact via a SMART EXECUTE OFFLINE command that triggers a buffer underflow and memory corruption.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2894"
},
{
"id": "CVE-2014-3461",
"summary": "hw/usb/bus.c in QEMU 1.6.2 allows remote attackers to execute arbitrary code via crafted savevm data, which triggers a heap-based buffer overflow, related to \"USB post load checks.\"",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3461"
},
{
"id": "CVE-2014-3471",
"summary": "Use-after-free vulnerability in hw/pci/pcie.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU instance crash) via hotplug and hotunplug operations of Virtio block devices.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3471"
},
{
"id": "CVE-2014-3615",
"summary": "The VGA emulator in QEMU allows local guest users to read host memory by setting the display to a high resolution.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3615"
},
{
"id": "CVE-2014-3640",
"summary": "The sosendto function in slirp/udp.c in QEMU before 2.1.2 allows local users to cause a denial of service (NULL pointer dereference) by sending a udp packet with a value of 0 in the source port and address, which triggers access of an uninitialized socket.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3640"
},
{
"id": "CVE-2014-3689",
"summary": "The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3689"
},
{
"id": "CVE-2014-5263",
"summary": "vmstate_xhci_event in hw/usb/hcd-xhci.c in QEMU 1.6.0 does not terminate the list with the VMSTATE_END_OF_LIST macro, which allows attackers to cause a denial of service (out-of-bounds access, infinite loop, and memory corruption) and possibly gain privileges via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5263"
},
{
"id": "CVE-2014-5388",
"summary": "Off-by-one error in the pci_read function in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in QEMU allows local guest users to obtain sensitive information and have other unspecified impact related to a crafted PCI device that triggers memory corruption.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5388"
},
{
"id": "CVE-2014-7815",
"summary": "The set_pixel_format function in ui/vnc.c in QEMU allows remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7815"
},
{
"id": "CVE-2014-7840",
"summary": "The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allows remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7840"
},
{
"id": "CVE-2014-8106",
"summary": "Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because an incomplete fix for CVE-2007-1320.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8106"
},
{
"id": "CVE-2014-9718",
"summary": "The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality in QEMU 1.0 through 2.1.3 have multiple interpretations of a function's return value, which allows guest OS users to cause a host OS denial of service (memory consumption or infinite loop, and system crash) via a PRDT with zero complete sectors, related to the bmdma_prepare_buf and ahci_dma_prepare_buf functions.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9718"
},
{
"id": "CVE-2015-1779",
"summary": "The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section.",
"scorev2": "7.8",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1779"
},
{
"id": "CVE-2015-3209",
"summary": "Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3209"
},
{
"id": "CVE-2015-3214",
"summary": "The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3214"
},
{
"id": "CVE-2015-3456",
"summary": "The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.",
"scorev2": "7.7",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3456"
},
{
"id": "CVE-2015-4037",
"summary": "The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4037"
},
{
"id": "CVE-2015-4106",
"summary": "QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4106"
},
{
"id": "CVE-2015-5154",
"summary": "Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5154"
},
{
"id": "CVE-2015-5158",
"summary": "Stack-based buffer overflow in hw/scsi/scsi-bus.c in QEMU, when built with SCSI-device emulation support, allows guest OS users with CAP_SYS_RAWIO permissions to cause a denial of service (instance crash) via an invalid opcode in a SCSI command descriptor block.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5158"
},
{
"id": "CVE-2015-5225",
"summary": "Buffer overflow in the vnc_refresh_server_surface function in the VNC display driver in QEMU before 2.4.0.1 allows guest users to cause a denial of service (heap memory corruption and process crash) or possibly execute arbitrary code on the host via unspecified vectors, related to refreshing the server display surface.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5225"
},
{
"id": "CVE-2015-5239",
"summary": "Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attachers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5239"
},
{
"id": "CVE-2015-5278",
"summary": "The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows attackers to cause a denial of service (infinite loop and instance crash) or possibly execute arbitrary code via vectors related to receiving packets.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5278"
},
{
"id": "CVE-2015-5279",
"summary": "Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5279"
},
{
"id": "CVE-2015-5745",
"summary": "Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5745"
},
{
"id": "CVE-2015-6815",
"summary": "The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors.",
"scorev2": "2.7",
"scorev3": "3.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6815"
},
{
"id": "CVE-2015-6855",
"summary": "hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6855"
},
{
"id": "CVE-2015-7295",
"summary": "hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7295"
},
{
"id": "CVE-2015-7504",
"summary": "Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode.",
"scorev2": "4.6",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7504"
},
{
"id": "CVE-2015-7512",
"summary": "Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet.",
"scorev2": "6.8",
"scorev3": "9.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7512"
},
{
"id": "CVE-2015-7549",
"summary": "The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure to define the .write method.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7549"
},
{
"id": "CVE-2015-8345",
"summary": "The eepro100 emulator in QEMU qemu-kvm blank allows local guest users to cause a denial of service (application crash and infinite loop) via vectors involving the command block list.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8345"
},
{
"id": "CVE-2015-8504",
"summary": "Qemu, when built with VNC display driver support, allows remote attackers to cause a denial of service (arithmetic exception and application crash) via crafted SetPixelFormat messages from a client.",
"scorev2": "3.5",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8504"
},
{
"id": "CVE-2015-8556",
"summary": "Local privilege escalation vulnerability in the Gentoo QEMU package before 2.5.0-r1.",
"scorev2": "10.0",
"scorev3": "10.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8556"
},
{
"id": "CVE-2015-8558",
"summary": "The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8558"
},
{
"id": "CVE-2015-8567",
"summary": "Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause a denial of service (memory consumption).",
"scorev2": "6.8",
"scorev3": "7.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8567"
},
{
"id": "CVE-2015-8568",
"summary": "Memory leak in QEMU, when built with a VMWARE VMXNET3 paravirtual NIC emulator support, allows local guest users to cause a denial of service (host memory consumption) by trying to activate the vmxnet3 device repeatedly.",
"scorev2": "4.7",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8568"
},
{
"id": "CVE-2015-8613",
"summary": "Stack-based buffer overflow in the megasas_ctrl_get_info function in QEMU, when built with SCSI MegaRAID SAS HBA emulation support, allows local guest users to cause a denial of service (QEMU instance crash) via a crafted SCSI controller CTRL_GET_INFO command.",
"scorev2": "1.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8613"
},
{
"id": "CVE-2015-8619",
"summary": "The Human Monitor Interface support in QEMU allows remote attackers to cause a denial of service (out-of-bounds write and application crash).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8619"
},
{
"id": "CVE-2015-8666",
"summary": "Heap-based buffer overflow in QEMU, when built with the Q35-chipset-based PC system emulator.",
"scorev2": "3.3",
"scorev3": "7.9",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8666"
},
{
"id": "CVE-2015-8701",
"summary": "QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the QEMU process instance resulting in DoS issue.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8701"
},
{
"id": "CVE-2015-8743",
"summary": "QEMU (aka Quick Emulator) built with the NE2000 device emulation support is vulnerable to an OOB r/w access issue. It could occur while performing 'ioport' r/w operations. A privileged (CAP_SYS_RAWIO) user/process could use this flaw to leak or corrupt QEMU memory bytes.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8743"
},
{
"id": "CVE-2015-8744",
"summary": "QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It occurs when a guest sends a Layer-2 packet smaller than 22 bytes. A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8744"
},
{
"id": "CVE-2015-8745",
"summary": "QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It could occur while reading Interrupt Mask Registers (IMR). A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8745"
},
{
"id": "CVE-2015-8817",
"summary": "QEMU (aka Quick Emulator) built to use 'address_space_translate' to map an address to a MemoryRegionSection is vulnerable to an OOB r/w access issue. It could occur while doing pci_dma_read/write calls. Affects QEMU versions >= 1.6.0 and <= 2.3.1. A privileged user inside guest could use this flaw to crash the guest instance resulting in DoS.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8817"
},
{
"id": "CVE-2015-8818",
"summary": "The cpu_physical_memory_write_rom_internal function in exec.c in QEMU (aka Quick Emulator) does not properly skip MMIO regions, which allows local privileged guest users to cause a denial of service (guest crash) via unspecified vectors.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8818"
},
{
"id": "CVE-2016-10028",
"summary": "The virgl_cmd_get_capset function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a VIRTIO_GPU_CMD_GET_CAPSET command with a maximum capabilities size with a value of 0.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10028"
},
{
"id": "CVE-2016-10029",
"summary": "The virtio_gpu_set_scanout function in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a scanout id in a VIRTIO_GPU_CMD_SET_SCANOUT command larger than num_scanouts.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10029"
},
{
"id": "CVE-2016-10155",
"summary": "Memory leak in hw/watchdog/wdt_i6300esb.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.",
"scorev2": "4.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10155"
},
{
"id": "CVE-2016-1568",
"summary": "Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.",
"scorev2": "6.9",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1568"
},
{
"id": "CVE-2016-1714",
"summary": "The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO privilege to cause a denial of service (out-of-bounds read or write access and process crash) or possibly execute arbitrary code via an invalid current entry value in a firmware configuration.",
"scorev2": "6.9",
"scorev3": "8.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1714"
},
{
"id": "CVE-2016-1922",
"summary": "QEMU (aka Quick Emulator) built with the TPR optimization for 32-bit Windows guests support is vulnerable to a null pointer dereference flaw. It occurs while doing I/O port write operations via hmp interface. In that, 'current_cpu' remains null, which leads to the null pointer dereference. A user or process could use this flaw to crash the QEMU instance, resulting in DoS issue.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1922"
},
{
"id": "CVE-2016-1981",
"summary": "QEMU (aka Quick Emulator) built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing data via transmit or receive descriptors, provided the initial receive/transmit descriptor head (TDH/RDH) is set outside the allocated descriptor buffer. A privileged user inside guest could use this flaw to crash the QEMU instance resulting in DoS.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1981"
},
{
"id": "CVE-2016-2197",
"summary": "QEMU (aka Quick Emulator) built with an IDE AHCI emulation support is vulnerable to a null pointer dereference flaw. It occurs while unmapping the Frame Information Structure (FIS) and Command List Block (CLB) entries. A privileged user inside guest could use this flaw to crash the QEMU process instance resulting in DoS.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2197"
},
{
"id": "CVE-2016-2198",
"summary": "QEMU (aka Quick Emulator) built with the USB EHCI emulation support is vulnerable to a null pointer dereference flaw. It could occur when an application attempts to write to EHCI capabilities registers. A privileged user inside quest could use this flaw to crash the QEMU process instance resulting in DoS.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2198"
},
{
"id": "CVE-2016-2391",
"summary": "The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers.",
"scorev2": "2.1",
"scorev3": "5.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2391"
},
{
"id": "CVE-2016-2392",
"summary": "The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 does not properly validate USB configuration descriptor objects, which allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2392"
},
{
"id": "CVE-2016-2538",
"summary": "Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2538"
},
{
"id": "CVE-2016-2841",
"summary": "The ne2000_receive function in the NE2000 NIC emulation support (hw/net/ne2000.c) in QEMU before 2.5.1 allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via crafted values for the PSTART and PSTOP registers, involving ring buffer control.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2841"
},
{
"id": "CVE-2016-2857",
"summary": "The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet.",
"scorev2": "3.6",
"scorev3": "8.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2857"
},
{
"id": "CVE-2016-2858",
"summary": "QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption.",
"scorev2": "1.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2858"
},
{
"id": "CVE-2016-3710",
"summary": "The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the \"Dark Portal\" issue.",
"scorev2": "7.2",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3710"
},
{
"id": "CVE-2016-3712",
"summary": "Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3712"
},
{
"id": "CVE-2016-4001",
"summary": "Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet.",
"scorev2": "4.3",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4001"
},
{
"id": "CVE-2016-4002",
"summary": "Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes.",
"scorev2": "6.8",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4002"
},
{
"id": "CVE-2016-4020",
"summary": "The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR).",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4020"
},
{
"id": "CVE-2016-4037",
"summary": "The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular split isochronous transfer descriptor (siTD) list, a related issue to CVE-2015-8558.",
"scorev2": "4.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4037"
},
{
"id": "CVE-2016-4439",
"summary": "The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the QEMU host via unspecified vectors.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4439"
},
{
"id": "CVE-2016-4441",
"summary": "The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check DMA length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4441"
},
{
"id": "CVE-2016-4453",
"summary": "The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4453"
},
{
"id": "CVE-2016-4454",
"summary": "The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read.",
"scorev2": "3.6",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4454"
},
{
"id": "CVE-2016-4952",
"summary": "QEMU (aka Quick Emulator), when built with VMWARE PVSCSI paravirtual SCSI bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds array access) via vectors related to the (1) PVSCSI_CMD_SETUP_RINGS or (2) PVSCSI_CMD_SETUP_MSG_RING SCSI command.",
"scorev2": "1.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4952"
},
{
"id": "CVE-2016-4964",
"summary": "The mptsas_fetch_requests function in hw/scsi/mptsas.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop, and CPU consumption or QEMU process crash) via vectors involving s->state.",
"scorev2": "4.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4964"
},
{
"id": "CVE-2016-5105",
"summary": "The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, uses an uninitialized variable, which allows local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command.",
"scorev2": "1.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5105"
},
{
"id": "CVE-2016-5106",
"summary": "The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command.",
"scorev2": "1.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5106"
},
{
"id": "CVE-2016-5107",
"summary": "The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors.",
"scorev2": "1.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5107"
},
{
"id": "CVE-2016-5126",
"summary": "Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5126"
},
{
"id": "CVE-2016-5238",
"summary": "The get_cmd function in hw/scsi/esp.c in QEMU might allow local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5238"
},
{
"id": "CVE-2016-5337",
"summary": "The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allows local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5337"
},
{
"id": "CVE-2016-5338",
"summary": "The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allow local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5338"
},
{
"id": "CVE-2016-5403",
"summary": "The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5403"
},
{
"id": "CVE-2016-6351",
"summary": "The esp_do_dma function in hw/scsi/esp.c in QEMU (aka Quick Emulator), when built with ESP/NCR53C9x controller emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the QEMU host via vectors involving DMA read into ESP command buffer.",
"scorev2": "7.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6351"
},
{
"id": "CVE-2016-6490",
"summary": "The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6490"
},
{
"id": "CVE-2016-6833",
"summary": "Use-after-free vulnerability in the vmxnet3_io_bar0_write function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU instance crash) by leveraging failure to check if the device is active.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6833"
},
{
"id": "CVE-2016-6834",
"summary": "The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the current fragment length.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6834"
},
{
"id": "CVE-2016-6835",
"summary": "The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (buffer over-read) by leveraging failure to check IP header length.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6835"
},
{
"id": "CVE-2016-6836",
"summary": "The vmxnet3_complete_packet function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host memory information by leveraging failure to initialize the txcq_descr object.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6836"
},
{
"id": "CVE-2016-6888",
"summary": "Integer overflow in the net_tx_pkt_init function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU process crash) via the maximum fragmentation count, which triggers an unchecked multiplication and NULL pointer dereference.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6888"
},
{
"id": "CVE-2016-7116",
"summary": "Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to access host files outside the export path via a .. (dot dot) in an unspecified string.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7116"
},
{
"id": "CVE-2016-7155",
"summary": "hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds access or infinite loop, and QEMU process crash) via a crafted page count for descriptor rings.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7155"
},
{
"id": "CVE-2016-7156",
"summary": "The pvscsi_convert_sglist function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging an incorrect cast.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7156"
},
{
"id": "CVE-2016-7157",
"summary": "The (1) mptsas_config_manufacturing_1 and (2) mptsas_config_ioc_0 functions in hw/scsi/mptconfig.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via vectors involving MPTSAS_CONFIG_PACK.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7157"
},
{
"id": "CVE-2016-7161",
"summary": "Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7161"
},
{
"id": "CVE-2016-7170",
"summary": "The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7170"
},
{
"id": "CVE-2016-7421",
"summary": "The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the ring size.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7421"
},
{
"id": "CVE-2016-7422",
"summary": "The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via a large I/O descriptor buffer length value.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7422"
},
{
"id": "CVE-2016-7423",
"summary": "The mptsas_process_scsi_io_request function in QEMU (aka Quick Emulator), when built with LSI SAS1068 Host Bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors involving MPTSASRequest objects.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7423"
},
{
"id": "CVE-2016-7466",
"summary": "Memory leak in the usb_xhci_exit function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator), when the xhci uses msix, allows local guest OS administrators to cause a denial of service (memory consumption and possibly QEMU process crash) by repeatedly unplugging a USB device.",
"scorev2": "1.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7466"
},
{
"id": "CVE-2016-7907",
"summary": "The imx_fec_do_tx function in hw/net/imx_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7907"
},
{
"id": "CVE-2016-7908",
"summary": "The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7908"
},
{
"id": "CVE-2016-7909",
"summary": "The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0.",
"scorev2": "4.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7909"
},
{
"id": "CVE-2016-7994",
"summary": "Memory leak in the virtio_gpu_resource_create_2d function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_CREATE_2D commands.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7994"
},
{
"id": "CVE-2016-7995",
"summary": "Memory leak in the ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of crafted buffer page select (PG) indexes.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7995"
},
{
"id": "CVE-2016-8576",
"summary": "The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8576"
},
{
"id": "CVE-2016-8577",
"summary": "Memory leak in the v9fs_read function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors related to an I/O read operation.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8577"
},
{
"id": "CVE-2016-8578",
"summary": "The v9fs_iov_vunmarshal function in fsdev/9p-iov-marshal.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) by sending an empty string parameter to a 9P operation.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8578"
},
{
"id": "CVE-2016-8667",
"summary": "The rc4030_write function in hw/dma/rc4030.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8667"
},
{
"id": "CVE-2016-8668",
"summary": "The rocker_io_writel function in hw/net/rocker/rocker.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging failure to limit DMA buffer size.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8668"
},
{
"id": "CVE-2016-8669",
"summary": "The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8669"
},
{
"id": "CVE-2016-8909",
"summary": "The intel_hda_xfer function in hw/audio/intel-hda.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8909"
},
{
"id": "CVE-2016-8910",
"summary": "The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8910"
},
{
"id": "CVE-2016-9101",
"summary": "Memory leak in hw/net/eepro100.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by repeatedly unplugging an i8255x (PRO100) NIC device.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9101"
},
{
"id": "CVE-2016-9102",
"summary": "Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9102"
},
{
"id": "CVE-2016-9103",
"summary": "The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values before writing to them.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9103"
},
{
"id": "CVE-2016-9104",
"summary": "Multiple integer overflows in the (1) v9fs_xattr_read and (2) v9fs_xattr_write functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via a crafted offset, which triggers an out-of-bounds access.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9104"
},
{
"id": "CVE-2016-9105",
"summary": "Memory leak in the v9fs_link function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors involving a reference to the source fid object.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9105"
},
{
"id": "CVE-2016-9106",
"summary": "Memory leak in the v9fs_write function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) by leveraging failure to free an IO vector.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9106"
},
{
"id": "CVE-2016-9381",
"summary": "Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a \"double fetch\" vulnerability.",
"scorev2": "6.9",
"scorev3": "7.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9381"
},
{
"id": "CVE-2016-9602",
"summary": "Qemu before version 2.9 is vulnerable to an improper link following when built with the VirtFS. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.",
"scorev2": "9.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9602"
},
{
"id": "CVE-2016-9603",
"summary": "A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support before 2.9; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the host with privileges of the QEMU process.",
"scorev2": "9.0",
"scorev3": "9.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9603"
},
{
"id": "CVE-2016-9776",
"summary": "QEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet Controller emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could use this issue to crash the QEMU process on the host leading to DoS.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9776"
},
{
"id": "CVE-2016-9845",
"summary": "QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest user/process could use this flaw to leak contents of the host memory bytes.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9845"
},
{
"id": "CVE-2016-9846",
"summary": "QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while updating the cursor data in update_cursor_data_virgl. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9846"
},
{
"id": "CVE-2016-9907",
"summary": "Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9907"
},
{
"id": "CVE-2016-9908",
"summary": "Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak contents of the host memory bytes.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9908"
},
{
"id": "CVE-2016-9911",
"summary": "Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9911"
},
{
"id": "CVE-2016-9912",
"summary": "Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while destroying gpu resource object in 'virtio_gpu_resource_destroy'. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9912"
},
{
"id": "CVE-2016-9913",
"summary": "Memory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) via vectors involving the order of resource cleanup.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9913"
},
{
"id": "CVE-2016-9914",
"summary": "Memory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in FileOperations.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9914"
},
{
"id": "CVE-2016-9915",
"summary": "Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the handle backend.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9915"
},
{
"id": "CVE-2016-9916",
"summary": "Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the proxy backend.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9916"
},
{
"id": "CVE-2016-9921",
"summary": "Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9921"
},
{
"id": "CVE-2016-9922",
"summary": "The cirrus_do_copy function in hw/display/cirrus_vga.c in QEMU (aka Quick Emulator), when cirrus graphics mode is VGA, allows local guest OS privileged users to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving blit pitch values.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9922"
},
{
"id": "CVE-2016-9923",
"summary": "Quick Emulator (Qemu) built with the 'chardev' backend support is vulnerable to a use after free issue. It could occur while hotplug and unplugging the device in the guest. A guest user/process could use this flaw to crash a Qemu process on the host resulting in DoS.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9923"
},
{
"id": "CVE-2017-10664",
"summary": "qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10664"
},
{
"id": "CVE-2017-10806",
"summary": "Stack-based buffer overflow in hw/usb/redirect.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10806"
},
{
"id": "CVE-2017-11334",
"summary": "The address_space_write_continue function in exec.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11334"
},
{
"id": "CVE-2017-11434",
"summary": "The dhcp_decode function in slirp/bootp.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) via a crafted DHCP options string.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11434"
},
{
"id": "CVE-2017-12809",
"summary": "QEMU (aka Quick Emulator), when built with the IDE disk and CD/DVD-ROM Emulator support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12809"
},
{
"id": "CVE-2017-13672",
"summary": "QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13672"
},
{
"id": "CVE-2017-13673",
"summary": "The vga display update in mis-calculated the region for the dirty bitmap snapshot in case split screen mode is used causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty function.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13673"
},
{
"id": "CVE-2017-13711",
"summary": "Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13711"
},
{
"id": "CVE-2017-14167",
"summary": "Integer overflow in the load_multiboot function in hw/i386/multiboot.c in QEMU (aka Quick Emulator) allows local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write.",
"scorev2": "7.2",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14167"
},
{
"id": "CVE-2017-15038",
"summary": "Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes.",
"scorev2": "1.9",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15038"
},
{
"id": "CVE-2017-15118",
"summary": "A stack-based buffer overflow vulnerability was found in NBD server implementation in qemu before 2.11 allowing a client to request an export name of size up to 4096 bytes, which in fact should be limited to 256 bytes, causing an out-of-bounds stack write in the qemu process. If NBD server requires TLS, the attacker cannot trigger the buffer overflow without first successfully negotiating TLS.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15118"
},
{
"id": "CVE-2017-15119",
"summary": "The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS.",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15119"
},
{
"id": "CVE-2017-15124",
"summary": "VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15124"
},
{
"id": "CVE-2017-15268",
"summary": "Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15268"
},
{
"id": "CVE-2017-15289",
"summary": "The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15289"
},
{
"id": "CVE-2017-16845",
"summary": "hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access.",
"scorev2": "6.4",
"scorev3": "10.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16845"
},
{
"id": "CVE-2017-17381",
"summary": "The Virtio Vring implementation in QEMU allows local OS guest users to cause a denial of service (divide-by-zero error and QEMU process crash) by unsetting vring alignment while updating Virtio rings.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17381"
},
{
"id": "CVE-2017-18030",
"summary": "The cirrus_invalidate_region function in hw/display/cirrus_vga.c in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to negative pitch.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18030"
},
{
"id": "CVE-2017-18043",
"summary": "Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) allows a user to cause a denial of service (Qemu process crash).",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18043"
},
{
"id": "CVE-2017-2615",
"summary": "Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host.",
"scorev2": "9.0",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2615"
},
{
"id": "CVE-2017-2620",
"summary": "Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process.",
"scorev2": "9.0",
"scorev3": "9.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2620"
},
{
"id": "CVE-2017-2630",
"summary": "A stack buffer overflow flaw was found in the Quick Emulator (QEMU) before 2.9 built with the Network Block Device (NBD) client support. The flaw could occur while processing server's response to a 'NBD_OPT_LIST' request. A malicious NBD server could use this issue to crash a remote NBD client resulting in DoS or potentially execute arbitrary code on client host with privileges of the QEMU process.",
"scorev2": "6.5",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2630"
},
{
"id": "CVE-2017-2633",
"summary": "An out-of-bounds memory access issue was found in Quick Emulator (QEMU) before 1.7.2 in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the 'vnc_refresh_server_surface'. A user inside a guest could use this flaw to crash the QEMU process.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2633"
},
{
"id": "CVE-2017-5525",
"summary": "Memory leak in hw/audio/ac97.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5525"
},
{
"id": "CVE-2017-5526",
"summary": "Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5526"
},
{
"id": "CVE-2017-5552",
"summary": "Memory leak in the virgl_resource_attach_backing function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5552"
},
{
"id": "CVE-2017-5578",
"summary": "Memory leak in the virtio_gpu_resource_attach_backing function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5578"
},
{
"id": "CVE-2017-5579",
"summary": "Memory leak in the serial_exit_core function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5579"
},
{
"id": "CVE-2017-5667",
"summary": "The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds heap access and crash) or execute arbitrary code on the QEMU host via vectors involving the data transfer length.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5667"
},
{
"id": "CVE-2017-5856",
"summary": "Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) via MegaRAID Firmware Interface (MFI) commands with the sglist size set to a value over 2 Gb.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5856"
},
{
"id": "CVE-2017-5857",
"summary": "Memory leak in the virgl_cmd_resource_unref function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_UNREF commands sent without detaching the backing storage beforehand.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5857"
},
{
"id": "CVE-2017-5898",
"summary": "Integer overflow in the emulated_apdu_from_guest function in usb/dev-smartcard-reader.c in Quick Emulator (Qemu), when built with the CCID Card device emulator support, allows local users to cause a denial of service (application crash) via a large Application Protocol Data Units (APDU) unit.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5898"
},
{
"id": "CVE-2017-5931",
"summary": "Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code on the host via a crafted virtio-crypto request, which triggers a heap-based buffer overflow.",
"scorev2": "7.2",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5931"
},
{
"id": "CVE-2017-5973",
"summary": "The xhci_kick_epctx function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors related to control transfer descriptor sequence.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5973"
},
{
"id": "CVE-2017-5987",
"summary": "The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5987"
},
{
"id": "CVE-2017-6058",
"summary": "Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU (aka Quick Emulator), when the VLANSTRIP feature is enabled on the vmxnet3 device, allows remote attackers to cause a denial of service (out-of-bounds access and QEMU process crash) via vectors related to VLAN stripping.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6058"
},
{
"id": "CVE-2017-6505",
"summary": "The ohci_service_ed_list function in hw/usb/hcd-ohci.c in QEMU (aka Quick Emulator) before 2.9.0 allows local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors, a different vulnerability than CVE-2017-9330.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6505"
},
{
"id": "CVE-2017-7377",
"summary": "The (1) v9fs_create and (2) v9fs_lcreate functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS privileged users to cause a denial of service (file descriptor or memory consumption) via vectors related to an already in-use fid.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7377"
},
{
"id": "CVE-2017-7471",
"summary": "Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.",
"scorev2": "7.7",
"scorev3": "9.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7471"
},
{
"id": "CVE-2017-7493",
"summary": "Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could use this flaw to escalate their privileges inside guest.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7493"
},
{
"id": "CVE-2017-7539",
"summary": "An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7539"
},
{
"id": "CVE-2017-7718",
"summary": "hw/display/cirrus_vga_rop.h in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7718"
},
{
"id": "CVE-2017-7980",
"summary": "Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick Emulator (Qemu) 2.8 and earlier allows local guest OS users to execute arbitrary code or cause a denial of service (crash) via vectors related to a VNC client updating its display after a VGA operation.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7980"
},
{
"id": "CVE-2017-8086",
"summary": "Memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8086"
},
{
"id": "CVE-2017-8112",
"summary": "hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8112"
},
{
"id": "CVE-2017-8284",
"summary": "The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic block that injects code into a setuid program, as demonstrated by procmail. NOTE: the vendor has stated \"this bug does not violate any security guarantees QEMU makes.",
"scorev2": "6.9",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8284"
},
{
"id": "CVE-2017-8309",
"summary": "Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8309"
},
{
"id": "CVE-2017-8379",
"summary": "Memory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8379"
},
{
"id": "CVE-2017-8380",
"summary": "Buffer overflow in the \"megasas_mmio_write\" function in Qemu 2.9.0 allows remote attackers to have unspecified impact via unknown vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8380"
},
{
"id": "CVE-2017-9060",
"summary": "Memory leak in the virtio_gpu_set_scanout function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (memory consumption) via a large number of \"VIRTIO_GPU_CMD_SET_SCANOUT:\" commands.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9060"
},
{
"id": "CVE-2017-9310",
"summary": "QEMU (aka Quick Emulator), when built with the e1000e NIC emulation support, allows local guest OS privileged users to cause a denial of service (infinite loop) via vectors related to setting the initial receive / transmit descriptor head (TDH/RDH) outside the allocated descriptor buffer.",
"scorev2": "1.9",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9310"
},
{
"id": "CVE-2017-9330",
"summary": "QEMU (aka Quick Emulator) before 2.9.0, when built with the USB OHCI Emulation support, allows local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value, a different vulnerability than CVE-2017-6505.",
"scorev2": "1.9",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9330"
},
{
"id": "CVE-2017-9373",
"summary": "Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the AHCI device.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9373"
},
{
"id": "CVE-2017-9374",
"summary": "Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the device.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9374"
},
{
"id": "CVE-2017-9375",
"summary": "QEMU (aka Quick Emulator), when built with USB xHCI controller emulator support, allows local guest OS privileged users to cause a denial of service (infinite recursive call) via vectors involving control transfer descriptors sequencing.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9375"
},
{
"id": "CVE-2017-9503",
"summary": "QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9503"
},
{
"id": "CVE-2017-9524",
"summary": "The qemu-nbd server in QEMU (aka Quick Emulator), when built with the Network Block Device (NBD) Server support, allows remote attackers to cause a denial of service (segmentation fault and server crash) by leveraging failure to ensure that all initialization occurs before talking to a client in the nbd_negotiate function.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9524"
},
{
"id": "CVE-2018-10839",
"summary": "Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10839"
},
{
"id": "CVE-2018-11806",
"summary": "m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams.",
"scorev2": "7.2",
"scorev3": "8.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11806"
},
{
"id": "CVE-2018-12617",
"summary": "qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12617"
},
{
"id": "CVE-2018-15746",
"summary": "qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15746"
},
{
"id": "CVE-2018-16847",
"summary": "An OOB heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU. It could occur in nvme_cmb_ops routines in nvme device. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process.",
"scorev2": "4.6",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16847"
},
{
"id": "CVE-2018-16867",
"summary": "A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0. A path traversal in the in usb_mtp_write_data function in hw/usb/dev-mtp.c due to an improper filename sanitization. When the guest device is mounted in read-write mode, this allows to read/write arbitrary files which may lead do DoS scenario OR possibly lead to code execution on the host.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16867"
},
{
"id": "CVE-2018-16872",
"summary": "A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS.",
"scorev2": "3.5",
"scorev3": "5.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16872"
},
{
"id": "CVE-2018-17958",
"summary": "Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17958"
},
{
"id": "CVE-2018-17962",
"summary": "Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17962"
},
{
"id": "CVE-2018-17963",
"summary": "qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17963"
},
{
"id": "CVE-2018-18438",
"summary": "Qemu has integer overflows because IOReadHandler and its associated functions use a signed integer data type for a size value.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18438",
"detail": "disputed",
"description": "The issues identified by this CVE were determined to not constitute a vulnerability."
},
{
"id": "CVE-2018-18849",
"summary": "In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18849"
},
{
"id": "CVE-2018-18954",
"summary": "The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1 allows out-of-bounds write or read access to PowerNV memory.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18954"
},
{
"id": "CVE-2018-19364",
"summary": "hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to (for example) a use-after-free outcome.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19364"
},
{
"id": "CVE-2018-19489",
"summary": "v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to cause a denial of service (crash) because of a race condition during file renaming.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19489"
},
{
"id": "CVE-2018-19665",
"summary": "The Bluetooth subsystem in QEMU mishandles negative values for length variables, leading to memory corruption.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19665"
},
{
"id": "CVE-2018-20123",
"summary": "pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a Memory leak after an initialisation error.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20123"
},
{
"id": "CVE-2018-20124",
"summary": "hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20124"
},
{
"id": "CVE-2018-20125",
"summary": "hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20125"
},
{
"id": "CVE-2018-20126",
"summary": "hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are mishandled.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20126"
},
{
"id": "CVE-2018-20191",
"summary": "hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20191"
},
{
"id": "CVE-2018-20216",
"summary": "QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and -1 is mishandled).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20216"
},
{
"id": "CVE-2018-20815",
"summary": "In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20815"
},
{
"id": "CVE-2018-5683",
"summary": "The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5683"
},
{
"id": "CVE-2018-7550",
"summary": "The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access.",
"scorev2": "4.6",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7550"
},
{
"id": "CVE-2018-7858",
"summary": "Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by leveraging incorrect region calculation when updating VGA display.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7858"
},
{
"id": "CVE-2019-12067",
"summary": "The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12067"
},
{
"id": "CVE-2019-12068",
"summary": "In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.",
"scorev2": "2.1",
"scorev3": "3.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12068"
},
{
"id": "CVE-2019-12155",
"summary": "interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12155"
},
{
"id": "CVE-2019-12247",
"summary": "QEMU 3.0.0 has an Integer Overflow because the qga/commands*.c files do not check the length of the argument list or the number of environment variables. NOTE: This has been disputed as not exploitable",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12247"
},
{
"id": "CVE-2019-12928",
"summary": "The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12928"
},
{
"id": "CVE-2019-12929",
"summary": "The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12929"
},
{
"id": "CVE-2019-13164",
"summary": "qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13164"
},
{
"id": "CVE-2019-15034",
"summary": "hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading to a buffer overflow involving the PCIe extended config space.",
"scorev2": "4.4",
"scorev3": "5.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15034"
},
{
"id": "CVE-2019-15890",
"summary": "libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15890"
},
{
"id": "CVE-2019-20175",
"summary": "An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a multiple of 512 (the size of a sector). NOTE: a member of the QEMU security team disputes the significance of this issue because a \"privileged guest user has many ways to cause similar DoS effect, without triggering this assert.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20175"
},
{
"id": "CVE-2019-20382",
"summary": "QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd.",
"scorev2": "2.7",
"scorev3": "3.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20382"
},
{
"id": "CVE-2019-20808",
"summary": "In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation. It occurs in the ati_cursor_define() routine while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20808"
},
{
"id": "CVE-2019-3812",
"summary": "QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the host.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3812"
},
{
"id": "CVE-2019-5008",
"summary": "hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dereference, which allows the attacker to cause a denial of service via a device driver.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5008"
},
{
"id": "CVE-2019-6501",
"summary": "In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c allows out-of-bounds write and read operations.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6501"
},
{
"id": "CVE-2019-6778",
"summary": "In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6778"
},
{
"id": "CVE-2019-8934",
"summary": "hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8934"
},
{
"id": "CVE-2019-9824",
"summary": "tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9824"
},
{
"id": "CVE-2020-10702",
"summary": "A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10702"
},
{
"id": "CVE-2020-10717",
"summary": "A potential DoS flaw was found in the virtio-fs shared file system daemon (virtiofsd) implementation of the QEMU version >= v5.0. Virtio-fs is meant to share a host file system directory with a guest via virtio-fs device. If the guest opens the maximum number of file descriptors under the shared directory, a denial of service may occur. This flaw allows a guest user/process to cause this denial of service on the host.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10717"
},
{
"id": "CVE-2020-10761",
"summary": "An assertion failure issue was found in the Network Block Device(NBD) Server in all QEMU versions before QEMU 5.0.1. This flaw occurs when an nbd-client sends a spec-compliant request that is near the boundary of maximum permitted request length. A remote nbd-client could use this flaw to crash the qemu-nbd server resulting in a denial of service.",
"scorev2": "4.0",
"scorev3": "5.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10761"
},
{
"id": "CVE-2020-11102",
"summary": "hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length.",
"scorev2": "6.8",
"scorev3": "5.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11102"
},
{
"id": "CVE-2020-11869",
"summary": "An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11869"
},
{
"id": "CVE-2020-11947",
"summary": "iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker.",
"scorev2": "2.1",
"scorev3": "3.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11947"
},
{
"id": "CVE-2020-12829",
"summary": "In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service.",
"scorev2": "2.1",
"scorev3": "3.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12829"
},
{
"id": "CVE-2020-13253",
"summary": "sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13253"
},
{
"id": "CVE-2020-13361",
"summary": "In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.",
"scorev2": "3.3",
"scorev3": "3.9",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13361"
},
{
"id": "CVE-2020-13362",
"summary": "In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user.",
"scorev2": "2.1",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13362"
},
{
"id": "CVE-2020-13659",
"summary": "address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer.",
"scorev2": "1.9",
"scorev3": "2.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13659"
},
{
"id": "CVE-2020-13754",
"summary": "hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13754"
},
{
"id": "CVE-2020-13765",
"summary": "rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation.",
"scorev2": "6.8",
"scorev3": "5.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13765"
},
{
"id": "CVE-2020-13791",
"summary": "hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13791"
},
{
"id": "CVE-2020-13800",
"summary": "ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call.",
"scorev2": "4.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13800"
},
{
"id": "CVE-2020-14364",
"summary": "An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host.",
"scorev2": "4.4",
"scorev3": "5.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14364"
},
{
"id": "CVE-2020-14394",
"summary": "An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.",
"scorev2": "0.0",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14394"
},
{
"id": "CVE-2020-14415",
"summary": "oss_write in audio/ossaudio.c in QEMU before 5.0.0 mishandles a buffer position.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14415"
},
{
"id": "CVE-2020-15469",
"summary": "In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.",
"scorev2": "2.1",
"scorev3": "2.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15469"
},
{
"id": "CVE-2020-15859",
"summary": "QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15859"
},
{
"id": "CVE-2020-15863",
"summary": "hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential privileged code execution. This was fixed in commit 5519724a13664b43e225ca05351c60b4468e4555.",
"scorev2": "4.4",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15863"
},
{
"id": "CVE-2020-16092",
"summary": "In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c.",
"scorev2": "2.1",
"scorev3": "3.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16092"
},
{
"id": "CVE-2020-1711",
"summary": "An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host.",
"scorev2": "6.0",
"scorev3": "6.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1711"
},
{
"id": "CVE-2020-17380",
"summary": "A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host.",
"scorev2": "4.6",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17380"
},
{
"id": "CVE-2020-24165",
"summary": "An issue was discovered in TCG Accelerator in QEMU 4.2.0, allows local attackers to execute arbitrary code, escalate privileges, and cause a denial of service (DoS). Note: This is disputed as a bug and not a valid security issue by multiple third parties.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24165"
},
{
"id": "CVE-2020-24352",
"summary": "An issue was discovered in QEMU through 5.1.0. An out-of-bounds memory access was found in the ATI VGA device implementation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati_2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24352"
},
{
"id": "CVE-2020-25084",
"summary": "QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.",
"scorev2": "2.1",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25084"
},
{
"id": "CVE-2020-25085",
"summary": "QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case.",
"scorev2": "4.4",
"scorev3": "5.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25085"
},
{
"id": "CVE-2020-25624",
"summary": "hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver.",
"scorev2": "4.4",
"scorev3": "5.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25624"
},
{
"id": "CVE-2020-25625",
"summary": "hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop.",
"scorev2": "4.7",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25625"
},
{
"id": "CVE-2020-25723",
"summary": "A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service.",
"scorev2": "2.1",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25723"
},
{
"id": "CVE-2020-25741",
"summary": "fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.",
"scorev2": "2.1",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25741"
},
{
"id": "CVE-2020-25742",
"summary": "pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.",
"scorev2": "2.1",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25742"
},
{
"id": "CVE-2020-25743",
"summary": "hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.",
"scorev2": "2.1",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25743"
},
{
"id": "CVE-2020-27616",
"summary": "ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a calculation. A guest can crash the QEMU process.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27616"
},
{
"id": "CVE-2020-27617",
"summary": "eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27617"
},
{
"id": "CVE-2020-27661",
"summary": "A divide-by-zero issue was found in dwc2_handle_packet in hw/usb/hcd-dwc2.c in the hcd-dwc2 USB host controller emulation of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27661"
},
{
"id": "CVE-2020-27821",
"summary": "A flaw was found in the memory management API of QEMU during the initialization of a memory region cache. This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27821"
},
{
"id": "CVE-2020-28916",
"summary": "hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28916"
},
{
"id": "CVE-2020-29443",
"summary": "ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated.",
"scorev2": "3.3",
"scorev3": "3.9",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29443"
},
{
"id": "CVE-2020-35503",
"summary": "A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35503"
},
{
"id": "CVE-2020-35504",
"summary": "A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35504"
},
{
"id": "CVE-2020-35505",
"summary": "A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
"scorev2": "2.1",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35505"
},
{
"id": "CVE-2020-35506",
"summary": "A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.",
"scorev2": "4.6",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35506"
},
{
"id": "CVE-2020-35517",
"summary": "A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to r/w access host devices.",
"scorev2": "4.6",
"scorev3": "8.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35517"
},
{
"id": "CVE-2020-7039",
"summary": "tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code.",
"scorev2": "6.8",
"scorev3": "5.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-7039"
},
{
"id": "CVE-2020-7211",
"summary": "tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\\ directory traversal on Windows.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-7211"
},
{
"id": "CVE-2021-20181",
"summary": "A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.",
"scorev2": "6.9",
"scorev3": "7.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20181"
},
{
"id": "CVE-2021-20196",
"summary": "A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20196"
},
{
"id": "CVE-2021-20203",
"summary": "An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.",
"scorev2": "2.1",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20203"
},
{
"id": "CVE-2021-20221",
"summary": "An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20221"
},
{
"id": "CVE-2021-20255",
"summary": "A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20255"
},
{
"id": "CVE-2021-20257",
"summary": "An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20257"
},
{
"id": "CVE-2021-20263",
"summary": "A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20263"
},
{
"id": "CVE-2021-20295",
"summary": "It was discovered that the update for the virt:rhel module in the RHSA-2020:4676 (https://access.redhat.com/errata/RHSA-2020:4676) erratum released as part of Red Hat Enterprise Linux 8.3 failed to include the fix for the qemu-kvm component issue CVE-2020-10756, which was previously corrected in virt:rhel/qemu-kvm via erratum RHSA-2020:4059 (https://access.redhat.com/errata/RHSA-2020:4059). CVE-2021-20295 was assigned to that Red Hat specific security regression. For more details about the original security issue CVE-2020-10756, refer to bug 1835986 or the CVE page: https://access.redhat.com/security/cve/CVE-2020-10756.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20295"
},
{
"id": "CVE-2021-3392",
"summary": "A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.",
"scorev2": "2.1",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3392"
},
{
"id": "CVE-2021-3409",
"summary": "The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this.",
"scorev2": "4.6",
"scorev3": "5.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3409"
},
{
"id": "CVE-2021-3416",
"summary": "A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario.",
"scorev2": "2.1",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3416"
},
{
"id": "CVE-2021-3507",
"summary": "A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory.",
"scorev2": "3.6",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3507"
},
{
"id": "CVE-2021-3527",
"summary": "A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3527"
},
{
"id": "CVE-2021-3544",
"summary": "Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3544"
},
{
"id": "CVE-2021-3545",
"summary": "An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3545"
},
{
"id": "CVE-2021-3546",
"summary": "An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process.",
"scorev2": "4.6",
"scorev3": "8.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3546"
},
{
"id": "CVE-2021-3582",
"summary": "A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while handling a \"PVRDMA_CMD_CREATE_MR\" command due to improper memory remapping (mremap). This flaw allows a malicious guest to crash the QEMU process on the host. The highest threat from this vulnerability is to system availability.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3582"
},
{
"id": "CVE-2021-3607",
"summary": "An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a \"PVRDMA_REG_DSRHIGH\" write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
"scorev2": "4.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3607"
},
{
"id": "CVE-2021-3608",
"summary": "A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a \"PVRDMA_REG_DSRHIGH\" write from the guest and may result in a crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest threat from this vulnerability is to system availability.",
"scorev2": "4.9",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3608"
},
{
"id": "CVE-2021-3611",
"summary": "A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. This flaw affects QEMU versions prior to 7.0.0.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3611"
},
{
"id": "CVE-2021-3638",
"summary": "An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3638"
},
{
"id": "CVE-2021-3682",
"summary": "A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.",
"scorev2": "6.0",
"scorev3": "8.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3682"
},
{
"id": "CVE-2021-3713",
"summary": "An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host.",
"scorev2": "4.6",
"scorev3": "7.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3713"
},
{
"id": "CVE-2021-3735",
"summary": "A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3735"
},
{
"id": "CVE-2021-3748",
"summary": "A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.",
"scorev2": "6.9",
"scorev3": "7.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3748"
},
{
"id": "CVE-2021-3750",
"summary": "A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.",
"scorev2": "4.6",
"scorev3": "8.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3750"
},
{
"id": "CVE-2021-3929",
"summary": "A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.",
"scorev2": "0.0",
"scorev3": "8.2",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3929"
},
{
"id": "CVE-2021-3930",
"summary": "An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.",
"scorev2": "2.1",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3930"
},
{
"id": "CVE-2021-3947",
"summary": "A stack-buffer-overflow was found in QEMU in the NVME component. The flaw lies in nvme_changed_nslist() where a malicious guest controlling certain input can read out of bounds memory. A malicious user could use this flaw leading to disclosure of sensitive information.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3947"
},
{
"id": "CVE-2021-4145",
"summary": "A NULL pointer dereference issue was found in the block mirror layer of QEMU in versions prior to 6.2.0. The `self` pointer is dereferenced in mirror_wait_on_conflicts() without ensuring that it's not NULL. A malicious unprivileged user within the guest could use this flaw to crash the QEMU process on the host when writing data reaches the threshold of mirroring node.",
"scorev2": "4.9",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4145"
},
{
"id": "CVE-2021-4158",
"summary": "A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.",
"scorev2": "0.0",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4158"
},
{
"id": "CVE-2021-4206",
"summary": "A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.",
"scorev2": "4.6",
"scorev3": "8.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4206"
},
{
"id": "CVE-2021-4207",
"summary": "A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.",
"scorev2": "4.6",
"scorev3": "8.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4207"
},
{
"id": "CVE-2022-0216",
"summary": "A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.",
"scorev2": "0.0",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0216"
},
{
"id": "CVE-2022-0358",
"summary": "A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0358"
},
{
"id": "CVE-2022-1050",
"summary": "A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.",
"scorev2": "4.6",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1050"
},
{
"id": "CVE-2022-26353",
"summary": "A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26353"
},
{
"id": "CVE-2022-26354",
"summary": "A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.",
"scorev2": "2.1",
"scorev3": "3.2",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26354"
},
{
"id": "CVE-2022-2962",
"summary": "A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2962"
},
{
"id": "CVE-2022-3165",
"summary": "An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3165"
},
{
"id": "CVE-2022-35414",
"summary": "softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash. NOTE: a third party states that the Non-virtualization Use Case in the qemu.org reference applies here, i.e., \"Bugs affecting the non-virtualization use case are not considered security bugs at this time.",
"scorev2": "6.1",
"scorev3": "8.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35414"
},
{
"id": "CVE-2022-36648",
"summary": "The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host via execute a malformed program in the guest OS. Note: This has been disputed by multiple third parties as not a valid vulnerability due to the rocker device not falling within the virtualization use case.",
"scorev2": "0.0",
"scorev3": "10.0",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-36648"
},
{
"id": "CVE-2022-3872",
"summary": "An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.",
"scorev2": "0.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3872"
},
{
"id": "CVE-2022-4144",
"summary": "An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4144"
},
{
"id": "CVE-2022-4172",
"summary": "An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4172"
},
{
"id": "CVE-2023-0330",
"summary": "A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.",
"scorev2": "0.0",
"scorev3": "6.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0330"
},
{
"id": "CVE-2023-0664",
"summary": "A flaw was found in the QEMU Guest Agent service for Windows. A local unprivileged user may be able to manipulate the QEMU Guest Agent's Windows installer via repair custom actions to elevate their privileges on the system.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0664",
"detail": "not-applicable-platform",
"description": "Issue only applies on Windows"
},
{
"id": "CVE-2023-1386",
"summary": "A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1386"
},
{
"id": "CVE-2023-1544",
"summary": "A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.",
"scorev2": "0.0",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1544"
},
{
"id": "CVE-2023-2680",
"summary": "This CVE exists because of an incomplete fix for CVE-2021-3750. More specifically, the qemu-kvm package as released for Red Hat Enterprise Linux 9.1 via RHSA-2022:7967 included a version of qemu-kvm that was actually missing the fix for CVE-2021-3750.",
"scorev2": "0.0",
"scorev3": "8.2",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2680",
"detail": "not-applicable-platform",
"description": "RHEL specific issue."
},
{
"id": "CVE-2023-2861",
"summary": "A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2861"
},
{
"id": "CVE-2023-3019",
"summary": "A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3019",
"detail": "cpe-incorrect",
"description": "Applies only against versions before 8.2.0"
},
{
"id": "CVE-2023-3180",
"summary": "A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3180"
},
{
"id": "CVE-2023-3255",
"summary": "A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3255"
},
{
"id": "CVE-2023-3301",
"summary": "A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service.",
"scorev2": "0.0",
"scorev3": "5.6",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3301"
},
{
"id": "CVE-2023-3354",
"summary": "A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3354"
},
{
"id": "CVE-2023-40360",
"summary": "QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive in hw/nvme/ctrl.c because there is no check for whether an endurance group is configured before checking whether Flexible Data Placement is enabled.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-40360"
},
{
"id": "CVE-2023-4135",
"summary": "A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does not validate an offset provided by the guest before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4135"
},
{
"id": "CVE-2023-42467",
"summary": "QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-42467"
},
{
"id": "CVE-2023-5088",
"summary": "A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot.",
"scorev2": "0.0",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5088",
"detail": "cpe-incorrect",
"description": "Applies only against version 8.2.0 and earlier"
},
{
"id": "CVE-2023-6683",
"summary": "A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6683"
},
{
"id": "CVE-2023-6693",
"summary": "A stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6693",
"detail": "cpe-incorrect",
"description": "Applies only against version 8.2.0 and earlier"
},
{
"id": "CVE-2024-3567",
"summary": "A flaw was found in QEMU. An assertion failure was present in the update_sctp_checksum() function in hw/net/net_tx_pkt.c when trying to calculate the checksum of a short-sized fragmented packet. This flaw allows a malicious guest to crash QEMU and cause a denial of service condition.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-3567"
},
{
"id": "CVE-2024-6505",
"summary": "A flaw was found in the virtio-net device in QEMU. When enabling the RSS feature on the virtio-net network card, the indirections_table data within RSS becomes controllable. Setting excessively large values may cause an index out-of-bounds issue, potentially resulting in heap overflow access. This flaw allows a privileged user in the guest to crash the QEMU process on the host.",
"scorev2": "0.0",
"scorev3": "6.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-6505"
}
]
},
{
"name": "qemuwrapper-cross",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "qemuwrapper",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "qt3d",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qt3d",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qt3d-native",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qt3d",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtbase",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtbase",
"cvesInRecord": "Yes"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2019-18281",
"summary": "An out-of-bounds memory access in the generateDirectionalRuns() function in qtextengine.cpp in Qt qtbase 5.11.x and 5.12.x before 5.12.5 allows attackers to cause a denial of service by crashing an application via a text file containing many directional characters.",
"scorev2": "4.3",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18281"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtbase-native",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtbase",
"cvesInRecord": "Yes"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2019-18281",
"summary": "An out-of-bounds memory access in the generateDirectionalRuns() function in qtextengine.cpp in Qt qtbase 5.11.x and 5.12.x before 5.12.5 allows attackers to cause a denial of service by crashing an application via a text file containing many directional characters.",
"scorev2": "4.3",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18281"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtcharts",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtcharts",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtconnectivity",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtconnectivity",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtdeclarative",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtdeclarative",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtdeclarative-native",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtdeclarative",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtgraphicaleffects",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtgraphicaleffects",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtimageformats",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtimageformats",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtlocation",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtlocation",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtmqtt",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtmqtt",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtmultimedia",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtmultimedia",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtquickcontrols",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtquickcontrols",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtquickcontrols2",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtquickcontrols2",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtquickcontrols2-agl",
"layer": "meta-agl-demo",
"version": "1.0+git",
"products": [
{
"product": "qtquickcontrols2-agl",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "qtquickcontrols2-agl-style",
"layer": "meta-agl-demo",
"version": "1.0+git",
"products": [
{
"product": "qtquickcontrols2-agl-style",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "qtscript",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtscript",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtsensors",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtsensors",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtserialbus",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtserialbus",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtserialport",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtserialport",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtsvg",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtsvg",
"cvesInRecord": "Yes"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2021-45930",
"summary": "Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an out-of-bounds write in QtPrivate::QCommonArrayOps::growAppend (called from QPainterPath::addPath and QPathClipper::intersect).",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45930"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtsystems",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtsystems",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qttools",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qttools",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qttools-native",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qttools",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qttranslations",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qttranslations",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtvirtualkeyboard",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtvirtualkeyboard",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtwayland",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtwayland",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtwayland-native",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtwayland",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtwebchannel",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtwebchannel",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtwebsockets",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtwebsockets",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtxmlpatterns",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtxmlpatterns",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "qtxmlpatterns-native",
"layer": "meta-qt5",
"version": "5.15.13+git",
"products": [
{
"product": "qtxmlpatterns",
"cvesInRecord": "No"
},
{
"product": "qt",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0691",
"summary": "Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0691"
},
{
"id": "CVE-2004-0692",
"summary": "The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0692"
},
{
"id": "CVE-2004-0693",
"summary": "The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0693"
},
{
"id": "CVE-2005-0627",
"summary": "Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0627"
},
{
"id": "CVE-2006-4811",
"summary": "Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4811"
},
{
"id": "CVE-2007-0242",
"summary": "The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0242"
},
{
"id": "CVE-2007-3388",
"summary": "Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3388"
},
{
"id": "CVE-2007-4137",
"summary": "Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4137"
},
{
"id": "CVE-2009-2700",
"summary": "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2700"
},
{
"id": "CVE-2010-1766",
"summary": "Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1766"
},
{
"id": "CVE-2010-2621",
"summary": "The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2621"
},
{
"id": "CVE-2010-5076",
"summary": "QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5076"
},
{
"id": "CVE-2011-3193",
"summary": "Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3193"
},
{
"id": "CVE-2011-3194",
"summary": "Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3194"
},
{
"id": "CVE-2012-5624",
"summary": "The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5624"
},
{
"id": "CVE-2012-6093",
"summary": "The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an \"incompatible structure layout\" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6093"
},
{
"id": "CVE-2013-0254",
"summary": "The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.",
"scorev2": "3.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0254"
},
{
"id": "CVE-2013-4549",
"summary": "QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4549"
},
{
"id": "CVE-2014-0190",
"summary": "The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0190"
},
{
"id": "CVE-2015-0295",
"summary": "The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0295"
},
{
"id": "CVE-2015-1290",
"summary": "The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.",
"scorev2": "9.3",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1290"
},
{
"id": "CVE-2015-1858",
"summary": "Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1858"
},
{
"id": "CVE-2015-1859",
"summary": "Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1859"
},
{
"id": "CVE-2015-1860",
"summary": "Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1860"
},
{
"id": "CVE-2015-7298",
"summary": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7298"
},
{
"id": "CVE-2015-9541",
"summary": "Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9541"
},
{
"id": "CVE-2017-10904",
"summary": "Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10904"
},
{
"id": "CVE-2017-10905",
"summary": "A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.",
"scorev2": "6.8",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10905"
},
{
"id": "CVE-2017-15011",
"summary": "The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15011"
},
{
"id": "CVE-2018-15518",
"summary": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"id": "CVE-2018-19865",
"summary": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"id": "CVE-2018-19869",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19869"
},
{
"id": "CVE-2018-19870",
"summary": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
},
{
"id": "CVE-2018-19871",
"summary": "An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19871"
},
{
"id": "CVE-2018-19872",
"summary": "An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19872"
},
{
"id": "CVE-2018-19873",
"summary": "An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19873"
},
{
"id": "CVE-2018-21035",
"summary": "In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).",
"scorev2": "5.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21035"
},
{
"id": "CVE-2020-0569",
"summary": "Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.",
"scorev2": "2.7",
"scorev3": "5.7",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0569"
},
{
"id": "CVE-2020-0570",
"summary": "Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.",
"scorev2": "4.4",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0570"
},
{
"id": "CVE-2020-12267",
"summary": "setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12267"
},
{
"id": "CVE-2020-13962",
"summary": "Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13962"
},
{
"id": "CVE-2020-17507",
"summary": "An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17507"
},
{
"id": "CVE-2020-24742",
"summary": "An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24742"
},
{
"id": "CVE-2021-28025",
"summary": "Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28025"
},
{
"id": "CVE-2021-3481",
"summary": "A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.",
"scorev2": "0.0",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3481"
},
{
"id": "CVE-2021-38593",
"summary": "Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593"
},
{
"id": "CVE-2022-25255",
"summary": "In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255"
},
{
"id": "CVE-2022-25634",
"summary": "Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25634"
},
{
"id": "CVE-2022-40983",
"summary": "An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40983"
},
{
"id": "CVE-2022-43591",
"summary": "A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43591"
},
{
"id": "CVE-2023-24607",
"summary": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607"
},
{
"id": "CVE-2023-32573",
"summary": "In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573"
},
{
"id": "CVE-2023-32762",
"summary": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32762"
},
{
"id": "CVE-2023-32763",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763"
},
{
"id": "CVE-2023-33285",
"summary": "An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285"
},
{
"id": "CVE-2023-34410",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410"
},
{
"id": "CVE-2023-37369",
"summary": "In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369"
},
{
"id": "CVE-2023-38197",
"summary": "An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38197"
},
{
"id": "CVE-2023-43114",
"summary": "An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114"
},
{
"id": "CVE-2023-51714",
"summary": "An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714"
},
{
"id": "CVE-2024-39936",
"summary": "An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39936"
}
]
},
{
"name": "quilt-native",
"layer": "meta",
"version": "0.67",
"products": [
{
"product": "quilt",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "quota",
"layer": "meta",
"version": "4.09",
"products": [
{
"product": "linux_diskquota",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2012-3417",
"summary": "The good_client function in rquotad (rquota_svc.c) in Linux DiskQuota (aka quota) before 3.17 invokes the hosts_ctl function the first time without a host name, which might allow remote attackers to bypass TCP Wrappers rules in hosts.deny.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3417"
}
]
},
{
"name": "radio",
"layer": "meta-agl-demo",
"version": "1.0+git",
"products": [
{
"product": "radio",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2007-5755",
"summary": "Multiple stack-based buffer overflows in the AOL AmpX ActiveX control in AmpX.dll 2.6.1.11 in AOL Radio allow remote attackers to execute arbitrary code via long arguments to unspecified methods.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5755"
}
]
},
{
"name": "re2",
"layer": "meta-oe",
"version": "2024.03.01",
"products": [
{
"product": "re2",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "re2-native",
"layer": "meta-oe",
"version": "2024.03.01",
"products": [
{
"product": "re2",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "re2c-native",
"layer": "meta",
"version": "3.1",
"products": [
{
"product": "re2c",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2018-21232",
"summary": "re2c before 2.0 has uncontrolled recursion that causes stack consumption in find_fixed_tags.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21232"
},
{
"id": "CVE-2020-11958",
"summary": "re2c 1.3 has a heap-based buffer overflow in Scanner::fill in parse/scanner.cc via a long lexeme.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11958"
},
{
"id": "CVE-2022-23901",
"summary": "A stack overflow re2c 2.2 exists due to infinite recursion issues in src/dfa/dead_rules.cc.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23901"
}
]
},
{
"name": "readline",
"layer": "meta",
"version": "8.2",
"products": [
{
"product": "readline",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2014-2524",
"summary": "The _rl_tropen function in util.c in GNU readline before 6.3 patch 3 allows local users to create or overwrite arbitrary files via a symlink attack on a /var/tmp/rltrace.[PID] file.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2524"
}
]
},
{
"name": "readline-native",
"layer": "meta",
"version": "8.2",
"products": [
{
"product": "readline",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2014-2524",
"summary": "The _rl_tropen function in util.c in GNU readline before 6.3 patch 3 allows local users to create or overwrite arbitrary files via a symlink attack on a /var/tmp/rltrace.[PID] file.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2524"
}
]
},
{
"name": "refpolicy-targeted",
"layer": "meta-selinux",
"version": "2.20240226+git",
"products": [
{
"product": "refpolicy-targeted",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "resolv-conf-relabel",
"layer": "meta-netboot",
"version": "1.0",
"products": [
{
"product": "resolv-conf-relabel",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "rng-tools",
"layer": "meta",
"version": "6.16",
"products": [
{
"product": "rng-tools",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "rpcbind",
"layer": "meta",
"version": "1.2.6",
"products": [
{
"product": "rpcbind",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2010-2061",
"summary": "rpcbind 0.2.0 does not properly validate (1) /tmp/portmap.xdr and (2) /tmp/rpcbind.xdr, which can be created by an attacker before the daemon is started.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2061"
},
{
"id": "CVE-2010-2064",
"summary": "rpcbind 0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /tmp/portmap.xdr and (2) /tmp/rpcbind.xdr.",
"scorev2": "3.6",
"scorev3": "7.1",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2064"
},
{
"id": "CVE-2015-7236",
"summary": "Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via crafted packets, involving a PMAP_CALLIT code.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7236"
},
{
"id": "CVE-2017-8779",
"summary": "rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.",
"scorev2": "7.8",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8779"
}
]
},
{
"name": "rpm",
"layer": "meta",
"version": "1_4.19.1.1",
"products": [
{
"product": "rpm",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2005-4889",
"summary": "lib/fsm.c in RPM before 4.4.3 does not properly reset the metadata of an executable file during deletion of the file in an RPM package removal, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file, a related issue to CVE-2010-2059.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4889"
},
{
"id": "CVE-2010-2059",
"summary": "lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and RPM before 4.4.3, does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2059"
},
{
"id": "CVE-2010-2197",
"summary": "rpmbuild in RPM 4.8.0 and earlier does not properly parse the syntax of spec files, which allows user-assisted remote attackers to remove home directories via vectors involving a ;~ (semicolon tilde) sequence in a Name tag.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2197"
},
{
"id": "CVE-2010-2198",
"summary": "lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to gain privileges or bypass intended access restrictions by creating a hard link to a vulnerable file that has (1) POSIX file capabilities or (2) SELinux context information, a related issue to CVE-2010-2059.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2198"
},
{
"id": "CVE-2010-2199",
"summary": "lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to bypass intended access restrictions by creating a hard link to a vulnerable file that has a POSIX ACL, a related issue to CVE-2010-2059.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2199"
},
{
"id": "CVE-2011-3378",
"summary": "RPM 4.4.x through 4.9.x, probably before 4.9.1.2, allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via an rpm package with crafted headers and offsets that are not properly handled when a package is queried or installed, related to (1) the regionSwab function, (2) the headerLoad function, and (3) multiple functions in rpmio/rpmpgp.c.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3378"
},
{
"id": "CVE-2012-0060",
"summary": "RPM before 4.9.1.3 does not properly validate region tags, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an invalid region tag in a package header to the (1) headerLoad, (2) rpmReadSignature, or (3) headerVerify function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0060"
},
{
"id": "CVE-2012-0061",
"summary": "The headerLoad function in lib/header.c in RPM before 4.9.1.3 does not properly validate region tags, which allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large region size in a package header.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0061"
},
{
"id": "CVE-2012-0815",
"summary": "The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range comparison.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0815"
},
{
"id": "CVE-2012-6088",
"summary": "The rpmpkgRead function in lib/package.c in RPM 4.10.x before 4.10.2 does not return an error code in certain situations involving an \"unparseable signature,\" which allows remote attackers to bypass RPM signature checks via a crafted package.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6088"
},
{
"id": "CVE-2013-6435",
"summary": "Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6435"
},
{
"id": "CVE-2014-8118",
"summary": "Integer overflow in RPM 4.12 and earlier allows remote attackers to execute arbitrary code via a crafted CPIO header in the payload section of an RPM file, which triggers a stack-based buffer overflow.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8118"
},
{
"id": "CVE-2017-7500",
"summary": "It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7500"
},
{
"id": "CVE-2017-7501",
"summary": "It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7501"
},
{
"id": "CVE-2021-20266",
"summary": "A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.",
"scorev2": "4.0",
"scorev3": "4.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20266"
},
{
"id": "CVE-2021-20271",
"summary": "A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.",
"scorev2": "5.1",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20271"
},
{
"id": "CVE-2021-3421",
"summary": "A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3421"
},
{
"id": "CVE-2021-3521",
"summary": "There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a \"binding signature.\" RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3521"
},
{
"id": "CVE-2021-35937",
"summary": "A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "0.0",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-35937"
},
{
"id": "CVE-2021-35938",
"summary": "A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-35938"
},
{
"id": "CVE-2021-35939",
"summary": "It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-35939"
}
]
},
{
"name": "rpm-native",
"layer": "meta",
"version": "1_4.19.1.1",
"products": [
{
"product": "rpm",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2005-4889",
"summary": "lib/fsm.c in RPM before 4.4.3 does not properly reset the metadata of an executable file during deletion of the file in an RPM package removal, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file, a related issue to CVE-2010-2059.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4889"
},
{
"id": "CVE-2010-2059",
"summary": "lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and RPM before 4.4.3, does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2059"
},
{
"id": "CVE-2010-2197",
"summary": "rpmbuild in RPM 4.8.0 and earlier does not properly parse the syntax of spec files, which allows user-assisted remote attackers to remove home directories via vectors involving a ;~ (semicolon tilde) sequence in a Name tag.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2197"
},
{
"id": "CVE-2010-2198",
"summary": "lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to gain privileges or bypass intended access restrictions by creating a hard link to a vulnerable file that has (1) POSIX file capabilities or (2) SELinux context information, a related issue to CVE-2010-2059.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2198"
},
{
"id": "CVE-2010-2199",
"summary": "lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to bypass intended access restrictions by creating a hard link to a vulnerable file that has a POSIX ACL, a related issue to CVE-2010-2059.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2199"
},
{
"id": "CVE-2011-3378",
"summary": "RPM 4.4.x through 4.9.x, probably before 4.9.1.2, allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via an rpm package with crafted headers and offsets that are not properly handled when a package is queried or installed, related to (1) the regionSwab function, (2) the headerLoad function, and (3) multiple functions in rpmio/rpmpgp.c.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3378"
},
{
"id": "CVE-2012-0060",
"summary": "RPM before 4.9.1.3 does not properly validate region tags, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an invalid region tag in a package header to the (1) headerLoad, (2) rpmReadSignature, or (3) headerVerify function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0060"
},
{
"id": "CVE-2012-0061",
"summary": "The headerLoad function in lib/header.c in RPM before 4.9.1.3 does not properly validate region tags, which allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large region size in a package header.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0061"
},
{
"id": "CVE-2012-0815",
"summary": "The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range comparison.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0815"
},
{
"id": "CVE-2012-6088",
"summary": "The rpmpkgRead function in lib/package.c in RPM 4.10.x before 4.10.2 does not return an error code in certain situations involving an \"unparseable signature,\" which allows remote attackers to bypass RPM signature checks via a crafted package.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6088"
},
{
"id": "CVE-2013-6435",
"summary": "Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6435"
},
{
"id": "CVE-2014-8118",
"summary": "Integer overflow in RPM 4.12 and earlier allows remote attackers to execute arbitrary code via a crafted CPIO header in the payload section of an RPM file, which triggers a stack-based buffer overflow.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8118"
},
{
"id": "CVE-2017-7500",
"summary": "It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7500"
},
{
"id": "CVE-2017-7501",
"summary": "It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7501"
},
{
"id": "CVE-2021-20266",
"summary": "A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.",
"scorev2": "4.0",
"scorev3": "4.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20266"
},
{
"id": "CVE-2021-20271",
"summary": "A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.",
"scorev2": "5.1",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20271"
},
{
"id": "CVE-2021-3421",
"summary": "A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3421"
},
{
"id": "CVE-2021-3521",
"summary": "There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a \"binding signature.\" RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3521"
},
{
"id": "CVE-2021-35937",
"summary": "A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "0.0",
"scorev3": "6.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-35937"
},
{
"id": "CVE-2021-35938",
"summary": "A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-35938"
},
{
"id": "CVE-2021-35939",
"summary": "It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-35939"
}
]
},
{
"name": "rsync",
"layer": "meta",
"version": "3.2.7",
"products": [
{
"product": "rsync",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-0473",
"summary": "The rsync command before rsync 2.3.1 may inadvertently change the permissions of the client's working directory to the permissions of the directory being transferred.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0473"
},
{
"id": "CVE-2002-0048",
"summary": "Multiple signedness errors (mixed signed and unsigned numbers) in the I/O functions of rsync 2.4.6, 2.3.2, and other versions allow remote attackers to cause a denial of service and execute arbitrary code in the rsync client or server.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0048"
},
{
"id": "CVE-2002-0080",
"summary": "rsync, when running in daemon mode, does not properly call setgroups before dropping privileges, which could provide supplemental group privileges to local users, who could then read certain files that would otherwise be disallowed.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0080"
},
{
"id": "CVE-2003-0962",
"summary": "Heap-based buffer overflow in rsync before 2.5.7, when running in server mode, allows remote attackers to execute arbitrary code and possibly escape the chroot jail.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0962"
},
{
"id": "CVE-2004-0426",
"summary": "rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0426"
},
{
"id": "CVE-2004-0792",
"summary": "Directory traversal vulnerability in the sanitize_path function in util.c for rsync 2.6.2 and earlier, when chroot is disabled, allows attackers to read or write certain files.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0792"
},
{
"id": "CVE-2006-2083",
"summary": "Integer overflow in the receive_xattr function in the extended attributes patch (xattr.c) for rsync before 2.6.8 might allow attackers to execute arbitrary code via crafted extended attributes that trigger a buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2083"
},
{
"id": "CVE-2007-4091",
"summary": "Multiple off-by-one errors in the sender.c in rsync 2.6.9 might allow remote attackers to execute arbitrary code via directory names that are not properly handled when calling the f_name function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4091"
},
{
"id": "CVE-2007-6199",
"summary": "rsync before 3.0.0pre6, when running a writable rsync daemon that is not using chroot, allows remote attackers to access restricted files via unknown vectors that cause rsync to create a symlink that points outside of the module's hierarchy.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6199"
},
{
"id": "CVE-2007-6200",
"summary": "Unspecified vulnerability in rsync before 3.0.0pre6, when running a writable rsync daemon, allows remote attackers to bypass exclude, exclude_from, and filter and read or write hidden files via (1) symlink, (2) partial-dir, (3) backup-dir, and unspecified (4) dest options.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6200"
},
{
"id": "CVE-2008-1720",
"summary": "Buffer overflow in rsync 2.6.9 to 3.0.1, with extended attribute (xattr) support enabled, might allow remote attackers to execute arbitrary code via unknown vectors.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1720"
},
{
"id": "CVE-2011-1097",
"summary": "rsync 3.x before 3.0.8, when certain recursion, deletion, and ownership options are used, allows remote rsync servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via malformed data.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1097"
},
{
"id": "CVE-2014-2855",
"summary": "The check_secret function in authenticate.c in rsync 3.1.0 and earlier allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a user name which does not exist in the secrets file.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2855"
},
{
"id": "CVE-2014-9512",
"summary": "rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9512"
},
{
"id": "CVE-2017-15994",
"summary": "rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15994"
},
{
"id": "CVE-2017-16548",
"summary": "The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16548"
},
{
"id": "CVE-2017-17433",
"summary": "The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17433"
},
{
"id": "CVE-2017-17434",
"summary": "The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in \"xname follows\" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17434"
},
{
"id": "CVE-2018-5764",
"summary": "The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5764"
},
{
"id": "CVE-2020-14387",
"summary": "A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly validates certificate with host mismatch vulnerability. A remote, unauthenticated attacker could exploit the flaw by performing a man-in-the-middle attack using a valid certificate for another hostname which could compromise confidentiality and integrity of data transmitted using rsync-ssl. The highest threat from this vulnerability is to data confidentiality and integrity. This flaw affects rsync versions before 3.2.4.",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14387"
},
{
"id": "CVE-2022-29154",
"summary": "An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).",
"scorev2": "0.0",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29154"
}
]
},
{
"name": "rsync-native",
"layer": "meta",
"version": "3.2.7",
"products": [
{
"product": "rsync",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-1999-0473",
"summary": "The rsync command before rsync 2.3.1 may inadvertently change the permissions of the client's working directory to the permissions of the directory being transferred.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0473"
},
{
"id": "CVE-2002-0048",
"summary": "Multiple signedness errors (mixed signed and unsigned numbers) in the I/O functions of rsync 2.4.6, 2.3.2, and other versions allow remote attackers to cause a denial of service and execute arbitrary code in the rsync client or server.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0048"
},
{
"id": "CVE-2002-0080",
"summary": "rsync, when running in daemon mode, does not properly call setgroups before dropping privileges, which could provide supplemental group privileges to local users, who could then read certain files that would otherwise be disallowed.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0080"
},
{
"id": "CVE-2003-0962",
"summary": "Heap-based buffer overflow in rsync before 2.5.7, when running in server mode, allows remote attackers to execute arbitrary code and possibly escape the chroot jail.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0962"
},
{
"id": "CVE-2004-0426",
"summary": "rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0426"
},
{
"id": "CVE-2004-0792",
"summary": "Directory traversal vulnerability in the sanitize_path function in util.c for rsync 2.6.2 and earlier, when chroot is disabled, allows attackers to read or write certain files.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0792"
},
{
"id": "CVE-2006-2083",
"summary": "Integer overflow in the receive_xattr function in the extended attributes patch (xattr.c) for rsync before 2.6.8 might allow attackers to execute arbitrary code via crafted extended attributes that trigger a buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2083"
},
{
"id": "CVE-2007-4091",
"summary": "Multiple off-by-one errors in the sender.c in rsync 2.6.9 might allow remote attackers to execute arbitrary code via directory names that are not properly handled when calling the f_name function.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4091"
},
{
"id": "CVE-2007-6199",
"summary": "rsync before 3.0.0pre6, when running a writable rsync daemon that is not using chroot, allows remote attackers to access restricted files via unknown vectors that cause rsync to create a symlink that points outside of the module's hierarchy.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6199"
},
{
"id": "CVE-2007-6200",
"summary": "Unspecified vulnerability in rsync before 3.0.0pre6, when running a writable rsync daemon, allows remote attackers to bypass exclude, exclude_from, and filter and read or write hidden files via (1) symlink, (2) partial-dir, (3) backup-dir, and unspecified (4) dest options.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6200"
},
{
"id": "CVE-2008-1720",
"summary": "Buffer overflow in rsync 2.6.9 to 3.0.1, with extended attribute (xattr) support enabled, might allow remote attackers to execute arbitrary code via unknown vectors.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1720"
},
{
"id": "CVE-2011-1097",
"summary": "rsync 3.x before 3.0.8, when certain recursion, deletion, and ownership options are used, allows remote rsync servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via malformed data.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1097"
},
{
"id": "CVE-2014-2855",
"summary": "The check_secret function in authenticate.c in rsync 3.1.0 and earlier allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a user name which does not exist in the secrets file.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2855"
},
{
"id": "CVE-2014-9512",
"summary": "rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path.",
"scorev2": "6.4",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9512"
},
{
"id": "CVE-2017-15994",
"summary": "rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15994"
},
{
"id": "CVE-2017-16548",
"summary": "The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16548"
},
{
"id": "CVE-2017-17433",
"summary": "The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17433"
},
{
"id": "CVE-2017-17434",
"summary": "The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in \"xname follows\" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17434"
},
{
"id": "CVE-2018-5764",
"summary": "The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5764"
},
{
"id": "CVE-2020-14387",
"summary": "A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly validates certificate with host mismatch vulnerability. A remote, unauthenticated attacker could exploit the flaw by performing a man-in-the-middle attack using a valid certificate for another hostname which could compromise confidentiality and integrity of data transmitted using rsync-ssl. The highest threat from this vulnerability is to data confidentiality and integrity. This flaw affects rsync versions before 3.2.4.",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14387"
},
{
"id": "CVE-2022-29154",
"summary": "An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).",
"scorev2": "0.0",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29154"
}
]
},
{
"name": "rtl-sdr",
"layer": "meta-agl-demo",
"version": "0.5.3",
"products": [
{
"product": "rtl-sdr",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "run-postinsts",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "run-postinsts",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "rust-llvm-native",
"layer": "meta",
"version": "1.75.0",
"products": [
{
"product": "rust-llvm",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "rust-native",
"layer": "meta",
"version": "1.75.0",
"products": [
{
"product": "rust",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-20001",
"summary": "In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory safety violation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-20001"
},
{
"id": "CVE-2017-20004",
"summary": "In the standard library in Rust before 1.19.0, there is a synchronization problem in the MutexGuard object. MutexGuards can be used across threads with any types, allowing for memory safety issues through race conditions.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-20004"
},
{
"id": "CVE-2018-1000622",
"summary": "The Rust Programming Language rustdoc version Between 0.8 and 1.27.0 contains a CWE-427: Uncontrolled Search Path Element vulnerability in rustdoc plugins that can result in local code execution as a different user. This attack appear to be exploitable via using the --plugin flag without the --plugin-path flag. This vulnerability appears to have been fixed in 1.27.1.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000622"
},
{
"id": "CVE-2018-1000657",
"summary": "Rust Programming Language Rust standard library version Commit bfa0e1f58acf1c28d500c34ed258f09ae021893e and later; stable release 1.3.0 and later contains a Buffer Overflow vulnerability in std::collections::vec_deque::VecDeque::reserve() function that can result in Arbitrary code execution, but no proof-of-concept exploit is currently published.. This vulnerability appears to have been fixed in after commit fdfafb510b1a38f727e920dccbeeb638d39a8e60; stable release 1.22.0 and later.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000657"
},
{
"id": "CVE-2018-1000810",
"summary": "The Rust Programming Language Standard Library version 1.29.0, 1.28.0, 1.27.2, 1.27.1, 127.0, 126.2, 126.1, 126.0 contains a CWE-680: Integer Overflow to Buffer Overflow vulnerability in standard library that can result in buffer overflow. This attack appear to be exploitable via str::repeat, passed a large number, can overflow an internal buffer. This vulnerability appears to have been fixed in 1.29.1.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000810"
},
{
"id": "CVE-2018-25008",
"summary": "In the standard library in Rust before 1.29.0, there is weak synchronization in the Arc::get_mut method. This synchronization issue can be lead to memory safety issues through race conditions.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-25008"
},
{
"id": "CVE-2019-1010299",
"summary": "The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure. The impact is: Contents of uninitialized memory could be printed to string or to log file. The component is: Debug trait implementation for std::collections::vec_deque::Iter. The attack vector is: The program needs to invoke debug printing for iterator over an empty VecDeque. The fixed version is: 1.30.0, nightly versions after commit b85e4cc8fadaabd41da5b9645c08c68b8f89908d.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010299"
},
{
"id": "CVE-2019-12083",
"summary": "The Rust Programming Language Standard Library 1.34.x before 1.34.2 contains a stabilized method which, if overridden, can violate Rust's safety guarantees and cause memory unsafety. If the `Error::type_id` method is overridden then any type can be safely cast to any other type, causing memory safety vulnerabilities in safe code (e.g., out-of-bounds write or read). Code that does not manually implement Error::type_id is unaffected.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12083"
},
{
"id": "CVE-2019-16760",
"summary": "Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package` configuration key. Usage of the `package` key to rename dependencies in `Cargo.toml` is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo may download the wrong dependency, which could be squatted on crates.io to be a malicious package. This not only affects manifests that you write locally yourself, but also manifests published to crates.io. Rust 1.0.0 through Rust 1.25.0 is affected by this advisory because Cargo will ignore the `package` key in manifests. Rust 1.26.0 through Rust 1.30.0 are not affected and typically will emit an error because the `package` key is unstable. Rust 1.31.0 and after are not affected because Cargo understands the `package` key. Users of the affected versions are strongly encouraged to update their compiler to the latest available one. Preventing this issue from happening requires updating your compiler to be either Rust 1.26.0 or newer. There will be no point release for Rust versions prior to 1.26.0. Users of Rust 1.19.0 to Rust 1.25.0 can instead apply linked patches to mitigate the issue.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16760"
},
{
"id": "CVE-2020-36317",
"summary": "In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the same string.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36317"
},
{
"id": "CVE-2020-36318",
"summary": "In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36318"
},
{
"id": "CVE-2020-36323",
"summary": "In the standard library in Rust before 1.52.0, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.",
"scorev2": "6.4",
"scorev3": "8.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36323"
},
{
"id": "CVE-2021-28875",
"summary": "In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28875"
},
{
"id": "CVE-2021-28876",
"summary": "In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.",
"scorev2": "4.3",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28876"
},
{
"id": "CVE-2021-28877",
"summary": "In the standard library in Rust before 1.51.0, the Zip implementation calls __iterator_get_unchecked() for the same index more than once when nested. This bug can lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28877"
},
{
"id": "CVE-2021-28878",
"summary": "In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once for the same index (under certain conditions) when next_back() and next() are used together. This bug could lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.",
"scorev2": "4.3",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28878"
},
{
"id": "CVE-2021-28879",
"summary": "In the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to an integer overflow. This bug can lead to a buffer overflow when a consumed Zip iterator is used again.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28879"
},
{
"id": "CVE-2021-29922",
"summary": "library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29922"
},
{
"id": "CVE-2021-31162",
"summary": "In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if freeing the element panics.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-31162"
},
{
"id": "CVE-2022-21658",
"summary": "Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions.",
"scorev2": "3.3",
"scorev3": "6.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-21658"
},
{
"id": "CVE-2023-40030",
"summary": "Cargo downloads a Rust project\u2019s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by `cargo build --timings`. A malicious package included as a dependency may inject nearly arbitrary HTML here, potentially leading to cross-site scripting if the report is subsequently uploaded somewhere. The vulnerability affects users relying on dependencies from git, local paths, or alternative registries. Users who solely depend on crates.io are unaffected.\n\nRust 1.60.0 introduced `cargo build --timings`, which produces a report of how long the different steps of the build process took. It includes lists of Cargo features for each crate. Prior to Rust 1.72, Cargo feature names were allowed to contain almost any characters (with some exceptions as used by the feature syntax), but it would produce a future incompatibility warning about them since Rust 1.49. crates.io is far more stringent about what it considers a valid feature name and has not allowed such feature names. As the feature names were included unescaped in the timings report, they could be used to inject Javascript into the page, for example with a feature name like `features = [\"![]()
O) in a CREATE TABLE statement.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3415"
},
{
"id": "CVE-2015-3416",
"summary": "The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3416"
},
{
"id": "CVE-2015-3717",
"summary": "Multiple buffer overflows in the printf functionality in SQLite, as used in Apple iOS before 8.4 and OS X before 10.10.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3717"
},
{
"id": "CVE-2015-5895",
"summary": "Multiple unspecified vulnerabilities in SQLite before 3.8.10.2, as used in Apple iOS before 9, have unknown impact and attack vectors.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5895"
},
{
"id": "CVE-2015-6607",
"summary": "SQLite before 3.8.9, as used in Android before 5.1.1 LMY48T, allows attackers to gain privileges via a crafted application, aka internal bug 20099586.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6607"
},
{
"id": "CVE-2016-6153",
"summary": "os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.",
"scorev2": "4.6",
"scorev3": "5.9",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6153"
},
{
"id": "CVE-2017-10989",
"summary": "The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10989"
},
{
"id": "CVE-2017-13685",
"summary": "The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13685"
},
{
"id": "CVE-2017-15286",
"summary": "SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in shell.c because it fails to consider certain cases where `sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never initialized.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15286"
},
{
"id": "CVE-2018-20346",
"summary": "SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20346"
},
{
"id": "CVE-2018-20505",
"summary": "SQLite 3.25.2, when queries are run on a table with a malformed PRIMARY KEY, allows remote attackers to cause a denial of service (application crash) by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20505"
},
{
"id": "CVE-2018-20506",
"summary": "SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a \"merge\" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20506"
},
{
"id": "CVE-2018-8740",
"summary": "In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8740"
},
{
"id": "CVE-2019-16168",
"summary": "In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16168"
},
{
"id": "CVE-2019-19242",
"summary": "SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19242"
},
{
"id": "CVE-2019-19244",
"summary": "sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19244"
},
{
"id": "CVE-2019-19317",
"summary": "lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service or possibly have unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19317"
},
{
"id": "CVE-2019-19603",
"summary": "SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19603"
},
{
"id": "CVE-2019-19645",
"summary": "alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19645"
},
{
"id": "CVE-2019-19646",
"summary": "pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19646"
},
{
"id": "CVE-2019-19880",
"summary": "exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19880"
},
{
"id": "CVE-2019-19923",
"summary": "flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19923"
},
{
"id": "CVE-2019-19924",
"summary": "SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19924"
},
{
"id": "CVE-2019-19925",
"summary": "zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19925"
},
{
"id": "CVE-2019-19926",
"summary": "multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19926"
},
{
"id": "CVE-2019-19959",
"summary": "ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19959"
},
{
"id": "CVE-2019-20218",
"summary": "selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20218"
},
{
"id": "CVE-2019-5018",
"summary": "An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5018"
},
{
"id": "CVE-2019-8457",
"summary": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8457"
},
{
"id": "CVE-2019-9936",
"summary": "In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9936"
},
{
"id": "CVE-2019-9937",
"summary": "In SQLite 3.27.2, interleaving reads and writes in a single transaction with an fts5 virtual table will lead to a NULL Pointer Dereference in fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and ext/fts5/fts5_index.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9937"
},
{
"id": "CVE-2020-11655",
"summary": "SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11655"
},
{
"id": "CVE-2020-11656",
"summary": "In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11656"
},
{
"id": "CVE-2020-13434",
"summary": "SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13434"
},
{
"id": "CVE-2020-13435",
"summary": "SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13435"
},
{
"id": "CVE-2020-13630",
"summary": "ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13630"
},
{
"id": "CVE-2020-13631",
"summary": "SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13631"
},
{
"id": "CVE-2020-13632",
"summary": "ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13632"
},
{
"id": "CVE-2020-13871",
"summary": "SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13871"
},
{
"id": "CVE-2020-15358",
"summary": "In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15358"
},
{
"id": "CVE-2020-35525",
"summary": "In SQlite 3.31.1, a potential null pointer derreference was found in the INTERSEC query processing.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35525"
},
{
"id": "CVE-2020-35527",
"summary": "In SQLite 3.31.1, there is an out of bounds access problem through ALTER TABLE for views that have a nested FROM clause.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35527"
},
{
"id": "CVE-2020-9327",
"summary": "In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-9327"
},
{
"id": "CVE-2021-20227",
"summary": "A flaw was found in SQLite's SELECT query functionality (src/select.c). This flaw allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. The highest threat from this vulnerability is to system availability.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20227"
},
{
"id": "CVE-2021-31239",
"summary": "An issue found in SQLite SQLite3 v.3.35.4 that allows a remote attacker to cause a denial of service via the appendvfs.c function.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-31239"
},
{
"id": "CVE-2021-36690",
"summary": "A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is intentionally allowed to execute commands). This report does NOT imply any problem in the SQLite library.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-36690"
},
{
"id": "CVE-2021-45346",
"summary": "A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.",
"scorev2": "4.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45346"
},
{
"id": "CVE-2022-35737",
"summary": "SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35737"
},
{
"id": "CVE-2022-46908",
"summary": "SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.",
"scorev2": "0.0",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-46908"
},
{
"id": "CVE-2023-7104",
"summary": "A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.",
"scorev2": "5.2",
"scorev3": "7.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-7104"
},
{
"id": "CVE-2024-0232",
"summary": "A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a crash and leading to a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0232"
}
]
},
{
"name": "sqlite3-native",
"layer": "meta",
"version": "3_3.45.1",
"products": [
{
"product": "sqlite",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2008-6589",
"summary": "Multiple cross-site scripting (XSS) vulnerabilities in LightNEasy \"no database\" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) index.php and (2) LightNEasy.php.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-6589"
},
{
"id": "CVE-2008-6590",
"summary": "Multiple directory traversal vulnerabilities in LightNEasy \"no database\" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allow remote attackers to read arbitrary files via a .. (dot dot) in the page parameter to (1) index.php and (2) LightNEasy.php.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-6590"
},
{
"id": "CVE-2008-6592",
"summary": "thumbsup.php in Thumbs-Up 1.12, as used in LightNEasy \"no database\" (aka flat) and SQLite 1.2.2 and earlier, allows remote attackers to copy, rename, and read arbitrary files via directory traversal sequences in the image parameter with a modified cache_dir parameter containing a %00 (encoded null byte).",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-6592"
},
{
"id": "CVE-2008-6593",
"summary": "SQL injection vulnerability in LightNEasy/lightneasy.php in LightNEasy SQLite 1.2.2 and earlier allows remote attackers to inject arbitrary PHP code into comments.dat via the dlid parameter to index.php.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-6593"
},
{
"id": "CVE-2013-7443",
"summary": "Buffer overflow in the skip-scan optimization in SQLite 3.8.2 allows remote attackers to cause a denial of service (crash) via crafted SQL statements.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7443"
},
{
"id": "CVE-2015-3414",
"summary": "SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE\"\"\"\"\"\"\"\" at the end of a SELECT statement.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3414"
},
{
"id": "CVE-2015-3415",
"summary": "The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3415"
},
{
"id": "CVE-2015-3416",
"summary": "The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3416"
},
{
"id": "CVE-2015-3717",
"summary": "Multiple buffer overflows in the printf functionality in SQLite, as used in Apple iOS before 8.4 and OS X before 10.10.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3717"
},
{
"id": "CVE-2015-5895",
"summary": "Multiple unspecified vulnerabilities in SQLite before 3.8.10.2, as used in Apple iOS before 9, have unknown impact and attack vectors.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5895"
},
{
"id": "CVE-2015-6607",
"summary": "SQLite before 3.8.9, as used in Android before 5.1.1 LMY48T, allows attackers to gain privileges via a crafted application, aka internal bug 20099586.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6607"
},
{
"id": "CVE-2016-6153",
"summary": "os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.",
"scorev2": "4.6",
"scorev3": "5.9",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6153"
},
{
"id": "CVE-2017-10989",
"summary": "The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10989"
},
{
"id": "CVE-2017-13685",
"summary": "The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13685"
},
{
"id": "CVE-2017-15286",
"summary": "SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in shell.c because it fails to consider certain cases where `sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never initialized.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15286"
},
{
"id": "CVE-2018-20346",
"summary": "SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20346"
},
{
"id": "CVE-2018-20505",
"summary": "SQLite 3.25.2, when queries are run on a table with a malformed PRIMARY KEY, allows remote attackers to cause a denial of service (application crash) by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20505"
},
{
"id": "CVE-2018-20506",
"summary": "SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a \"merge\" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20506"
},
{
"id": "CVE-2018-8740",
"summary": "In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8740"
},
{
"id": "CVE-2019-16168",
"summary": "In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16168"
},
{
"id": "CVE-2019-19242",
"summary": "SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19242"
},
{
"id": "CVE-2019-19244",
"summary": "sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19244"
},
{
"id": "CVE-2019-19317",
"summary": "lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service or possibly have unspecified other impact.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19317"
},
{
"id": "CVE-2019-19603",
"summary": "SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19603"
},
{
"id": "CVE-2019-19645",
"summary": "alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19645"
},
{
"id": "CVE-2019-19646",
"summary": "pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19646"
},
{
"id": "CVE-2019-19880",
"summary": "exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19880"
},
{
"id": "CVE-2019-19923",
"summary": "flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19923"
},
{
"id": "CVE-2019-19924",
"summary": "SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19924"
},
{
"id": "CVE-2019-19925",
"summary": "zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19925"
},
{
"id": "CVE-2019-19926",
"summary": "multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19926"
},
{
"id": "CVE-2019-19959",
"summary": "ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19959"
},
{
"id": "CVE-2019-20218",
"summary": "selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20218"
},
{
"id": "CVE-2019-5018",
"summary": "An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5018"
},
{
"id": "CVE-2019-8457",
"summary": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8457"
},
{
"id": "CVE-2019-9936",
"summary": "In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9936"
},
{
"id": "CVE-2019-9937",
"summary": "In SQLite 3.27.2, interleaving reads and writes in a single transaction with an fts5 virtual table will lead to a NULL Pointer Dereference in fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and ext/fts5/fts5_index.c.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9937"
},
{
"id": "CVE-2020-11655",
"summary": "SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11655"
},
{
"id": "CVE-2020-11656",
"summary": "In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11656"
},
{
"id": "CVE-2020-13434",
"summary": "SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13434"
},
{
"id": "CVE-2020-13435",
"summary": "SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13435"
},
{
"id": "CVE-2020-13630",
"summary": "ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.",
"scorev2": "4.4",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13630"
},
{
"id": "CVE-2020-13631",
"summary": "SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13631"
},
{
"id": "CVE-2020-13632",
"summary": "ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13632"
},
{
"id": "CVE-2020-13871",
"summary": "SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13871"
},
{
"id": "CVE-2020-15358",
"summary": "In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15358"
},
{
"id": "CVE-2020-35525",
"summary": "In SQlite 3.31.1, a potential null pointer derreference was found in the INTERSEC query processing.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35525"
},
{
"id": "CVE-2020-35527",
"summary": "In SQLite 3.31.1, there is an out of bounds access problem through ALTER TABLE for views that have a nested FROM clause.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35527"
},
{
"id": "CVE-2020-9327",
"summary": "In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-9327"
},
{
"id": "CVE-2021-20227",
"summary": "A flaw was found in SQLite's SELECT query functionality (src/select.c). This flaw allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. The highest threat from this vulnerability is to system availability.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20227"
},
{
"id": "CVE-2021-31239",
"summary": "An issue found in SQLite SQLite3 v.3.35.4 that allows a remote attacker to cause a denial of service via the appendvfs.c function.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-31239"
},
{
"id": "CVE-2021-36690",
"summary": "A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is intentionally allowed to execute commands). This report does NOT imply any problem in the SQLite library.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-36690"
},
{
"id": "CVE-2021-45346",
"summary": "A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.",
"scorev2": "4.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45346"
},
{
"id": "CVE-2022-35737",
"summary": "SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-35737"
},
{
"id": "CVE-2022-46908",
"summary": "SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.",
"scorev2": "0.0",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-46908"
},
{
"id": "CVE-2023-7104",
"summary": "A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.",
"scorev2": "5.2",
"scorev3": "7.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-7104"
},
{
"id": "CVE-2024-0232",
"summary": "A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a crash and leading to a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0232"
}
]
},
{
"name": "strace",
"layer": "meta",
"version": "6.7",
"products": [
{
"product": "strace",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2000-0006",
"summary": "strace allows local users to read arbitrary files via memory mapped file names.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:N",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0006"
}
]
},
{
"name": "subversion-native",
"layer": "meta",
"version": "1.14.3",
"products": [
{
"product": "subversion",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2010-3315",
"summary": "authz.c in the mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x before 1.5.8 and 1.6.x before 1.6.13, when SVNPathAuthz short_circuit is enabled, does not properly handle a named repository as a rule scope, which allows remote authenticated users to bypass intended access restrictions via svn commands.",
"scorev2": "6.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3315"
},
{
"id": "CVE-2010-4539",
"summary": "The walk function in repos.c in the mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.15, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger the walking of SVNParentPath collections.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4539"
},
{
"id": "CVE-2010-4644",
"summary": "Multiple memory leaks in rev_hunt.c in Apache Subversion before 1.6.15 allow remote authenticated users to cause a denial of service (memory consumption and daemon crash) via the -g option to the blame command.",
"scorev2": "3.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4644"
},
{
"id": "CVE-2011-0715",
"summary": "The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.16, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a request that contains a lock token.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0715"
},
{
"id": "CVE-2011-1752",
"summary": "The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.17, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a request for a baselined WebDAV resource, as exploited in the wild in May 2011.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1752"
},
{
"id": "CVE-2011-1783",
"summary": "The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is enabled, allows remote attackers to cause a denial of service (infinite loop and memory consumption) in opportunistic circumstances by requesting data.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1783"
},
{
"id": "CVE-2011-1921",
"summary": "The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is disabled, does not properly enforce permissions for files that had been publicly readable in the past, which allows remote attackers to obtain sensitive information via a replay REPORT operation.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1921"
},
{
"id": "CVE-2013-1845",
"summary": "The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (memory consumption) by (1) setting or (2) deleting a large number of properties for a file or directory.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1845"
},
{
"id": "CVE-2013-1846",
"summary": "The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a LOCK on an activity URL.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1846"
},
{
"id": "CVE-2013-1847",
"summary": "The mod_dav_svn Apache HTTPD server module in Subversion 1.6.0 through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an anonymous LOCK for a URL that does not exist.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1847"
},
{
"id": "CVE-2013-1849",
"summary": "The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a PROPFIND request for an activity URL.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1849"
},
{
"id": "CVE-2013-1884",
"summary": "The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (segmentation fault and crash) via a log REPORT request with an invalid limit, which triggers an access of an uninitialized variable.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1884"
},
{
"id": "CVE-2013-1968",
"summary": "Subversion before 1.6.23 and 1.7.x before 1.7.10 allows remote authenticated users to cause a denial of service (FSFS repository corruption) via a newline character in a file name.",
"scorev2": "5.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1968"
},
{
"id": "CVE-2013-2088",
"summary": "contrib/hook-scripts/svn-keyword-check.pl in Subversion before 1.6.23 allows remote authenticated users with commit permissions to execute arbitrary commands via shell metacharacters in a filename.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2088"
},
{
"id": "CVE-2013-2112",
"summary": "The svnserve server in Subversion before 1.6.23 and 1.7.x before 1.7.10 allows remote attackers to cause a denial of service (exit) by aborting a connection.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2112"
},
{
"id": "CVE-2013-4131",
"summary": "The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.10 and 1.8.x before 1.8.1 allows remote authenticated users to cause a denial of service (assertion failure or out-of-bounds read) via a certain (1) COPY, (2) DELETE, or (3) MOVE request against a revision root.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4131"
},
{
"id": "CVE-2013-4246",
"summary": "libsvn_fs_fs/fs_fs.c in Apache Subversion 1.8.x before 1.8.2 might allow remote authenticated users with commit access to corrupt FSFS repositories and cause a denial of service or obtain sensitive information by editing packed revision properties.",
"scorev2": "6.5",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4246"
},
{
"id": "CVE-2013-4262",
"summary": "svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-2013-7393.",
"scorev2": "2.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:S/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4262"
},
{
"id": "CVE-2013-4277",
"summary": "Svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through 1.8.1 allows local users to overwrite arbitrary files or kill arbitrary processes via a symlink attack on the file specified by the --pid-file option.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4277"
},
{
"id": "CVE-2013-4505",
"summary": "The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0 through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass intended access restrictions and possibly cause a denial of service (resource consumption) via a relative URL in a REPORT request.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4505"
},
{
"id": "CVE-2013-4558",
"summary": "The get_parent_resource function in repos.c in mod_dav_svn Apache HTTPD server module in Subversion 1.7.11 through 1.7.13 and 1.8.1 through 1.8.4, when built with assertions enabled and SVNAutoversioning is enabled, allows remote attackers to cause a denial of service (assertion failure and Apache process abort) via a non-canonical URL in a request, as demonstrated using a trailing /.",
"scorev2": "3.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4558"
},
{
"id": "CVE-2013-7393",
"summary": "The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions (ADT3).",
"scorev2": "2.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:S/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7393"
},
{
"id": "CVE-2014-0032",
"summary": "The get_resource function in repos.c in the mod_dav_svn module in Apache Subversion before 1.7.15 and 1.8.x before 1.8.6, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service (crash) via vectors related to the server root and request methods other than GET, as demonstrated by the \"svn ls http://svn.example.com\" command.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0032"
},
{
"id": "CVE-2014-3504",
"summary": "The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3504"
},
{
"id": "CVE-2014-3522",
"summary": "The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3522"
},
{
"id": "CVE-2014-3528",
"summary": "Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3528"
},
{
"id": "CVE-2014-3580",
"summary": "The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3580"
},
{
"id": "CVE-2014-8108",
"summary": "The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request for a URI that triggers a lookup for a virtual transaction name that does not exist.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8108"
},
{
"id": "CVE-2015-0202",
"summary": "The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remote attackers to cause a denial of service (memory consumption) via a large number of REPORT requests, which trigger the traversal of FSFS repository nodes.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0202"
},
{
"id": "CVE-2015-0248",
"summary": "The (1) mod_dav_svn and (2) svnserve servers in Subversion 1.6.0 through 1.7.19 and 1.8.0 through 1.8.11 allow remote attackers to cause a denial of service (assertion failure and abort) via crafted parameter combinations related to dynamically evaluated revision numbers.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0248"
},
{
"id": "CVE-2015-0251",
"summary": "The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 through 1.8.11 allows remote authenticated users to spoof the svn:author property via a crafted v1 HTTP protocol request sequences.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0251"
},
{
"id": "CVE-2015-3184",
"summary": "mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3184"
},
{
"id": "CVE-2015-3187",
"summary": "The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3187"
},
{
"id": "CVE-2015-5259",
"summary": "Integer overflow in the read_string function in libsvn_ra_svn/marshal.c in Apache Subversion 1.9.x before 1.9.3 allows remote attackers to execute arbitrary code via an svn:// protocol string, which triggers a heap-based buffer overflow and an out-of-bounds read.",
"scorev2": "9.0",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5259"
},
{
"id": "CVE-2015-5343",
"summary": "Integer overflow in util.c in mod_dav_svn in Apache Subversion 1.7.x, 1.8.x before 1.8.15, and 1.9.x before 1.9.3 allows remote authenticated users to cause a denial of service (subversion server crash or memory consumption) and possibly execute arbitrary code via a skel-encoded request body, which triggers an out-of-bounds read and heap-based buffer overflow.",
"scorev2": "8.0",
"scorev3": "7.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5343"
},
{
"id": "CVE-2016-2167",
"summary": "The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string.",
"scorev2": "4.9",
"scorev3": "6.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2167"
},
{
"id": "CVE-2016-2168",
"summary": "The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2168"
},
{
"id": "CVE-2016-8734",
"summary": "Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8734"
},
{
"id": "CVE-2017-9800",
"summary": "A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9800"
},
{
"id": "CVE-2018-11782",
"summary": "In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer. This can lead to disruption for users of the server.",
"scorev2": "4.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11782"
},
{
"id": "CVE-2018-11803",
"summary": "Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11803"
},
{
"id": "CVE-2019-0203",
"summary": "In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a client sends certain sequences of protocol commands. This can lead to disruption for users of the server.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-0203"
},
{
"id": "CVE-2020-17525",
"summary": "Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL. This can lead to disruption for users of the service. This issue was fixed in mod_dav_svn+mod_authz_svn servers 1.14.1 and mod_dav_svn+mod_authz_svn servers 1.10.7",
"scorev2": "4.3",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-17525"
},
{
"id": "CVE-2021-28544",
"summary": "Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.",
"scorev2": "3.5",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28544"
},
{
"id": "CVE-2022-24070",
"summary": "Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-24070"
}
]
},
{
"name": "swig-native",
"layer": "meta",
"version": "4.2.1",
"products": [
{
"product": "swig",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2023-25344",
"summary": "An issue was discovered in swig-templates thru 2.0.4 and swig thru 1.4.2, allows attackers to execute arbitrary code via crafted Object.prototype anonymous function.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25344"
},
{
"id": "CVE-2023-25345",
"summary": "Directory traversal vulnerability in swig-templates thru 2.0.4 and swig thru 1.4.2, allows attackers to read arbitrary files via the include or extends tags.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25345"
}
]
},
{
"name": "systemd",
"layer": "meta",
"version": "1_255.4",
"products": [
{
"product": "systemd",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2012-0871",
"summary": "The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/.",
"scorev2": "6.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0871"
},
{
"id": "CVE-2012-1101",
"summary": "systemd 37-1 does not properly handle non-existent services, which causes a denial of service (failure of login procedure).",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1101"
},
{
"id": "CVE-2012-1174",
"summary": "The rm_rf_children function in util.c in the systemd-logind login manager in systemd before 44, when logging out, allows local users to delete arbitrary files via a symlink attack on unspecified files, related to \"particular records related with user session.\"",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1174"
},
{
"id": "CVE-2013-4327",
"summary": "systemd does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4327"
},
{
"id": "CVE-2013-4391",
"summary": "Integer overflow in the valid_user_field function in journal/journald-native.c in systemd allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large journal data field, which triggers a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4391"
},
{
"id": "CVE-2013-4392",
"summary": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4392"
},
{
"id": "CVE-2013-4393",
"summary": "journald in systemd, when the origin of native messages is set to file, allows local users to cause a denial of service (logging service blocking) via a crafted file descriptor.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4393"
},
{
"id": "CVE-2013-4394",
"summary": "The SetX11Keyboard function in systemd, when PolicyKit Local Authority (PKLA) is used to change the group permissions on the X Keyboard Extension (XKB) layouts description, allows local users in the group to modify the Xorg X11 Server configuration file and possibly gain privileges via vectors involving \"special and control characters.\"",
"scorev2": "5.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4394"
},
{
"id": "CVE-2015-7510",
"summary": "Stack-based buffer overflow in the getpwnam and getgrnam functions of the NSS module nss-mymachines in systemd.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7510"
},
{
"id": "CVE-2016-10156",
"summary": "A flaw in systemd v228 in /src/basic/fs-util.c caused world writable suid files to be created when using the systemd timers features, allowing local attackers to escalate their privileges to root. This is fixed in v229.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10156"
},
{
"id": "CVE-2016-7795",
"summary": "The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure and PID 1 hang) via a zero-length message received over a notify socket.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7795"
},
{
"id": "CVE-2016-7796",
"summary": "The manager_dispatch_notify_fd function in systemd allows local users to cause a denial of service (system hang) via a zero-length message received over a notify socket, which causes an error to be returned and the notification handler to be disabled.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7796"
},
{
"id": "CVE-2017-1000082",
"summary": "systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. \"0day\"), running the service in question with root privileges rather than the user intended.",
"scorev2": "10.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000082"
},
{
"id": "CVE-2017-15908",
"summary": "In systemd 223 through 235, a remote DNS server can respond with a custom crafted DNS NSEC resource record to trigger an infinite loop in the dns_packet_read_type_window() function of the 'systemd-resolved' service and cause a DoS of the affected service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15908"
},
{
"id": "CVE-2017-18078",
"summary": "systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18078"
},
{
"id": "CVE-2017-9217",
"summary": "systemd-resolved through 233 allows remote attackers to cause a denial of service (daemon crash) via a crafted DNS response with an empty question section.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9217"
},
{
"id": "CVE-2017-9445",
"summary": "In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9445"
},
{
"id": "CVE-2018-1049",
"summary": "In systemd prior to 234 a race condition exists between .mount and .automount units such that automount requests from kernel may not be serviced by systemd resulting in kernel holding the mountpoint and any processes that try to use said mount will hang. A race condition like this may lead to denial of service, until mount points are unmounted.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1049"
},
{
"id": "CVE-2018-15686",
"summary": "A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.",
"scorev2": "7.2",
"scorev3": "7.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15686"
},
{
"id": "CVE-2018-15687",
"summary": "A race condition in chown_one() of systemd allows an attacker to cause systemd to set arbitrary permissions on arbitrary files. Affected releases are systemd versions up to and including 239.",
"scorev2": "6.9",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15687"
},
{
"id": "CVE-2018-15688",
"summary": "A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory in systemd-networkd. Affected releases are systemd: versions up to and including 239.",
"scorev2": "5.8",
"scorev3": "8.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15688"
},
{
"id": "CVE-2018-16864",
"summary": "An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate his privileges. Versions through v240 are vulnerable.",
"scorev2": "4.6",
"scorev3": "7.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16864"
},
{
"id": "CVE-2018-16865",
"summary": "An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. Versions through v240 are vulnerable.",
"scorev2": "4.6",
"scorev3": "7.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16865"
},
{
"id": "CVE-2018-16866",
"summary": "An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.",
"scorev2": "2.1",
"scorev3": "4.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16866"
},
{
"id": "CVE-2018-16888",
"summary": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.",
"scorev2": "1.9",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16888"
},
{
"id": "CVE-2018-20839",
"summary": "systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.",
"scorev2": "4.3",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20839"
},
{
"id": "CVE-2018-21029",
"summary": "systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. Server Name Indication (SNI) is not sent, and there is no hostname validation with the GnuTLS backend. NOTE: This has been disputed by the developer as not a vulnerability since hostname validation does not have anything to do with this issue (i.e. there is no hostname to be sent)",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21029"
},
{
"id": "CVE-2018-6954",
"summary": "systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6954"
},
{
"id": "CVE-2019-15718",
"summary": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.",
"scorev2": "3.6",
"scorev3": "4.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15718"
},
{
"id": "CVE-2019-20386",
"summary": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.",
"scorev2": "2.1",
"scorev3": "2.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20386"
},
{
"id": "CVE-2019-3842",
"summary": "In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the \"allow_active\" element rather than \"allow_any\".",
"scorev2": "4.4",
"scorev3": "4.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3842"
},
{
"id": "CVE-2019-3843",
"summary": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.",
"scorev2": "4.6",
"scorev3": "4.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3843"
},
{
"id": "CVE-2019-3844",
"summary": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.",
"scorev2": "4.6",
"scorev3": "4.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3844"
},
{
"id": "CVE-2019-6454",
"summary": "An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1, causing the stack pointer to jump over the stack guard pages into an unmapped memory region and trigger a denial of service (systemd PID1 crash and kernel panic).",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6454"
},
{
"id": "CVE-2020-13529",
"summary": "An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.",
"scorev2": "2.9",
"scorev3": "6.1",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13529"
},
{
"id": "CVE-2020-13776",
"summary": "systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.",
"scorev2": "6.2",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13776"
},
{
"id": "CVE-2020-1712",
"summary": "A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1712"
},
{
"id": "CVE-2021-33910",
"summary": "basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.",
"scorev2": "4.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33910"
},
{
"id": "CVE-2021-3997",
"summary": "A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many nested directories are created in /tmp.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3997"
},
{
"id": "CVE-2022-2526",
"summary": "A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2526"
},
{
"id": "CVE-2022-3821",
"summary": "An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3821"
},
{
"id": "CVE-2022-4415",
"summary": "A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4415"
},
{
"id": "CVE-2022-45873",
"summary": "systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45873"
},
{
"id": "CVE-2023-26604",
"summary": "systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the \"systemctl status\" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-26604"
},
{
"id": "CVE-2023-31437",
"summary": "An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31437"
},
{
"id": "CVE-2023-31438",
"summary": "An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31438"
},
{
"id": "CVE-2023-31439",
"summary": "An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"",
"scorev2": "0.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31439"
},
{
"id": "CVE-2023-7008",
"summary": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.",
"scorev2": "0.0",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-7008"
}
]
},
{
"name": "systemd-compat-units",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "systemd-compat-units",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "systemd-conf",
"layer": "meta",
"version": "1_1.0",
"products": [
{
"product": "systemd-conf",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "systemd-conf-canbus",
"layer": "meta-agl-core",
"version": "1_1.0",
"products": [
{
"product": "systemd-conf-canbus",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "systemd-selinux-relabel",
"layer": "meta-selinux",
"version": "1.0",
"products": [
{
"product": "systemd-selinux-relabel",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "systemd-serialgetty",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "systemd-serialgetty",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "systemd-systemctl-native",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "systemd-systemctl",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "systemtap",
"layer": "meta",
"version": "5.0",
"products": [
{
"product": "systemtap",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2009-0784",
"summary": "Race condition in the SystemTap stap tool 0.0.20080705 and 0.0.20090314 allows local users in the stapusr group to insert arbitrary SystemTap kernel modules and gain privileges via unknown vectors.",
"scorev2": "6.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0784"
},
{
"id": "CVE-2009-2911",
"summary": "SystemTap 1.0, when the --unprivileged option is used, does not properly restrict certain data sizes, which allows local users to (1) cause a denial of service or gain privileges via a print operation with a large number of arguments that trigger a kernel stack overflow, (2) cause a denial of service via crafted DWARF expressions that trigger a kernel stack frame overflow, or (3) cause a denial of service (infinite loop) via vectors that trigger creation of large unwind tables, related to Common Information Entry (CIE) and Call Frame Instruction (CFI) records.",
"scorev2": "1.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2911"
},
{
"id": "CVE-2009-4273",
"summary": "stap-server in SystemTap before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in stap command-line arguments in a request.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4273"
},
{
"id": "CVE-2010-0411",
"summary": "Multiple integer signedness errors in the (1) __get_argv and (2) __get_compat_argv functions in tapset/aux_syscalls.stp in SystemTap 1.1 allow local users to cause a denial of service (script crash, or system crash or hang) via a process with a large number of arguments, leading to a buffer overflow.",
"scorev2": "4.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0411"
},
{
"id": "CVE-2010-0412",
"summary": "stap-server in SystemTap 1.1 does not properly restrict the value of the -B (aka BUILD) option, which allows attackers to have an unspecified impact via vectors associated with executing the make program, a different vulnerability than CVE-2009-4273.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0412"
},
{
"id": "CVE-2010-4170",
"summary": "The staprun runtime tool in SystemTap 1.3 does not properly clear the environment before executing modprobe, which allows local users to gain privileges by setting the MODPROBE_OPTIONS environment variable to specify a malicious configuration file.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4170"
},
{
"id": "CVE-2010-4171",
"summary": "The staprun runtime tool in SystemTap 1.3 does not verify that a module to unload was previously loaded by SystemTap, which allows local users to cause a denial of service (unloading of arbitrary kernel modules).",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4171"
},
{
"id": "CVE-2011-1769",
"summary": "SystemTap 1.4 and earlier, when unprivileged (aka stapusr) mode is enabled, allows local users to cause a denial of service (divide-by-zero error and OOPS) via a crafted ELF program with DWARF expressions that are not properly handled by a stap script that performs context variable access.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1769"
},
{
"id": "CVE-2011-1781",
"summary": "SystemTap 1.4, when unprivileged (aka stapusr) mode is enabled, allows local users to cause a denial of service (divide-by-zero error and OOPS) via a crafted ELF program with DWARF expressions that are not properly handled by a stap script that performs stack unwinding (aka backtracing).",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1781"
},
{
"id": "CVE-2011-2502",
"summary": "runtime/staprun/staprun_funcs.c in the systemtap runtime tool (staprun) in SystemTap before 1.6 does not properly validate modules when a module path is specified by a user for user-space probing, which allows local users in the stapusr group to gain privileges via a crafted module in the search path in the -u argument.",
"scorev2": "4.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2502"
},
{
"id": "CVE-2011-2503",
"summary": "The insert_module function in runtime/staprun/staprun_funcs.c in the systemtap runtime tool (staprun) in SystemTap before 1.6 does not properly validate a module when loading it, which allows local users to gain privileges via a race condition between the signature validation and the module initialization.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2503"
},
{
"id": "CVE-2012-0875",
"summary": "SystemTap 1.7, 1.6.7, and probably other versions, when unprivileged mode is enabled, allows local users to obtain sensitive information from kernel memory or cause a denial of service (kernel panic and crash) via vectors related to crafted DWARF data, which triggers a read of an invalid pointer.",
"scorev2": "5.4",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0875"
}
]
},
{
"name": "taglib",
"layer": "meta",
"version": "2.0",
"products": [
{
"product": "taglib",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2012-1107",
"summary": "The analyzeCurrent function in ape/apeproperties.cpp in TagLib 1.7 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a crafted sampleRate in an ape file, which triggers a divide-by-zero error.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1107"
},
{
"id": "CVE-2012-1108",
"summary": "The parse function in ogg/xiphcomment.cpp in TagLib 1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted vendorLength field in an ogg file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1108"
},
{
"id": "CVE-2012-1584",
"summary": "Integer overflow in the mid function in toolkit/tbytevector.cpp in TagLib 1.7 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a crafted file header field in a media file, which triggers a large memory allocation.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1584"
},
{
"id": "CVE-2017-12678",
"summary": "In TagLib 1.11.1, the rebuildAggregateFrames function in id3v2framefactory.cpp has a pointer to cast vulnerability, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted audio file.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12678"
},
{
"id": "CVE-2018-11439",
"summary": "The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib 1.11.1 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted audio file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11439"
}
]
},
{
"name": "tar",
"layer": "meta",
"version": "1.35",
"products": [
{
"product": "tar",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2001-1267",
"summary": "Directory traversal vulnerability in GNU tar 1.13.19 and earlier allows local users to overwrite arbitrary files during archive extraction via a tar file whose filenames contain a .. (dot dot).",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1267"
},
{
"id": "CVE-2002-0399",
"summary": "Directory traversal vulnerability in GNU tar 1.13.19 through 1.13.25, and possibly later versions, allows attackers to overwrite arbitrary files during archive extraction via a (1) \"/..\" or (2) \"./..\" string, which removes the leading slash but leaves the \"..\", a variant of CVE-2001-1267.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0399"
},
{
"id": "CVE-2002-1216",
"summary": "GNU tar 1.13.19 and other versions before 1.13.25 allows remote attackers to overwrite arbitrary files via a symlink attack, as the result of a modification that effectively disabled the security check.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1216"
},
{
"id": "CVE-2005-1918",
"summary": "The original patch for a GNU tar directory traversal vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses an \"incorrect optimization\" that allows user-assisted attackers to overwrite arbitrary files via a crafted tar file, probably involving \"/../\" sequences with a leading \"/\".",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1918"
},
{
"id": "CVE-2005-2541",
"summary": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2541"
},
{
"id": "CVE-2006-0300",
"summary": "Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0300"
},
{
"id": "CVE-2006-6097",
"summary": "GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6097"
},
{
"id": "CVE-2007-4131",
"summary": "Directory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4131"
},
{
"id": "CVE-2007-4476",
"summary": "Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a \"crashing stack.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4476"
},
{
"id": "CVE-2010-0624",
"summary": "Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0624"
},
{
"id": "CVE-2016-6321",
"summary": "Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6321"
},
{
"id": "CVE-2018-20482",
"summary": "GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20482"
},
{
"id": "CVE-2019-9923",
"summary": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9923"
},
{
"id": "CVE-2021-20193",
"summary": "A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20193"
},
{
"id": "CVE-2022-48303",
"summary": "GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48303"
}
]
},
{
"name": "target-sdk-provides-dummy",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "target-sdk-provides-dummy",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "tcp-wrappers",
"layer": "meta",
"version": "7.6",
"products": [
{
"product": "tcp-wrappers",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "texinfo-dummy-native",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "texinfo-dummy",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "tiff",
"layer": "meta",
"version": "4.6.0",
"products": [
{
"product": "libtiff",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0803",
"summary": "Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0803"
},
{
"id": "CVE-2004-0804",
"summary": "Vulnerability in tif_dirread.c for libtiff allows remote attackers to cause a denial of service (application crash) via a TIFF image that causes a divide-by-zero error when the number of row bytes is zero, a different vulnerability than CVE-2005-2452.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0804"
},
{
"id": "CVE-2004-0886",
"summary": "Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0886"
},
{
"id": "CVE-2004-0929",
"summary": "Heap-based buffer overflow in the OJPEGVSetField function in tif_ojpeg.c for libtiff 3.6.1 and earlier, when compiled with the OJPEG_SUPPORT (old JPEG support) option, allows remote attackers to execute arbitrary code via a malformed TIFF image.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0929"
},
{
"id": "CVE-2004-1183",
"summary": "Integer overflow in the tiffdump utility for libtiff 3.7.1 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF file.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1183"
},
{
"id": "CVE-2004-1307",
"summary": "Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero byte buffer to be allocated and leads to a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1307"
},
{
"id": "CVE-2004-1308",
"summary": "Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3.5.7 and 3.7.0 allows remote attackers to execute arbitrary code via a TIFF file containing a TIFF_ASCII or TIFF_UNDEFINED directory entry with a -1 entry count, which leads to a heap-based buffer overflow.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1308"
},
{
"id": "CVE-2005-1544",
"summary": "Stack-based buffer overflow in libTIFF before 3.7.2 allows remote attackers to execute arbitrary code via a TIFF file with a malformed BitsPerSample tag.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1544"
},
{
"id": "CVE-2005-2452",
"summary": "libtiff up to 3.7.0 allows remote attackers to cause a denial of service (application crash) via a TIFF image header with a zero \"YCbCr subsampling\" value, which causes a divide-by-zero error in (1) tif_strip.c and (2) tif_tile.c, a different vulnerability than CVE-2004-0804.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2452"
},
{
"id": "CVE-2006-0405",
"summary": "The TIFFFetchShortPair function in tif_dirread.c in libtiff 3.8.0 allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers a NULL pointer dereference, possibly due to changes in type declarations and/or the TIFFVSetField function.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0405"
},
{
"id": "CVE-2006-2024",
"summary": "Multiple vulnerabilities in libtiff before 3.8.1 allow context-dependent attackers to cause a denial of service via a TIFF image that triggers errors in (1) the TIFFFetchAnyArray function in (a) tif_dirread.c; (2) certain \"codec cleanup methods\" in (b) tif_lzw.c, (c) tif_pixarlog.c, and (d) tif_zip.c; (3) and improper restoration of setfield and getfield methods in cleanup functions within (e) tif_jpeg.c, tif_pixarlog.c, (f) tif_fax3.c, and tif_zip.c.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2024"
},
{
"id": "CVE-2006-2025",
"summary": "Integer overflow in the TIFFFetchData function in tif_dirread.c for libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a crafted TIFF image.",
"scorev2": "6.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2025"
},
{
"id": "CVE-2006-2026",
"summary": "Double free vulnerability in tif_jpeg.c in libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers errors related to \"setfield/getfield methods in cleanup functions.\"",
"scorev2": "6.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2026"
},
{
"id": "CVE-2006-2120",
"summary": "The TIFFToRGB function in libtiff before 3.8.1 allows remote attackers to cause a denial of service (crash) via a crafted TIFF image with Yr/Yg/Yb values that exceed the YCR/YCG/YCB values, which triggers an out-of-bounds read.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2120"
},
{
"id": "CVE-2006-2193",
"summary": "Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff 3.8.2 and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a TIFF file with a DocumentName tag that contains UTF-8 characters, which triggers the overflow when a character is sign extended to an integer that produces more digits than expected in an sprintf call.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2193"
},
{
"id": "CVE-2006-2656",
"summary": "Stack-based buffer overflow in the tiffsplit command in libtiff 3.8.2 and earlier might might allow attackers to execute arbitrary code via a long filename. NOTE: tiffsplit is not setuid. If there is not a common scenario under which tiffsplit is called with attacker-controlled command line arguments, then perhaps this issue should not be included in CVE.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2656"
},
{
"id": "CVE-2006-3459",
"summary": "Multiple stack-based buffer overflows in the TIFF library (libtiff) before 3.8.2, as used in Adobe Reader 9.3.0 and other products, allow context-dependent attackers to execute arbitrary code or cause a denial of service via unspecified vectors, including a large tdir_count value in the TIFFFetchShortPair function in tif_dirread.c.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3459"
},
{
"id": "CVE-2006-3460",
"summary": "Heap-based buffer overflow in the JPEG decoder in the TIFF library (libtiff) before 3.8.2 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via an encoded JPEG stream that is longer than the scan line size (TiffScanLineSize).",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3460"
},
{
"id": "CVE-2006-3461",
"summary": "Heap-based buffer overflow in the PixarLog decoder in the TIFF library (libtiff) before 3.8.2 might allow context-dependent attackers to execute arbitrary code via unknown vectors.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3461"
},
{
"id": "CVE-2006-3462",
"summary": "Heap-based buffer overflow in the NeXT RLE decoder in the TIFF library (libtiff) before 3.8.2 might allow context-dependent attackers to execute arbitrary code via unknown vectors involving decoding large RLE images.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3462"
},
{
"id": "CVE-2006-3463",
"summary": "The EstimateStripByteCounts function in TIFF library (libtiff) before 3.8.2 uses a 16-bit unsigned short when iterating over an unsigned 32-bit value, which allows context-dependent attackers to cause a denial of service via a large td_nstrips value, which triggers an infinite loop.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3463"
},
{
"id": "CVE-2006-3464",
"summary": "TIFF library (libtiff) before 3.8.2 allows context-dependent attackers to pass numeric range checks and possibly execute code, and trigger assert errors, via large offset values in a TIFF directory that lead to an integer overflow and other unspecified vectors involving \"unchecked arithmetic operations\".",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3464"
},
{
"id": "CVE-2006-3465",
"summary": "Unspecified vulnerability in the custom tag support for the TIFF library (libtiff) before 3.8.2 allows remote attackers to cause a denial of service (instability or crash) and execute arbitrary code via unknown vectors.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3465"
},
{
"id": "CVE-2008-2327",
"summary": "Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2327"
},
{
"id": "CVE-2009-2285",
"summary": "Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 allows context-dependent attackers to cause a denial of service (crash) via a crafted TIFF image, a different vulnerability than CVE-2008-2327.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2285"
},
{
"id": "CVE-2009-2347",
"summary": "Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2347"
},
{
"id": "CVE-2009-5022",
"summary": "Heap-based buffer overflow in tif_ojpeg.c in the OJPEG decoder in LibTIFF before 3.9.5 allows remote attackers to execute arbitrary code via a crafted TIFF file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5022"
},
{
"id": "CVE-2010-2065",
"summary": "Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF file that triggers a buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2065"
},
{
"id": "CVE-2010-2067",
"summary": "Stack-based buffer overflow in the TIFFFetchSubjectDistance function in tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long EXIF SubjectDistance field in a TIFF file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2067"
},
{
"id": "CVE-2010-2233",
"summary": "tif_getimage.c in LibTIFF 3.9.0 and 3.9.2 on 64-bit platforms, as used in ImageMagick, does not properly perform vertical flips, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF image, related to \"downsampled OJPEG input.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2233"
},
{
"id": "CVE-2010-2443",
"summary": "The OJPEGReadBufferFill function in tif_ojpeg.c in LibTIFF before 3.9.3 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an OJPEG image with undefined strip offsets, related to the TIFFVGetField function.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2443"
},
{
"id": "CVE-2010-2481",
"summary": "The TIFFExtractData macro in LibTIFF before 3.9.4 does not properly handle unknown tag types in TIFF directory entries, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted TIFF file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2481"
},
{
"id": "CVE-2010-2482",
"summary": "LibTIFF 3.9.4 and earlier does not properly handle an invalid td_stripbytecount field, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted TIFF file, a different vulnerability than CVE-2010-2443.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2482"
},
{
"id": "CVE-2010-2483",
"summary": "The TIFFRGBAImageGet function in LibTIFF 3.9.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a TIFF file with an invalid combination of SamplesPerPixel and Photometric values.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2483"
},
{
"id": "CVE-2010-2595",
"summary": "The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as used in ImageMagick, does not properly handle invalid ReferenceBlackWhite values, which allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers an array index error, related to \"downsampled OJPEG input.\"",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2595"
},
{
"id": "CVE-2010-2596",
"summary": "The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and 3.9.2, as used in tiff2ps, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF image, related to \"downsampled OJPEG input.\"",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2596"
},
{
"id": "CVE-2010-2597",
"summary": "The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0 and 3.9.2 makes incorrect calls to the TIFFGetField function, which allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image, related to \"downsampled OJPEG input\" and possibly related to a compiler optimization that triggers a divide-by-zero error.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2597"
},
{
"id": "CVE-2010-2630",
"summary": "The TIFFReadDirectory function in LibTIFF 3.9.0 does not properly validate the data types of codec-specific tags that have an out-of-order position in a TIFF file, which allows remote attackers to cause a denial of service (application crash) via a crafted file, a different vulnerability than CVE-2010-2481.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2630"
},
{
"id": "CVE-2010-2631",
"summary": "LibTIFF 3.9.0 ignores tags in certain situations during the first stage of TIFF file processing and does not properly handle this during the second stage, which allows remote attackers to cause a denial of service (application crash) via a crafted file, a different vulnerability than CVE-2010-2481.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2631"
},
{
"id": "CVE-2010-3087",
"summary": "LibTIFF before 3.9.2-5.2.1 in SUSE openSUSE 11.3 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted TIFF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3087"
},
{
"id": "CVE-2010-4665",
"summary": "Integer overflow in the ReadDirectory function in tiffdump.c in tiffdump in LibTIFF before 3.9.5 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TIFF file containing a directory data structure with many directory entries.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4665"
},
{
"id": "CVE-2011-1167",
"summary": "Heap-based buffer overflow in the thunder (aka ThunderScan) decoder in tif_thunder.c in LibTIFF 3.9.4 and earlier allows remote attackers to execute arbitrary code via crafted THUNDER_2BITDELTAS data in a .tiff file that has an unexpected BitsPerSample value.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1167"
},
{
"id": "CVE-2012-1173",
"summary": "Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow remote attackers to execute arbitrary code via a crafted tile size in a TIFF file, which is not properly handled by the (1) gtTileSeparate or (2) gtStripSeparate function, leading to a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1173"
},
{
"id": "CVE-2012-2088",
"summary": "Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in libtiff 3.9.4 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a negative tile depth in a tiff image, which triggers an improper conversion between signed and unsigned types, leading to a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2088"
},
{
"id": "CVE-2012-2113",
"summary": "Multiple integer overflows in tiff2pdf in libtiff before 4.0.2 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2113"
},
{
"id": "CVE-2012-3401",
"summary": "The t2p_read_tiff_init function in tiff2pdf (tools/tiff2pdf.c) in LibTIFF 4.0.2 and earlier does not properly initialize the T2P context struct pointer in certain error conditions, which allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3401"
},
{
"id": "CVE-2012-4447",
"summary": "Heap-based buffer overflow in tif_pixarlog.c in LibTIFF before 4.0.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF image using the PixarLog Compression format.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4447"
},
{
"id": "CVE-2012-4564",
"summary": "ppm2tiff does not check the return value of the TIFFScanlineSize function, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PPM image that triggers an integer overflow, a zero-memory allocation, and a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4564"
},
{
"id": "CVE-2012-5581",
"summary": "Stack-based buffer overflow in tif_dir.c in LibTIFF before 4.0.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DOTRANGE tag in a TIFF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5581"
},
{
"id": "CVE-2013-1960",
"summary": "Heap-based buffer overflow in the t2p_process_jpeg_strip function in tiff2pdf in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1960"
},
{
"id": "CVE-2013-1961",
"summary": "Stack-based buffer overflow in the t2p_write_pdf_page function in tiff2pdf in libtiff before 4.0.3 allows remote attackers to cause a denial of service (application crash) via a crafted image length and resolution in a TIFF image file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1961"
},
{
"id": "CVE-2013-4231",
"summary": "Multiple buffer overflows in libtiff before 4.0.3 allow remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) extension block in a GIF image or (2) GIF raster image to tools/gif2tiff.c or (3) a long filename for a TIFF image to tools/rgb2ycbcr.c. NOTE: vectors 1 and 3 are disputed by Red Hat, which states that the input cannot exceed the allocated buffer size.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4231"
},
{
"id": "CVE-2013-4232",
"summary": "Use-after-free vulnerability in the t2p_readwrite_pdf_image function in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted TIFF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4232"
},
{
"id": "CVE-2013-4243",
"summary": "Heap-based buffer overflow in the readgifimage function in the gif2tiff tool in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted height and width values in a GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4243"
},
{
"id": "CVE-2013-4244",
"summary": "The LZW decompressor in the gif2tiff tool in libtiff 4.0.3 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4244"
},
{
"id": "CVE-2014-8127",
"summary": "LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted TIFF image to the (1) checkInkNamesString function in tif_dir.c in the thumbnail tool, (2) compresscontig function in tiff2bw.c in the tiff2bw tool, (3) putcontig8bitCIELab function in tif_getimage.c in the tiff2rgba tool, LZWPreDecode function in tif_lzw.c in the (4) tiff2ps or (5) tiffdither tool, (6) NeXTDecode function in tif_next.c in the tiffmedian tool, or (7) TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8127"
},
{
"id": "CVE-2014-8128",
"summary": "LibTIFF prior to 4.0.4, as used in Apple iOS before 8.4 and OS X before 10.10.4 and other products, allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8128"
},
{
"id": "CVE-2014-8129",
"summary": "LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by failure of tif_next.c to verify that the BitsPerSample value is 2, and the t2p_sample_lab_signed_to_unsigned function in tiff2pdf.c.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8129"
},
{
"id": "CVE-2014-8130",
"summary": "The _TIFFmalloc function in tif_unix.c in LibTIFF 4.0.3 does not reject a zero size, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image that is mishandled by the TIFFWriteScanline function in tif_write.c, as demonstrated by tiffdither.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8130"
},
{
"id": "CVE-2014-9330",
"summary": "Integer overflow in tif_packbits.c in bmp2tif in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) via crafted BMP image, related to dimensions, which triggers an out-of-bounds read.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9330"
},
{
"id": "CVE-2014-9655",
"summary": "The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2) NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff-cvs-1.tif and libtiff-cvs-2.tif.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9655"
},
{
"id": "CVE-2015-1547",
"summary": "The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff5.tif.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1547"
},
{
"id": "CVE-2015-7313",
"summary": "LibTIFF allows remote attackers to cause a denial of service (memory consumption and crash) via a crafted tiff file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7313",
"detail": "fixed-version",
"description": "Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue"
},
{
"id": "CVE-2015-7554",
"summary": "The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7554"
},
{
"id": "CVE-2015-8665",
"summary": "tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via the SamplesPerPixel tag in a TIFF image.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8665"
},
{
"id": "CVE-2015-8668",
"summary": "Heap-based buffer overflow in the PackBitsPreEncode function in tif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier allows remote attackers to execute arbitrary code or cause a denial of service via a large width field in a BMP image.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8668"
},
{
"id": "CVE-2015-8683",
"summary": "The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a packed TIFF image.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8683"
},
{
"id": "CVE-2015-8781",
"summary": "tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds write) via an invalid number of samples per pixel in a LogL compressed TIFF image, a different vulnerability than CVE-2015-8782.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8781"
},
{
"id": "CVE-2015-8782",
"summary": "tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via a crafted TIFF image, a different vulnerability than CVE-2015-8781.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8782"
},
{
"id": "CVE-2015-8783",
"summary": "tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds reads) via a crafted TIFF image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8783"
},
{
"id": "CVE-2015-8784",
"summary": "The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image, as demonstrated by libtiff5.tif.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8784"
},
{
"id": "CVE-2015-8870",
"summary": "Integer overflow in tools/bmp2tiff.c in LibTIFF before 4.0.4 allows remote attackers to cause a denial of service (heap-based buffer over-read), or possibly obtain sensitive information from process memory, via crafted width and length values in RLE4 or RLE8 data in a BMP file.",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8870"
},
{
"id": "CVE-2016-10092",
"summary": "Heap-based buffer overflow in the readContigStripsIntoBuffer function in tif_unix.c in LibTIFF 4.0.7, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5 and 4.0.6 allows remote attackers to have unspecified impact via a crafted image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10092"
},
{
"id": "CVE-2016-10093",
"summary": "Integer overflow in tools/tiffcp.c in LibTIFF 4.0.7, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5 and 4.0.6 allows remote attackers to have unspecified impact via a crafted image, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10093"
},
{
"id": "CVE-2016-10094",
"summary": "Off-by-one error in the t2p_readwrite_pdf_image_tile function in tools/tiff2pdf.c in LibTIFF 4.0.7 allows remote attackers to have unspecified impact via a crafted image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10094"
},
{
"id": "CVE-2016-10095",
"summary": "Stack-based buffer overflow in the _TIFFVGetField function in tif_dir.c in LibTIFF 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7 and 4.0.8 allows remote attackers to cause a denial of service (crash) via a crafted TIFF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10095"
},
{
"id": "CVE-2016-10266",
"summary": "LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10266"
},
{
"id": "CVE-2016-10267",
"summary": "LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10267"
},
{
"id": "CVE-2016-10268",
"summary": "tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (integer underflow and heap-based buffer under-read) or possibly have unspecified other impact via a crafted TIFF image, related to \"READ of size 78490\" and libtiff/tif_unix.c:115:23.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10268"
},
{
"id": "CVE-2016-10269",
"summary": "LibTIFF 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6 and 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to \"READ of size 512\" and libtiff/tif_unix.c:340:2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10269"
},
{
"id": "CVE-2016-10270",
"summary": "LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to \"READ of size 8\" and libtiff/tif_read.c:523:22.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10270"
},
{
"id": "CVE-2016-10271",
"summary": "tools/tiffcrop.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read and buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to \"READ of size 1\" and libtiff/tif_fax3.c:413:13.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10271"
},
{
"id": "CVE-2016-10272",
"summary": "LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to \"WRITE of size 2048\" and libtiff/tif_next.c:64:9.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10272"
},
{
"id": "CVE-2016-10371",
"summary": "The TIFFWriteDirectoryTagCheckedRational function in tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10371"
},
{
"id": "CVE-2016-3186",
"summary": "Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file.",
"scorev2": "5.0",
"scorev3": "6.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3186"
},
{
"id": "CVE-2016-3619",
"summary": "The DumpModeEncode function in tif_dumpmode.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the \"-c none\" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3619"
},
{
"id": "CVE-2016-3620",
"summary": "The ZIPEncode function in tif_zip.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the \"-c zip\" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3620"
},
{
"id": "CVE-2016-3621",
"summary": "The LZWEncode function in tif_lzw.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the \"-c lzw\" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3621"
},
{
"id": "CVE-2016-3622",
"summary": "The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted TIFF image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3622"
},
{
"id": "CVE-2016-3623",
"summary": "The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero) by setting the (1) v or (2) h parameter to 0.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3623"
},
{
"id": "CVE-2016-3624",
"summary": "The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the \"-v\" option to -1.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3624"
},
{
"id": "CVE-2016-3625",
"summary": "tif_read.c in the tiff2bw tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TIFF image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3625"
},
{
"id": "CVE-2016-3631",
"summary": "The (1) cpStrips and (2) cpTiles functions in the thumbnail tool in LibTIFF 4.0.6 and earlier allow remote attackers to cause a denial of service (out-of-bounds read) via vectors related to the bytecounts[] array variable.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3631"
},
{
"id": "CVE-2016-3632",
"summary": "The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3632"
},
{
"id": "CVE-2016-3633",
"summary": "The setrow function in the thumbnail tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to the src variable.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3633"
},
{
"id": "CVE-2016-3634",
"summary": "The tagCompare function in tif_dirinfo.c in the thumbnail tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to field_tag matching.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3634"
},
{
"id": "CVE-2016-3658",
"summary": "The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving the ma variable.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3658"
},
{
"id": "CVE-2016-3945",
"summary": "Multiple integer overflows in the (1) cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image, which triggers an out-of-bounds write.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3945"
},
{
"id": "CVE-2016-3990",
"summary": "Heap-based buffer overflow in the horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image to tiffcp.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3990"
},
{
"id": "CVE-2016-3991",
"summary": "Heap-based buffer overflow in the loadImage function in the tiffcrop tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image with zero tiles.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3991"
},
{
"id": "CVE-2016-5102",
"summary": "Buffer overflow in the readgifimage function in gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (segmentation fault) via a crafted gif file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5102"
},
{
"id": "CVE-2016-5314",
"summary": "Buffer overflow in the PixarLogDecode function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by overwriting the vgetparent function pointer with rgb2ycbcr.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5314"
},
{
"id": "CVE-2016-5315",
"summary": "The setByteArray function in tif_dir.c in libtiff 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tiff image.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5315"
},
{
"id": "CVE-2016-5316",
"summary": "Out-of-bounds read in the PixarLogCleanup function in tif_pixarlog.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application by sending a crafted TIFF image to the rgb2ycbcr tool.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5316"
},
{
"id": "CVE-2016-5317",
"summary": "Buffer overflow in the PixarLogDecode function in libtiff.so in the PixarLogDecode function in libtiff 4.0.6 and earlier, as used in GNOME nautilus, allows attackers to cause a denial of service attack (crash) via a crafted TIFF file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5317"
},
{
"id": "CVE-2016-5318",
"summary": "Stack-based buffer overflow in the _TIFFVGetField function in libtiff 4.0.6 and earlier allows remote attackers to crash the application via a crafted tiff.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5318"
},
{
"id": "CVE-2016-5319",
"summary": "Heap-based buffer overflow in tif_packbits.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application via a crafted bmp file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5319"
},
{
"id": "CVE-2016-5321",
"summary": "The DumpModeDecode function in libtiff 4.0.6 and earlier allows attackers to cause a denial of service (invalid read and crash) via a crafted tiff image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5321"
},
{
"id": "CVE-2016-5322",
"summary": "The setByteArray function in tif_dir.c in libtiff 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tiff image.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5322"
},
{
"id": "CVE-2016-5323",
"summary": "The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5323"
},
{
"id": "CVE-2016-5652",
"summary": "An exploitable heap-based buffer overflow exists in the handling of TIFF images in LibTIFF's TIFF2PDF tool. A crafted TIFF document can lead to a heap-based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved TIFF file delivered by other means.",
"scorev2": "6.8",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5652"
},
{
"id": "CVE-2016-6223",
"summary": "The TIFFReadRawStrip1 and TIFFReadRawTile1 functions in tif_read.c in libtiff before 4.0.7 allows remote attackers to cause a denial of service (crash) or possibly obtain sensitive information via a negative index in a file-content buffer.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6223"
},
{
"id": "CVE-2016-8331",
"summary": "An exploitable remote code execution vulnerability exists in the handling of TIFF images in LibTIFF version 4.0.6. A crafted TIFF document can lead to a type confusion vulnerability resulting in remote code execution. This vulnerability can be triggered via a TIFF file delivered to the application using LibTIFF's tag extension functionality.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8331"
},
{
"id": "CVE-2016-9273",
"summary": "tiffsplit in libtiff 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file, related to changing td_nstrips in TIFF_STRIPCHOP mode.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9273"
},
{
"id": "CVE-2016-9297",
"summary": "The TIFFFetchNormalTag function in LibTiff 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via crafted TIFF_SETGET_C16ASCII or TIFF_SETGET_C32_ASCII tag values.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9297"
},
{
"id": "CVE-2016-9448",
"summary": "The TIFFFetchNormalTag function in LibTiff 4.0.6 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by setting the tags TIFF_SETGET_C16ASCII or TIFF_SETGET_C32_ASCII to values that access 0-byte arrays. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9297.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9448"
},
{
"id": "CVE-2016-9453",
"summary": "The t2p_readwrite_pdf_image_tile function in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a JPEG file with a TIFFTAG_JPEGTABLES of length one.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9453"
},
{
"id": "CVE-2016-9532",
"summary": "Integer overflow in the writeBufferToSeparateStrips function in tiffcrop.c in LibTIFF before 4.0.7 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tif file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9532"
},
{
"id": "CVE-2016-9533",
"summary": "tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers. Reported as MSVR 35094, aka \"PixarLog horizontalDifference heap-buffer-overflow.\"",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9533"
},
{
"id": "CVE-2016-9534",
"summary": "tif_write.c in libtiff 4.0.6 has an issue in the error code path of TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members. Reported as MSVR 35095, aka \"TIFFFlushData1 heap-buffer-overflow.\"",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9534"
},
{
"id": "CVE-2016-9535",
"summary": "tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka \"Predictor heap-buffer-overflow.\"",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9535"
},
{
"id": "CVE-2016-9536",
"summary": "tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers in t2p_process_jpeg_strip(). Reported as MSVR 35098, aka \"t2p_process_jpeg_strip heap-buffer-overflow.\"",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9536"
},
{
"id": "CVE-2016-9537",
"summary": "tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in buffers. Reported as MSVR 35093, MSVR 35096, and MSVR 35097.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9537"
},
{
"id": "CVE-2016-9538",
"summary": "tools/tiffcrop.c in libtiff 4.0.6 reads an undefined buffer in readContigStripsIntoBuffer() because of a uint16 integer overflow. Reported as MSVR 35100.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9538"
},
{
"id": "CVE-2016-9539",
"summary": "tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in readContigTilesIntoBuffer(). Reported as MSVR 35092.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9539"
},
{
"id": "CVE-2016-9540",
"summary": "tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled images with odd tile width versus image width. Reported as MSVR 35103, aka \"cpStripToTile heap-buffer-overflow.\"",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9540"
},
{
"id": "CVE-2017-10688",
"summary": "In LibTIFF 4.0.8, there is a assertion abort in the TIFFWriteDirectoryTagCheckedLong8Array function in tif_dirwrite.c. A crafted input will lead to a remote denial of service attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10688"
},
{
"id": "CVE-2017-11335",
"summary": "There is a heap based buffer overflow in tools/tiff2pdf.c of LibTIFF 4.0.8 via a PlanarConfig=Contig image, which causes a more than one hundred bytes out-of-bounds write (related to the ZIPDecode function in tif_zip.c). A crafted input may lead to a remote denial of service attack or an arbitrary code execution attack.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11335"
},
{
"id": "CVE-2017-11613",
"summary": "In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11613"
},
{
"id": "CVE-2017-12944",
"summary": "The TIFFReadDirEntryArray function in tif_read.c in LibTIFF 4.0.8 mishandles memory allocation for short files, which allows remote attackers to cause a denial of service (allocation failure and application crash) in the TIFFFetchStripThing function in tif_dirread.c during a tiff2pdf invocation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12944"
},
{
"id": "CVE-2017-13726",
"summary": "There is a reachable assertion abort in the function TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13726"
},
{
"id": "CVE-2017-13727",
"summary": "There is a reachable assertion abort in the function TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13727"
},
{
"id": "CVE-2017-16232",
"summary": "LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16232"
},
{
"id": "CVE-2017-17095",
"summary": "tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (TIFFSetupStrips heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17095"
},
{
"id": "CVE-2017-17942",
"summary": "In LibTIFF 4.0.9, there is a heap-based buffer over-read in the function PackBitsEncode in tif_packbits.c.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17942"
},
{
"id": "CVE-2017-17973",
"summary": "In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17973"
},
{
"id": "CVE-2017-18013",
"summary": "In LibTIFF 4.0.9, there is a Null-Pointer Dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18013"
},
{
"id": "CVE-2017-5225",
"summary": "LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5225"
},
{
"id": "CVE-2017-5563",
"summary": "LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5563"
},
{
"id": "CVE-2017-7592",
"summary": "The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7592"
},
{
"id": "CVE-2017-7593",
"summary": "tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7593"
},
{
"id": "CVE-2017-7594",
"summary": "The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7594"
},
{
"id": "CVE-2017-7595",
"summary": "The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7595"
},
{
"id": "CVE-2017-7596",
"summary": "LibTIFF 4.0.7 has an \"outside the range of representable values of type float\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7596"
},
{
"id": "CVE-2017-7597",
"summary": "tif_dirread.c in LibTIFF 4.0.7 has an \"outside the range of representable values of type float\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7597"
},
{
"id": "CVE-2017-7598",
"summary": "tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.",
"scorev2": "4.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7598"
},
{
"id": "CVE-2017-7599",
"summary": "LibTIFF 4.0.7 has an \"outside the range of representable values of type short\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7599"
},
{
"id": "CVE-2017-7600",
"summary": "LibTIFF 4.0.7 has an \"outside the range of representable values of type unsigned char\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7600"
},
{
"id": "CVE-2017-7601",
"summary": "LibTIFF 4.0.7 has a \"shift exponent too large for 64-bit type long\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7601"
},
{
"id": "CVE-2017-7602",
"summary": "LibTIFF 4.0.7 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7602"
},
{
"id": "CVE-2017-9117",
"summary": "In LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, leading to a heap-based buffer over-read in bmp2tiff.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9117"
},
{
"id": "CVE-2017-9147",
"summary": "LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function in tif_dir.c, which might allow remote attackers to cause a denial of service (crash) via a crafted TIFF file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9147"
},
{
"id": "CVE-2017-9403",
"summary": "In LibTIFF 4.0.7, a memory leak vulnerability was found in the function TIFFReadDirEntryLong8Array in tif_dirread.c, which allows attackers to cause a denial of service via a crafted file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9403"
},
{
"id": "CVE-2017-9404",
"summary": "In LibTIFF 4.0.7, a memory leak vulnerability was found in the function OJPEGReadHeaderInfoSecTablesQTable in tif_ojpeg.c, which allows attackers to cause a denial of service via a crafted file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9404"
},
{
"id": "CVE-2017-9815",
"summary": "In LibTIFF 4.0.7, the TIFFReadDirEntryLong8Array function in libtiff/tif_dirread.c mishandles a malloc operation, which allows attackers to cause a denial of service (memory leak within the function _TIFFmalloc in tif_unix.c) via a crafted file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9815"
},
{
"id": "CVE-2017-9935",
"summary": "In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9935"
},
{
"id": "CVE-2017-9936",
"summary": "In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c. A crafted TIFF document can lead to a memory leak resulting in a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9936"
},
{
"id": "CVE-2017-9937",
"summary": "In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9937"
},
{
"id": "CVE-2018-10126",
"summary": "LibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10126"
},
{
"id": "CVE-2018-10779",
"summary": "TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a heap-based buffer over-read, as demonstrated by bmp2tiff.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10779"
},
{
"id": "CVE-2018-10801",
"summary": "TIFFClientOpen in tif_unix.c in LibTIFF 3.8.2 has memory leaks, as demonstrated by bmp2tiff.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10801"
},
{
"id": "CVE-2018-10963",
"summary": "The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10963"
},
{
"id": "CVE-2018-12900",
"summary": "Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0beta7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12900"
},
{
"id": "CVE-2018-15209",
"summary": "ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15209"
},
{
"id": "CVE-2018-16335",
"summary": "newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16335"
},
{
"id": "CVE-2018-17000",
"summary": "A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c (called from TIFFWriteDirectoryTagTransferfunction) in LibTIFF 4.0.9 allows an attacker to cause a denial-of-service through a crafted tiff file. This vulnerability can be triggered by the executable tiffcp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17000"
},
{
"id": "CVE-2018-17100",
"summary": "An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17100"
},
{
"id": "CVE-2018-17101",
"summary": "An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17101"
},
{
"id": "CVE-2018-17795",
"summary": "The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 and earlier allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17795"
},
{
"id": "CVE-2018-18557",
"summary": "LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18557"
},
{
"id": "CVE-2018-18661",
"summary": "An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18661"
},
{
"id": "CVE-2018-19210",
"summary": "In LibTIFF 4.0.9, there is a NULL pointer dereference in the TIFFWriteDirectorySec function in tif_dirwrite.c that will lead to a denial of service attack, as demonstrated by tiffset.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19210"
},
{
"id": "CVE-2018-5360",
"summary": "LibTIFF before 4.0.6 mishandles the reading of TIFF files, as demonstrated by a heap-based buffer over-read in the ReadTIFFImage function in coders/tiff.c in GraphicsMagick 1.3.27.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5360"
},
{
"id": "CVE-2018-5784",
"summary": "In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5784"
},
{
"id": "CVE-2018-7456",
"summary": "A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7456"
},
{
"id": "CVE-2018-8905",
"summary": "In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8905"
},
{
"id": "CVE-2019-14973",
"summary": "_TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through 4.0.10 mishandle Integer Overflow checks because they rely on compiler behavior that is undefined by the applicable C standards. This can, for example, lead to an application crash.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14973"
},
{
"id": "CVE-2019-17546",
"summary": "tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a \"Negative-size-param\" condition.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17546"
},
{
"id": "CVE-2019-6128",
"summary": "The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10 has a memory leak, as demonstrated by pal2rgb.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6128"
},
{
"id": "CVE-2019-7663",
"summary": "An Invalid Address dereference was discovered in TIFFWriteDirectoryTagTransferfunction in libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the cpSeparateBufToContigBuf function in tiffcp.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file. This is different from CVE-2018-12900.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7663"
},
{
"id": "CVE-2020-18768",
"summary": "There exists one heap buffer overflow in _TIFFmemcpy in tif_unix.c in libtiff 4.0.10, which allows an attacker to cause a denial-of-service through a crafted tiff file.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-18768"
},
{
"id": "CVE-2020-19131",
"summary": "Buffer Overflow in LibTiff v4.0.10 allows attackers to cause a denial of service via the \"invertImage()\" function in the component \"tiffcrop\".",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19131"
},
{
"id": "CVE-2020-19143",
"summary": "Buffer Overflow in LibTiff v4.0.10 allows attackers to cause a denial of service via the \"TIFFVGetField\" funtion in the component 'libtiff/tif_dir.c'.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19143"
},
{
"id": "CVE-2020-19144",
"summary": "Buffer Overflow in LibTiff v4.0.10 allows attackers to cause a denial of service via the 'in _TIFFmemcpy' funtion in the component 'tif_unix.c'.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19144"
},
{
"id": "CVE-2020-35521",
"summary": "A flaw was found in libtiff. Due to a memory allocation failure in tif_read.c, a crafted TIFF file can lead to an abort, resulting in denial of service.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35521"
},
{
"id": "CVE-2020-35522",
"summary": "In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35522"
},
{
"id": "CVE-2020-35523",
"summary": "An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. This flaw allows an attacker to inject and execute arbitrary code when a user opens a crafted TIFF file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35523"
},
{
"id": "CVE-2020-35524",
"summary": "A heap-based buffer overflow flaw was found in libtiff in the handling of TIFF images in libtiff's TIFF2PDF tool. A specially crafted TIFF file can lead to arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35524"
},
{
"id": "CVE-2022-0561",
"summary": "Null source pointer passed as an argument to memcpy() function within TIFFFetchStripThing() in tif_dirread.c in libtiff versions from 3.9.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, the fix is available with commit eecb0712.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0561"
},
{
"id": "CVE-2022-0562",
"summary": "Null source pointer passed as an argument to memcpy() function within TIFFReadDirectory() in tif_dirread.c in libtiff versions from 4.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, a fix is available with commit 561599c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0562"
},
{
"id": "CVE-2022-0865",
"summary": "Reachable Assertion in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 5e180045.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0865"
},
{
"id": "CVE-2022-0891",
"summary": "A heap buffer overflow in ExtractImageSection function in tiffcrop.c in libtiff library Version 4.3.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact",
"scorev2": "5.8",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0891"
},
{
"id": "CVE-2022-0907",
"summary": "Unchecked Return Value to NULL Pointer Dereference in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f2b656e2.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0907"
},
{
"id": "CVE-2022-0908",
"summary": "Null source pointer passed as an argument to memcpy() function within TIFFFetchNormalTag () in tif_dirread.c in libtiff versions up to 4.3.0 could lead to Denial of Service via crafted TIFF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0908"
},
{
"id": "CVE-2022-0909",
"summary": "Divide By Zero error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f8d0f9aa.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0909"
},
{
"id": "CVE-2022-0924",
"summary": "Out-of-bounds Read error in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 408976c4.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0924"
},
{
"id": "CVE-2022-1056",
"summary": "Out-of-bounds Read error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 46dc8fcd.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1056"
},
{
"id": "CVE-2022-1210",
"summary": "A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1210"
},
{
"id": "CVE-2022-1354",
"summary": "A heap buffer overflow flaw was found in Libtiffs' tiffinfo.c in TIFFReadRawDataStriped() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffinfo tool, triggering a heap buffer overflow issue and causing a crash that leads to a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1354"
},
{
"id": "CVE-2022-1355",
"summary": "A stack buffer overflow flaw was found in Libtiffs' tiffcp.c in main() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffcp tool, triggering a stack buffer overflow issue, possibly corrupting the memory, and causing a crash that leads to a denial of service.",
"scorev2": "0.0",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1355"
},
{
"id": "CVE-2022-1622",
"summary": "LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1622"
},
{
"id": "CVE-2022-1623",
"summary": "LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:624, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1623"
},
{
"id": "CVE-2022-2056",
"summary": "Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2056"
},
{
"id": "CVE-2022-2057",
"summary": "Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2057"
},
{
"id": "CVE-2022-2058",
"summary": "Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2058"
},
{
"id": "CVE-2022-22844",
"summary": "LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22844"
},
{
"id": "CVE-2022-2519",
"summary": "There is a double free or corruption in rotateImage() at tiffcrop.c:8839 found in libtiff 4.4.0rc1",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2519"
},
{
"id": "CVE-2022-2520",
"summary": "A flaw was found in libtiff 4.4.0rc1. There is a sysmalloc assertion fail in rotateImage() at tiffcrop.c:8621 that can cause program crash when reading a crafted input.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2520"
},
{
"id": "CVE-2022-2521",
"summary": "It was found in libtiff 4.4.0rc1 that there is an invalid pointer free operation in TIFFClose() at tif_close.c:131 called by tiffcrop.c:2522 that can cause a program crash and denial of service while processing crafted input.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2521"
},
{
"id": "CVE-2022-2867",
"summary": "libtiff's tiffcrop utility has a uint32_t underflow that can lead to out of bounds read and write. An attacker who supplies a crafted file to tiffcrop (likely via tricking a user to run tiffcrop on it with certain parameters) could cause a crash or in some cases, further exploitation.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2867"
},
{
"id": "CVE-2022-2868",
"summary": "libtiff's tiffcrop utility has a improper input validation flaw that can lead to out of bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2868"
},
{
"id": "CVE-2022-2869",
"summary": "libtiff's tiffcrop tool has a uint32_t underflow which leads to out of bounds read and write in the extractContigSamples8bits routine. An attacker who supplies a crafted file to tiffcrop could trigger this flaw, most likely by tricking a user into opening the crafted file with tiffcrop. Triggering this flaw could cause a crash or potentially further exploitation.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2869"
},
{
"id": "CVE-2022-2953",
"summary": "LibTIFF 4.4.0 has an out-of-bounds read in extractImageSection in tools/tiffcrop.c:6905, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 48d6ece8.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2953"
},
{
"id": "CVE-2022-34266",
"summary": "The libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2 allows attackers to cause a denial of service (application crash), a different vulnerability than CVE-2022-0562. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif_dirread.c. This will cause TIFFFetchStripThing() to segfault after use of an uninitialized resource.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-34266"
},
{
"id": "CVE-2022-34526",
"summary": "A stack overflow was discovered in the _TIFFVGetField function of Tiffsplit v4.4.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted TIFF file parsed by the \"tiffsplit\" or \"tiffcrop\" utilities.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-34526"
},
{
"id": "CVE-2022-3570",
"summary": "Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3570"
},
{
"id": "CVE-2022-3597",
"summary": "LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6826, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3597"
},
{
"id": "CVE-2022-3598",
"summary": "LibTIFF 4.4.0 has an out-of-bounds write in extractContigSamplesShifted24bits in tools/tiffcrop.c:3604, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit cfbb883b.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3598"
},
{
"id": "CVE-2022-3599",
"summary": "LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in tools/tiffcrop.c:7345, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3599"
},
{
"id": "CVE-2022-3626",
"summary": "LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemset in libtiff/tif_unix.c:340 when called from processCropSelections, tools/tiffcrop.c:7619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3626"
},
{
"id": "CVE-2022-3627",
"summary": "LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6860, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3627"
},
{
"id": "CVE-2022-3970",
"summary": "A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3970"
},
{
"id": "CVE-2022-40090",
"summary": "An issue was discovered in function TIFFReadDirectory libtiff before 4.4.0 allows attackers to cause a denial of service via crafted TIFF file.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40090"
},
{
"id": "CVE-2022-4645",
"summary": "LibTIFF 4.4.0 has an out-of-bounds read in tiffcp in tools/tiffcp.c:948, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4645"
},
{
"id": "CVE-2022-48281",
"summary": "processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g., \"WRITE of size 307203\") via a crafted TIFF image.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48281"
},
{
"id": "CVE-2023-0795",
"summary": "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3488, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0795"
},
{
"id": "CVE-2023-0796",
"summary": "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3592, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0796"
},
{
"id": "CVE-2023-0797",
"summary": "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6921, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0797"
},
{
"id": "CVE-2023-0798",
"summary": "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3400, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0798"
},
{
"id": "CVE-2023-0799",
"summary": "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3701, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0799"
},
{
"id": "CVE-2023-0800",
"summary": "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3502, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0800"
},
{
"id": "CVE-2023-0801",
"summary": "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6778, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0801"
},
{
"id": "CVE-2023-0802",
"summary": "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3724, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0802"
},
{
"id": "CVE-2023-0803",
"summary": "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3516, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0803"
},
{
"id": "CVE-2023-0804",
"summary": "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3609, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0804"
},
{
"id": "CVE-2023-1916",
"summary": "A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.",
"scorev2": "0.0",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1916"
},
{
"id": "CVE-2023-25433",
"summary": "libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25433"
},
{
"id": "CVE-2023-25434",
"summary": "libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesBytes() at /libtiff/tools/tiffcrop.c:3215.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25434"
},
{
"id": "CVE-2023-25435",
"summary": "libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25435"
},
{
"id": "CVE-2023-26965",
"summary": "loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-26965"
},
{
"id": "CVE-2023-26966",
"summary": "libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-26966"
},
{
"id": "CVE-2023-2731",
"summary": "A NULL pointer dereference flaw was found in Libtiff's LZWDecode() function in the libtiff/tif_lzw.c file. This flaw allows a local attacker to craft specific input data that can cause the program to dereference a NULL pointer when decompressing a TIFF format file, resulting in a program crash or denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2731"
},
{
"id": "CVE-2023-2908",
"summary": "A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2908"
},
{
"id": "CVE-2023-30086",
"summary": "Buffer Overflow vulnerability found in Libtiff V.4.0.7 allows a local attacker to cause a denial of service via the tiffcp function in tiffcp.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-30086"
},
{
"id": "CVE-2023-30774",
"summary": "A vulnerability was found in the libtiff library. This flaw causes a heap buffer overflow issue via the TIFFTAG_INKNAMES and TIFFTAG_NUMBEROFINKS values.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-30774"
},
{
"id": "CVE-2023-30775",
"summary": "A vulnerability was found in the libtiff library. This security flaw causes a heap buffer overflow in extractContigSamples32bits, tiffcrop.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-30775"
},
{
"id": "CVE-2023-3164",
"summary": "A heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. This flaw allows attackers to cause a denial of service via a crafted tiff file.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3164",
"detail": "cpe-incorrect",
"description": "Issue only affects the tiffcrop tool not compiled by default since 4.6.0"
},
{
"id": "CVE-2023-3316",
"summary": "A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones.\n\n",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3316"
},
{
"id": "CVE-2023-3576",
"summary": "A memory leak flaw was found in Libtiff's tiffcrop utility. This issue occurs when tiffcrop operates on a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes this memory leak issue, resulting an application crash, eventually leading to a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3576"
},
{
"id": "CVE-2023-3618",
"summary": "A flaw was found in libtiff. A specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3618"
},
{
"id": "CVE-2023-40745",
"summary": "LibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-40745"
},
{
"id": "CVE-2023-41175",
"summary": "A vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. This flaw allows remote attackers to cause a denial of service or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-41175"
},
{
"id": "CVE-2023-52355",
"summary": "An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52355"
},
{
"id": "CVE-2023-52356",
"summary": "A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52356"
},
{
"id": "CVE-2023-6228",
"summary": "An issue was found in the tiffcp utility distributed by the libtiff package where a crafted TIFF file on processing may cause a heap-based buffer overflow leads to an application crash.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6228"
},
{
"id": "CVE-2023-6277",
"summary": "An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to TIFFOpen() API may allow a remote attacker to cause a denial of service via a craft input with size smaller than 379 KB.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6277"
}
]
},
{
"name": "tiff-native",
"layer": "meta",
"version": "4.6.0",
"products": [
{
"product": "libtiff",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-0803",
"summary": "Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0803"
},
{
"id": "CVE-2004-0804",
"summary": "Vulnerability in tif_dirread.c for libtiff allows remote attackers to cause a denial of service (application crash) via a TIFF image that causes a divide-by-zero error when the number of row bytes is zero, a different vulnerability than CVE-2005-2452.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0804"
},
{
"id": "CVE-2004-0886",
"summary": "Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0886"
},
{
"id": "CVE-2004-0929",
"summary": "Heap-based buffer overflow in the OJPEGVSetField function in tif_ojpeg.c for libtiff 3.6.1 and earlier, when compiled with the OJPEG_SUPPORT (old JPEG support) option, allows remote attackers to execute arbitrary code via a malformed TIFF image.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0929"
},
{
"id": "CVE-2004-1183",
"summary": "Integer overflow in the tiffdump utility for libtiff 3.7.1 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF file.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1183"
},
{
"id": "CVE-2004-1307",
"summary": "Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero byte buffer to be allocated and leads to a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1307"
},
{
"id": "CVE-2004-1308",
"summary": "Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3.5.7 and 3.7.0 allows remote attackers to execute arbitrary code via a TIFF file containing a TIFF_ASCII or TIFF_UNDEFINED directory entry with a -1 entry count, which leads to a heap-based buffer overflow.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1308"
},
{
"id": "CVE-2005-1544",
"summary": "Stack-based buffer overflow in libTIFF before 3.7.2 allows remote attackers to execute arbitrary code via a TIFF file with a malformed BitsPerSample tag.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1544"
},
{
"id": "CVE-2005-2452",
"summary": "libtiff up to 3.7.0 allows remote attackers to cause a denial of service (application crash) via a TIFF image header with a zero \"YCbCr subsampling\" value, which causes a divide-by-zero error in (1) tif_strip.c and (2) tif_tile.c, a different vulnerability than CVE-2004-0804.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2452"
},
{
"id": "CVE-2006-0405",
"summary": "The TIFFFetchShortPair function in tif_dirread.c in libtiff 3.8.0 allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers a NULL pointer dereference, possibly due to changes in type declarations and/or the TIFFVSetField function.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0405"
},
{
"id": "CVE-2006-2024",
"summary": "Multiple vulnerabilities in libtiff before 3.8.1 allow context-dependent attackers to cause a denial of service via a TIFF image that triggers errors in (1) the TIFFFetchAnyArray function in (a) tif_dirread.c; (2) certain \"codec cleanup methods\" in (b) tif_lzw.c, (c) tif_pixarlog.c, and (d) tif_zip.c; (3) and improper restoration of setfield and getfield methods in cleanup functions within (e) tif_jpeg.c, tif_pixarlog.c, (f) tif_fax3.c, and tif_zip.c.",
"scorev2": "4.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2024"
},
{
"id": "CVE-2006-2025",
"summary": "Integer overflow in the TIFFFetchData function in tif_dirread.c for libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a crafted TIFF image.",
"scorev2": "6.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2025"
},
{
"id": "CVE-2006-2026",
"summary": "Double free vulnerability in tif_jpeg.c in libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers errors related to \"setfield/getfield methods in cleanup functions.\"",
"scorev2": "6.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2026"
},
{
"id": "CVE-2006-2120",
"summary": "The TIFFToRGB function in libtiff before 3.8.1 allows remote attackers to cause a denial of service (crash) via a crafted TIFF image with Yr/Yg/Yb values that exceed the YCR/YCG/YCB values, which triggers an out-of-bounds read.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2120"
},
{
"id": "CVE-2006-2193",
"summary": "Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff 3.8.2 and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a TIFF file with a DocumentName tag that contains UTF-8 characters, which triggers the overflow when a character is sign extended to an integer that produces more digits than expected in an sprintf call.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2193"
},
{
"id": "CVE-2006-2656",
"summary": "Stack-based buffer overflow in the tiffsplit command in libtiff 3.8.2 and earlier might might allow attackers to execute arbitrary code via a long filename. NOTE: tiffsplit is not setuid. If there is not a common scenario under which tiffsplit is called with attacker-controlled command line arguments, then perhaps this issue should not be included in CVE.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2656"
},
{
"id": "CVE-2006-3459",
"summary": "Multiple stack-based buffer overflows in the TIFF library (libtiff) before 3.8.2, as used in Adobe Reader 9.3.0 and other products, allow context-dependent attackers to execute arbitrary code or cause a denial of service via unspecified vectors, including a large tdir_count value in the TIFFFetchShortPair function in tif_dirread.c.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3459"
},
{
"id": "CVE-2006-3460",
"summary": "Heap-based buffer overflow in the JPEG decoder in the TIFF library (libtiff) before 3.8.2 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via an encoded JPEG stream that is longer than the scan line size (TiffScanLineSize).",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3460"
},
{
"id": "CVE-2006-3461",
"summary": "Heap-based buffer overflow in the PixarLog decoder in the TIFF library (libtiff) before 3.8.2 might allow context-dependent attackers to execute arbitrary code via unknown vectors.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3461"
},
{
"id": "CVE-2006-3462",
"summary": "Heap-based buffer overflow in the NeXT RLE decoder in the TIFF library (libtiff) before 3.8.2 might allow context-dependent attackers to execute arbitrary code via unknown vectors involving decoding large RLE images.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3462"
},
{
"id": "CVE-2006-3463",
"summary": "The EstimateStripByteCounts function in TIFF library (libtiff) before 3.8.2 uses a 16-bit unsigned short when iterating over an unsigned 32-bit value, which allows context-dependent attackers to cause a denial of service via a large td_nstrips value, which triggers an infinite loop.",
"scorev2": "7.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3463"
},
{
"id": "CVE-2006-3464",
"summary": "TIFF library (libtiff) before 3.8.2 allows context-dependent attackers to pass numeric range checks and possibly execute code, and trigger assert errors, via large offset values in a TIFF directory that lead to an integer overflow and other unspecified vectors involving \"unchecked arithmetic operations\".",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3464"
},
{
"id": "CVE-2006-3465",
"summary": "Unspecified vulnerability in the custom tag support for the TIFF library (libtiff) before 3.8.2 allows remote attackers to cause a denial of service (instability or crash) and execute arbitrary code via unknown vectors.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3465"
},
{
"id": "CVE-2008-2327",
"summary": "Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2327"
},
{
"id": "CVE-2009-2285",
"summary": "Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 allows context-dependent attackers to cause a denial of service (crash) via a crafted TIFF image, a different vulnerability than CVE-2008-2327.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2285"
},
{
"id": "CVE-2009-2347",
"summary": "Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2347"
},
{
"id": "CVE-2009-5022",
"summary": "Heap-based buffer overflow in tif_ojpeg.c in the OJPEG decoder in LibTIFF before 3.9.5 allows remote attackers to execute arbitrary code via a crafted TIFF file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5022"
},
{
"id": "CVE-2010-2065",
"summary": "Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF file that triggers a buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2065"
},
{
"id": "CVE-2010-2067",
"summary": "Stack-based buffer overflow in the TIFFFetchSubjectDistance function in tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long EXIF SubjectDistance field in a TIFF file.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2067"
},
{
"id": "CVE-2010-2233",
"summary": "tif_getimage.c in LibTIFF 3.9.0 and 3.9.2 on 64-bit platforms, as used in ImageMagick, does not properly perform vertical flips, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF image, related to \"downsampled OJPEG input.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2233"
},
{
"id": "CVE-2010-2443",
"summary": "The OJPEGReadBufferFill function in tif_ojpeg.c in LibTIFF before 3.9.3 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an OJPEG image with undefined strip offsets, related to the TIFFVGetField function.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2443"
},
{
"id": "CVE-2010-2481",
"summary": "The TIFFExtractData macro in LibTIFF before 3.9.4 does not properly handle unknown tag types in TIFF directory entries, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted TIFF file.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2481"
},
{
"id": "CVE-2010-2482",
"summary": "LibTIFF 3.9.4 and earlier does not properly handle an invalid td_stripbytecount field, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted TIFF file, a different vulnerability than CVE-2010-2443.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2482"
},
{
"id": "CVE-2010-2483",
"summary": "The TIFFRGBAImageGet function in LibTIFF 3.9.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a TIFF file with an invalid combination of SamplesPerPixel and Photometric values.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2483"
},
{
"id": "CVE-2010-2595",
"summary": "The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as used in ImageMagick, does not properly handle invalid ReferenceBlackWhite values, which allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers an array index error, related to \"downsampled OJPEG input.\"",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2595"
},
{
"id": "CVE-2010-2596",
"summary": "The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and 3.9.2, as used in tiff2ps, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF image, related to \"downsampled OJPEG input.\"",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2596"
},
{
"id": "CVE-2010-2597",
"summary": "The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0 and 3.9.2 makes incorrect calls to the TIFFGetField function, which allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image, related to \"downsampled OJPEG input\" and possibly related to a compiler optimization that triggers a divide-by-zero error.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2597"
},
{
"id": "CVE-2010-2630",
"summary": "The TIFFReadDirectory function in LibTIFF 3.9.0 does not properly validate the data types of codec-specific tags that have an out-of-order position in a TIFF file, which allows remote attackers to cause a denial of service (application crash) via a crafted file, a different vulnerability than CVE-2010-2481.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2630"
},
{
"id": "CVE-2010-2631",
"summary": "LibTIFF 3.9.0 ignores tags in certain situations during the first stage of TIFF file processing and does not properly handle this during the second stage, which allows remote attackers to cause a denial of service (application crash) via a crafted file, a different vulnerability than CVE-2010-2481.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2631"
},
{
"id": "CVE-2010-3087",
"summary": "LibTIFF before 3.9.2-5.2.1 in SUSE openSUSE 11.3 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted TIFF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3087"
},
{
"id": "CVE-2010-4665",
"summary": "Integer overflow in the ReadDirectory function in tiffdump.c in tiffdump in LibTIFF before 3.9.5 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TIFF file containing a directory data structure with many directory entries.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4665"
},
{
"id": "CVE-2011-1167",
"summary": "Heap-based buffer overflow in the thunder (aka ThunderScan) decoder in tif_thunder.c in LibTIFF 3.9.4 and earlier allows remote attackers to execute arbitrary code via crafted THUNDER_2BITDELTAS data in a .tiff file that has an unexpected BitsPerSample value.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1167"
},
{
"id": "CVE-2012-1173",
"summary": "Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow remote attackers to execute arbitrary code via a crafted tile size in a TIFF file, which is not properly handled by the (1) gtTileSeparate or (2) gtStripSeparate function, leading to a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1173"
},
{
"id": "CVE-2012-2088",
"summary": "Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in libtiff 3.9.4 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a negative tile depth in a tiff image, which triggers an improper conversion between signed and unsigned types, leading to a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2088"
},
{
"id": "CVE-2012-2113",
"summary": "Multiple integer overflows in tiff2pdf in libtiff before 4.0.2 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2113"
},
{
"id": "CVE-2012-3401",
"summary": "The t2p_read_tiff_init function in tiff2pdf (tools/tiff2pdf.c) in LibTIFF 4.0.2 and earlier does not properly initialize the T2P context struct pointer in certain error conditions, which allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3401"
},
{
"id": "CVE-2012-4447",
"summary": "Heap-based buffer overflow in tif_pixarlog.c in LibTIFF before 4.0.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF image using the PixarLog Compression format.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4447"
},
{
"id": "CVE-2012-4564",
"summary": "ppm2tiff does not check the return value of the TIFFScanlineSize function, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PPM image that triggers an integer overflow, a zero-memory allocation, and a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4564"
},
{
"id": "CVE-2012-5581",
"summary": "Stack-based buffer overflow in tif_dir.c in LibTIFF before 4.0.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DOTRANGE tag in a TIFF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5581"
},
{
"id": "CVE-2013-1960",
"summary": "Heap-based buffer overflow in the t2p_process_jpeg_strip function in tiff2pdf in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1960"
},
{
"id": "CVE-2013-1961",
"summary": "Stack-based buffer overflow in the t2p_write_pdf_page function in tiff2pdf in libtiff before 4.0.3 allows remote attackers to cause a denial of service (application crash) via a crafted image length and resolution in a TIFF image file.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1961"
},
{
"id": "CVE-2013-4231",
"summary": "Multiple buffer overflows in libtiff before 4.0.3 allow remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) extension block in a GIF image or (2) GIF raster image to tools/gif2tiff.c or (3) a long filename for a TIFF image to tools/rgb2ycbcr.c. NOTE: vectors 1 and 3 are disputed by Red Hat, which states that the input cannot exceed the allocated buffer size.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4231"
},
{
"id": "CVE-2013-4232",
"summary": "Use-after-free vulnerability in the t2p_readwrite_pdf_image function in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted TIFF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4232"
},
{
"id": "CVE-2013-4243",
"summary": "Heap-based buffer overflow in the readgifimage function in the gif2tiff tool in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted height and width values in a GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4243"
},
{
"id": "CVE-2013-4244",
"summary": "The LZW decompressor in the gif2tiff tool in libtiff 4.0.3 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted GIF image.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4244"
},
{
"id": "CVE-2014-8127",
"summary": "LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted TIFF image to the (1) checkInkNamesString function in tif_dir.c in the thumbnail tool, (2) compresscontig function in tiff2bw.c in the tiff2bw tool, (3) putcontig8bitCIELab function in tif_getimage.c in the tiff2rgba tool, LZWPreDecode function in tif_lzw.c in the (4) tiff2ps or (5) tiffdither tool, (6) NeXTDecode function in tif_next.c in the tiffmedian tool, or (7) TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8127"
},
{
"id": "CVE-2014-8128",
"summary": "LibTIFF prior to 4.0.4, as used in Apple iOS before 8.4 and OS X before 10.10.4 and other products, allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8128"
},
{
"id": "CVE-2014-8129",
"summary": "LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by failure of tif_next.c to verify that the BitsPerSample value is 2, and the t2p_sample_lab_signed_to_unsigned function in tiff2pdf.c.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8129"
},
{
"id": "CVE-2014-8130",
"summary": "The _TIFFmalloc function in tif_unix.c in LibTIFF 4.0.3 does not reject a zero size, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image that is mishandled by the TIFFWriteScanline function in tif_write.c, as demonstrated by tiffdither.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8130"
},
{
"id": "CVE-2014-9330",
"summary": "Integer overflow in tif_packbits.c in bmp2tif in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) via crafted BMP image, related to dimensions, which triggers an out-of-bounds read.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9330"
},
{
"id": "CVE-2014-9655",
"summary": "The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2) NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff-cvs-1.tif and libtiff-cvs-2.tif.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9655"
},
{
"id": "CVE-2015-1547",
"summary": "The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff5.tif.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1547"
},
{
"id": "CVE-2015-7313",
"summary": "LibTIFF allows remote attackers to cause a denial of service (memory consumption and crash) via a crafted tiff file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7313",
"detail": "fixed-version",
"description": "Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue"
},
{
"id": "CVE-2015-7554",
"summary": "The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7554"
},
{
"id": "CVE-2015-8665",
"summary": "tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via the SamplesPerPixel tag in a TIFF image.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8665"
},
{
"id": "CVE-2015-8668",
"summary": "Heap-based buffer overflow in the PackBitsPreEncode function in tif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier allows remote attackers to execute arbitrary code or cause a denial of service via a large width field in a BMP image.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8668"
},
{
"id": "CVE-2015-8683",
"summary": "The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a packed TIFF image.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8683"
},
{
"id": "CVE-2015-8781",
"summary": "tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds write) via an invalid number of samples per pixel in a LogL compressed TIFF image, a different vulnerability than CVE-2015-8782.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8781"
},
{
"id": "CVE-2015-8782",
"summary": "tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via a crafted TIFF image, a different vulnerability than CVE-2015-8781.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8782"
},
{
"id": "CVE-2015-8783",
"summary": "tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds reads) via a crafted TIFF image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8783"
},
{
"id": "CVE-2015-8784",
"summary": "The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image, as demonstrated by libtiff5.tif.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8784"
},
{
"id": "CVE-2015-8870",
"summary": "Integer overflow in tools/bmp2tiff.c in LibTIFF before 4.0.4 allows remote attackers to cause a denial of service (heap-based buffer over-read), or possibly obtain sensitive information from process memory, via crafted width and length values in RLE4 or RLE8 data in a BMP file.",
"scorev2": "5.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8870"
},
{
"id": "CVE-2016-10092",
"summary": "Heap-based buffer overflow in the readContigStripsIntoBuffer function in tif_unix.c in LibTIFF 4.0.7, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5 and 4.0.6 allows remote attackers to have unspecified impact via a crafted image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10092"
},
{
"id": "CVE-2016-10093",
"summary": "Integer overflow in tools/tiffcp.c in LibTIFF 4.0.7, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5 and 4.0.6 allows remote attackers to have unspecified impact via a crafted image, which triggers a heap-based buffer overflow.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10093"
},
{
"id": "CVE-2016-10094",
"summary": "Off-by-one error in the t2p_readwrite_pdf_image_tile function in tools/tiff2pdf.c in LibTIFF 4.0.7 allows remote attackers to have unspecified impact via a crafted image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10094"
},
{
"id": "CVE-2016-10095",
"summary": "Stack-based buffer overflow in the _TIFFVGetField function in tif_dir.c in LibTIFF 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7 and 4.0.8 allows remote attackers to cause a denial of service (crash) via a crafted TIFF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10095"
},
{
"id": "CVE-2016-10266",
"summary": "LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10266"
},
{
"id": "CVE-2016-10267",
"summary": "LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10267"
},
{
"id": "CVE-2016-10268",
"summary": "tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (integer underflow and heap-based buffer under-read) or possibly have unspecified other impact via a crafted TIFF image, related to \"READ of size 78490\" and libtiff/tif_unix.c:115:23.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10268"
},
{
"id": "CVE-2016-10269",
"summary": "LibTIFF 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6 and 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to \"READ of size 512\" and libtiff/tif_unix.c:340:2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10269"
},
{
"id": "CVE-2016-10270",
"summary": "LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to \"READ of size 8\" and libtiff/tif_read.c:523:22.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10270"
},
{
"id": "CVE-2016-10271",
"summary": "tools/tiffcrop.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read and buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to \"READ of size 1\" and libtiff/tif_fax3.c:413:13.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10271"
},
{
"id": "CVE-2016-10272",
"summary": "LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to \"WRITE of size 2048\" and libtiff/tif_next.c:64:9.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10272"
},
{
"id": "CVE-2016-10371",
"summary": "The TIFFWriteDirectoryTagCheckedRational function in tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10371"
},
{
"id": "CVE-2016-3186",
"summary": "Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file.",
"scorev2": "5.0",
"scorev3": "6.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3186"
},
{
"id": "CVE-2016-3619",
"summary": "The DumpModeEncode function in tif_dumpmode.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the \"-c none\" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3619"
},
{
"id": "CVE-2016-3620",
"summary": "The ZIPEncode function in tif_zip.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the \"-c zip\" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3620"
},
{
"id": "CVE-2016-3621",
"summary": "The LZWEncode function in tif_lzw.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the \"-c lzw\" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3621"
},
{
"id": "CVE-2016-3622",
"summary": "The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted TIFF image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3622"
},
{
"id": "CVE-2016-3623",
"summary": "The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero) by setting the (1) v or (2) h parameter to 0.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3623"
},
{
"id": "CVE-2016-3624",
"summary": "The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the \"-v\" option to -1.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3624"
},
{
"id": "CVE-2016-3625",
"summary": "tif_read.c in the tiff2bw tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TIFF image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3625"
},
{
"id": "CVE-2016-3631",
"summary": "The (1) cpStrips and (2) cpTiles functions in the thumbnail tool in LibTIFF 4.0.6 and earlier allow remote attackers to cause a denial of service (out-of-bounds read) via vectors related to the bytecounts[] array variable.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3631"
},
{
"id": "CVE-2016-3632",
"summary": "The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3632"
},
{
"id": "CVE-2016-3633",
"summary": "The setrow function in the thumbnail tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to the src variable.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3633"
},
{
"id": "CVE-2016-3634",
"summary": "The tagCompare function in tif_dirinfo.c in the thumbnail tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to field_tag matching.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3634"
},
{
"id": "CVE-2016-3658",
"summary": "The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving the ma variable.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3658"
},
{
"id": "CVE-2016-3945",
"summary": "Multiple integer overflows in the (1) cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image, which triggers an out-of-bounds write.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3945"
},
{
"id": "CVE-2016-3990",
"summary": "Heap-based buffer overflow in the horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image to tiffcp.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3990"
},
{
"id": "CVE-2016-3991",
"summary": "Heap-based buffer overflow in the loadImage function in the tiffcrop tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image with zero tiles.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3991"
},
{
"id": "CVE-2016-5102",
"summary": "Buffer overflow in the readgifimage function in gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (segmentation fault) via a crafted gif file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5102"
},
{
"id": "CVE-2016-5314",
"summary": "Buffer overflow in the PixarLogDecode function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by overwriting the vgetparent function pointer with rgb2ycbcr.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5314"
},
{
"id": "CVE-2016-5315",
"summary": "The setByteArray function in tif_dir.c in libtiff 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tiff image.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5315"
},
{
"id": "CVE-2016-5316",
"summary": "Out-of-bounds read in the PixarLogCleanup function in tif_pixarlog.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application by sending a crafted TIFF image to the rgb2ycbcr tool.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5316"
},
{
"id": "CVE-2016-5317",
"summary": "Buffer overflow in the PixarLogDecode function in libtiff.so in the PixarLogDecode function in libtiff 4.0.6 and earlier, as used in GNOME nautilus, allows attackers to cause a denial of service attack (crash) via a crafted TIFF file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5317"
},
{
"id": "CVE-2016-5318",
"summary": "Stack-based buffer overflow in the _TIFFVGetField function in libtiff 4.0.6 and earlier allows remote attackers to crash the application via a crafted tiff.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5318"
},
{
"id": "CVE-2016-5319",
"summary": "Heap-based buffer overflow in tif_packbits.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application via a crafted bmp file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5319"
},
{
"id": "CVE-2016-5321",
"summary": "The DumpModeDecode function in libtiff 4.0.6 and earlier allows attackers to cause a denial of service (invalid read and crash) via a crafted tiff image.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5321"
},
{
"id": "CVE-2016-5322",
"summary": "The setByteArray function in tif_dir.c in libtiff 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tiff image.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5322"
},
{
"id": "CVE-2016-5323",
"summary": "The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5323"
},
{
"id": "CVE-2016-5652",
"summary": "An exploitable heap-based buffer overflow exists in the handling of TIFF images in LibTIFF's TIFF2PDF tool. A crafted TIFF document can lead to a heap-based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved TIFF file delivered by other means.",
"scorev2": "6.8",
"scorev3": "7.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5652"
},
{
"id": "CVE-2016-6223",
"summary": "The TIFFReadRawStrip1 and TIFFReadRawTile1 functions in tif_read.c in libtiff before 4.0.7 allows remote attackers to cause a denial of service (crash) or possibly obtain sensitive information via a negative index in a file-content buffer.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6223"
},
{
"id": "CVE-2016-8331",
"summary": "An exploitable remote code execution vulnerability exists in the handling of TIFF images in LibTIFF version 4.0.6. A crafted TIFF document can lead to a type confusion vulnerability resulting in remote code execution. This vulnerability can be triggered via a TIFF file delivered to the application using LibTIFF's tag extension functionality.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8331"
},
{
"id": "CVE-2016-9273",
"summary": "tiffsplit in libtiff 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file, related to changing td_nstrips in TIFF_STRIPCHOP mode.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9273"
},
{
"id": "CVE-2016-9297",
"summary": "The TIFFFetchNormalTag function in LibTiff 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via crafted TIFF_SETGET_C16ASCII or TIFF_SETGET_C32_ASCII tag values.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9297"
},
{
"id": "CVE-2016-9448",
"summary": "The TIFFFetchNormalTag function in LibTiff 4.0.6 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by setting the tags TIFF_SETGET_C16ASCII or TIFF_SETGET_C32_ASCII to values that access 0-byte arrays. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9297.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9448"
},
{
"id": "CVE-2016-9453",
"summary": "The t2p_readwrite_pdf_image_tile function in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a JPEG file with a TIFFTAG_JPEGTABLES of length one.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9453"
},
{
"id": "CVE-2016-9532",
"summary": "Integer overflow in the writeBufferToSeparateStrips function in tiffcrop.c in LibTIFF before 4.0.7 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tif file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9532"
},
{
"id": "CVE-2016-9533",
"summary": "tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers. Reported as MSVR 35094, aka \"PixarLog horizontalDifference heap-buffer-overflow.\"",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9533"
},
{
"id": "CVE-2016-9534",
"summary": "tif_write.c in libtiff 4.0.6 has an issue in the error code path of TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members. Reported as MSVR 35095, aka \"TIFFFlushData1 heap-buffer-overflow.\"",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9534"
},
{
"id": "CVE-2016-9535",
"summary": "tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka \"Predictor heap-buffer-overflow.\"",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9535"
},
{
"id": "CVE-2016-9536",
"summary": "tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers in t2p_process_jpeg_strip(). Reported as MSVR 35098, aka \"t2p_process_jpeg_strip heap-buffer-overflow.\"",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9536"
},
{
"id": "CVE-2016-9537",
"summary": "tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in buffers. Reported as MSVR 35093, MSVR 35096, and MSVR 35097.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9537"
},
{
"id": "CVE-2016-9538",
"summary": "tools/tiffcrop.c in libtiff 4.0.6 reads an undefined buffer in readContigStripsIntoBuffer() because of a uint16 integer overflow. Reported as MSVR 35100.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9538"
},
{
"id": "CVE-2016-9539",
"summary": "tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in readContigTilesIntoBuffer(). Reported as MSVR 35092.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9539"
},
{
"id": "CVE-2016-9540",
"summary": "tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled images with odd tile width versus image width. Reported as MSVR 35103, aka \"cpStripToTile heap-buffer-overflow.\"",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9540"
},
{
"id": "CVE-2017-10688",
"summary": "In LibTIFF 4.0.8, there is a assertion abort in the TIFFWriteDirectoryTagCheckedLong8Array function in tif_dirwrite.c. A crafted input will lead to a remote denial of service attack.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10688"
},
{
"id": "CVE-2017-11335",
"summary": "There is a heap based buffer overflow in tools/tiff2pdf.c of LibTIFF 4.0.8 via a PlanarConfig=Contig image, which causes a more than one hundred bytes out-of-bounds write (related to the ZIPDecode function in tif_zip.c). A crafted input may lead to a remote denial of service attack or an arbitrary code execution attack.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11335"
},
{
"id": "CVE-2017-11613",
"summary": "In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11613"
},
{
"id": "CVE-2017-12944",
"summary": "The TIFFReadDirEntryArray function in tif_read.c in LibTIFF 4.0.8 mishandles memory allocation for short files, which allows remote attackers to cause a denial of service (allocation failure and application crash) in the TIFFFetchStripThing function in tif_dirread.c during a tiff2pdf invocation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12944"
},
{
"id": "CVE-2017-13726",
"summary": "There is a reachable assertion abort in the function TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13726"
},
{
"id": "CVE-2017-13727",
"summary": "There is a reachable assertion abort in the function TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13727"
},
{
"id": "CVE-2017-16232",
"summary": "LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16232"
},
{
"id": "CVE-2017-17095",
"summary": "tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (TIFFSetupStrips heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17095"
},
{
"id": "CVE-2017-17942",
"summary": "In LibTIFF 4.0.9, there is a heap-based buffer over-read in the function PackBitsEncode in tif_packbits.c.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17942"
},
{
"id": "CVE-2017-17973",
"summary": "In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17973"
},
{
"id": "CVE-2017-18013",
"summary": "In LibTIFF 4.0.9, there is a Null-Pointer Dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18013"
},
{
"id": "CVE-2017-5225",
"summary": "LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5225"
},
{
"id": "CVE-2017-5563",
"summary": "LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5563"
},
{
"id": "CVE-2017-7592",
"summary": "The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7592"
},
{
"id": "CVE-2017-7593",
"summary": "tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7593"
},
{
"id": "CVE-2017-7594",
"summary": "The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7594"
},
{
"id": "CVE-2017-7595",
"summary": "The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7595"
},
{
"id": "CVE-2017-7596",
"summary": "LibTIFF 4.0.7 has an \"outside the range of representable values of type float\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7596"
},
{
"id": "CVE-2017-7597",
"summary": "tif_dirread.c in LibTIFF 4.0.7 has an \"outside the range of representable values of type float\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7597"
},
{
"id": "CVE-2017-7598",
"summary": "tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.",
"scorev2": "4.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7598"
},
{
"id": "CVE-2017-7599",
"summary": "LibTIFF 4.0.7 has an \"outside the range of representable values of type short\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7599"
},
{
"id": "CVE-2017-7600",
"summary": "LibTIFF 4.0.7 has an \"outside the range of representable values of type unsigned char\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7600"
},
{
"id": "CVE-2017-7601",
"summary": "LibTIFF 4.0.7 has a \"shift exponent too large for 64-bit type long\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7601"
},
{
"id": "CVE-2017-7602",
"summary": "LibTIFF 4.0.7 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7602"
},
{
"id": "CVE-2017-9117",
"summary": "In LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, leading to a heap-based buffer over-read in bmp2tiff.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9117"
},
{
"id": "CVE-2017-9147",
"summary": "LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function in tif_dir.c, which might allow remote attackers to cause a denial of service (crash) via a crafted TIFF file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9147"
},
{
"id": "CVE-2017-9403",
"summary": "In LibTIFF 4.0.7, a memory leak vulnerability was found in the function TIFFReadDirEntryLong8Array in tif_dirread.c, which allows attackers to cause a denial of service via a crafted file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9403"
},
{
"id": "CVE-2017-9404",
"summary": "In LibTIFF 4.0.7, a memory leak vulnerability was found in the function OJPEGReadHeaderInfoSecTablesQTable in tif_ojpeg.c, which allows attackers to cause a denial of service via a crafted file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9404"
},
{
"id": "CVE-2017-9815",
"summary": "In LibTIFF 4.0.7, the TIFFReadDirEntryLong8Array function in libtiff/tif_dirread.c mishandles a malloc operation, which allows attackers to cause a denial of service (memory leak within the function _TIFFmalloc in tif_unix.c) via a crafted file.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9815"
},
{
"id": "CVE-2017-9935",
"summary": "In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9935"
},
{
"id": "CVE-2017-9936",
"summary": "In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c. A crafted TIFF document can lead to a memory leak resulting in a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9936"
},
{
"id": "CVE-2017-9937",
"summary": "In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9937"
},
{
"id": "CVE-2018-10126",
"summary": "LibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10126"
},
{
"id": "CVE-2018-10779",
"summary": "TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a heap-based buffer over-read, as demonstrated by bmp2tiff.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10779"
},
{
"id": "CVE-2018-10801",
"summary": "TIFFClientOpen in tif_unix.c in LibTIFF 3.8.2 has memory leaks, as demonstrated by bmp2tiff.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10801"
},
{
"id": "CVE-2018-10963",
"summary": "The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10963"
},
{
"id": "CVE-2018-12900",
"summary": "Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0beta7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12900"
},
{
"id": "CVE-2018-15209",
"summary": "ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15209"
},
{
"id": "CVE-2018-16335",
"summary": "newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16335"
},
{
"id": "CVE-2018-17000",
"summary": "A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c (called from TIFFWriteDirectoryTagTransferfunction) in LibTIFF 4.0.9 allows an attacker to cause a denial-of-service through a crafted tiff file. This vulnerability can be triggered by the executable tiffcp.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17000"
},
{
"id": "CVE-2018-17100",
"summary": "An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17100"
},
{
"id": "CVE-2018-17101",
"summary": "An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17101"
},
{
"id": "CVE-2018-17795",
"summary": "The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 and earlier allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17795"
},
{
"id": "CVE-2018-18557",
"summary": "LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18557"
},
{
"id": "CVE-2018-18661",
"summary": "An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18661"
},
{
"id": "CVE-2018-19210",
"summary": "In LibTIFF 4.0.9, there is a NULL pointer dereference in the TIFFWriteDirectorySec function in tif_dirwrite.c that will lead to a denial of service attack, as demonstrated by tiffset.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19210"
},
{
"id": "CVE-2018-5360",
"summary": "LibTIFF before 4.0.6 mishandles the reading of TIFF files, as demonstrated by a heap-based buffer over-read in the ReadTIFFImage function in coders/tiff.c in GraphicsMagick 1.3.27.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5360"
},
{
"id": "CVE-2018-5784",
"summary": "In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5784"
},
{
"id": "CVE-2018-7456",
"summary": "A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7456"
},
{
"id": "CVE-2018-8905",
"summary": "In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8905"
},
{
"id": "CVE-2019-14973",
"summary": "_TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through 4.0.10 mishandle Integer Overflow checks because they rely on compiler behavior that is undefined by the applicable C standards. This can, for example, lead to an application crash.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14973"
},
{
"id": "CVE-2019-17546",
"summary": "tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a \"Negative-size-param\" condition.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17546"
},
{
"id": "CVE-2019-6128",
"summary": "The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10 has a memory leak, as demonstrated by pal2rgb.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6128"
},
{
"id": "CVE-2019-7663",
"summary": "An Invalid Address dereference was discovered in TIFFWriteDirectoryTagTransferfunction in libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the cpSeparateBufToContigBuf function in tiffcp.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file. This is different from CVE-2018-12900.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7663"
},
{
"id": "CVE-2020-18768",
"summary": "There exists one heap buffer overflow in _TIFFmemcpy in tif_unix.c in libtiff 4.0.10, which allows an attacker to cause a denial-of-service through a crafted tiff file.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-18768"
},
{
"id": "CVE-2020-19131",
"summary": "Buffer Overflow in LibTiff v4.0.10 allows attackers to cause a denial of service via the \"invertImage()\" function in the component \"tiffcrop\".",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19131"
},
{
"id": "CVE-2020-19143",
"summary": "Buffer Overflow in LibTiff v4.0.10 allows attackers to cause a denial of service via the \"TIFFVGetField\" funtion in the component 'libtiff/tif_dir.c'.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19143"
},
{
"id": "CVE-2020-19144",
"summary": "Buffer Overflow in LibTiff v4.0.10 allows attackers to cause a denial of service via the 'in _TIFFmemcpy' funtion in the component 'tif_unix.c'.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-19144"
},
{
"id": "CVE-2020-35521",
"summary": "A flaw was found in libtiff. Due to a memory allocation failure in tif_read.c, a crafted TIFF file can lead to an abort, resulting in denial of service.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35521"
},
{
"id": "CVE-2020-35522",
"summary": "In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35522"
},
{
"id": "CVE-2020-35523",
"summary": "An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. This flaw allows an attacker to inject and execute arbitrary code when a user opens a crafted TIFF file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35523"
},
{
"id": "CVE-2020-35524",
"summary": "A heap-based buffer overflow flaw was found in libtiff in the handling of TIFF images in libtiff's TIFF2PDF tool. A specially crafted TIFF file can lead to arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35524"
},
{
"id": "CVE-2022-0561",
"summary": "Null source pointer passed as an argument to memcpy() function within TIFFFetchStripThing() in tif_dirread.c in libtiff versions from 3.9.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, the fix is available with commit eecb0712.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0561"
},
{
"id": "CVE-2022-0562",
"summary": "Null source pointer passed as an argument to memcpy() function within TIFFReadDirectory() in tif_dirread.c in libtiff versions from 4.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, a fix is available with commit 561599c.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0562"
},
{
"id": "CVE-2022-0865",
"summary": "Reachable Assertion in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 5e180045.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0865"
},
{
"id": "CVE-2022-0891",
"summary": "A heap buffer overflow in ExtractImageSection function in tiffcrop.c in libtiff library Version 4.3.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact",
"scorev2": "5.8",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0891"
},
{
"id": "CVE-2022-0907",
"summary": "Unchecked Return Value to NULL Pointer Dereference in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f2b656e2.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0907"
},
{
"id": "CVE-2022-0908",
"summary": "Null source pointer passed as an argument to memcpy() function within TIFFFetchNormalTag () in tif_dirread.c in libtiff versions up to 4.3.0 could lead to Denial of Service via crafted TIFF file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0908"
},
{
"id": "CVE-2022-0909",
"summary": "Divide By Zero error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f8d0f9aa.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0909"
},
{
"id": "CVE-2022-0924",
"summary": "Out-of-bounds Read error in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 408976c4.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0924"
},
{
"id": "CVE-2022-1056",
"summary": "Out-of-bounds Read error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 46dc8fcd.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1056"
},
{
"id": "CVE-2022-1210",
"summary": "A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1210"
},
{
"id": "CVE-2022-1354",
"summary": "A heap buffer overflow flaw was found in Libtiffs' tiffinfo.c in TIFFReadRawDataStriped() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffinfo tool, triggering a heap buffer overflow issue and causing a crash that leads to a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1354"
},
{
"id": "CVE-2022-1355",
"summary": "A stack buffer overflow flaw was found in Libtiffs' tiffcp.c in main() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffcp tool, triggering a stack buffer overflow issue, possibly corrupting the memory, and causing a crash that leads to a denial of service.",
"scorev2": "0.0",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1355"
},
{
"id": "CVE-2022-1622",
"summary": "LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1622"
},
{
"id": "CVE-2022-1623",
"summary": "LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:624, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1623"
},
{
"id": "CVE-2022-2056",
"summary": "Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2056"
},
{
"id": "CVE-2022-2057",
"summary": "Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2057"
},
{
"id": "CVE-2022-2058",
"summary": "Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2058"
},
{
"id": "CVE-2022-22844",
"summary": "LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22844"
},
{
"id": "CVE-2022-2519",
"summary": "There is a double free or corruption in rotateImage() at tiffcrop.c:8839 found in libtiff 4.4.0rc1",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2519"
},
{
"id": "CVE-2022-2520",
"summary": "A flaw was found in libtiff 4.4.0rc1. There is a sysmalloc assertion fail in rotateImage() at tiffcrop.c:8621 that can cause program crash when reading a crafted input.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2520"
},
{
"id": "CVE-2022-2521",
"summary": "It was found in libtiff 4.4.0rc1 that there is an invalid pointer free operation in TIFFClose() at tif_close.c:131 called by tiffcrop.c:2522 that can cause a program crash and denial of service while processing crafted input.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2521"
},
{
"id": "CVE-2022-2867",
"summary": "libtiff's tiffcrop utility has a uint32_t underflow that can lead to out of bounds read and write. An attacker who supplies a crafted file to tiffcrop (likely via tricking a user to run tiffcrop on it with certain parameters) could cause a crash or in some cases, further exploitation.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2867"
},
{
"id": "CVE-2022-2868",
"summary": "libtiff's tiffcrop utility has a improper input validation flaw that can lead to out of bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2868"
},
{
"id": "CVE-2022-2869",
"summary": "libtiff's tiffcrop tool has a uint32_t underflow which leads to out of bounds read and write in the extractContigSamples8bits routine. An attacker who supplies a crafted file to tiffcrop could trigger this flaw, most likely by tricking a user into opening the crafted file with tiffcrop. Triggering this flaw could cause a crash or potentially further exploitation.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2869"
},
{
"id": "CVE-2022-2953",
"summary": "LibTIFF 4.4.0 has an out-of-bounds read in extractImageSection in tools/tiffcrop.c:6905, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 48d6ece8.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2953"
},
{
"id": "CVE-2022-34266",
"summary": "The libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2 allows attackers to cause a denial of service (application crash), a different vulnerability than CVE-2022-0562. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif_dirread.c. This will cause TIFFFetchStripThing() to segfault after use of an uninitialized resource.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-34266"
},
{
"id": "CVE-2022-34526",
"summary": "A stack overflow was discovered in the _TIFFVGetField function of Tiffsplit v4.4.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted TIFF file parsed by the \"tiffsplit\" or \"tiffcrop\" utilities.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-34526"
},
{
"id": "CVE-2022-3570",
"summary": "Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3570"
},
{
"id": "CVE-2022-3597",
"summary": "LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6826, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3597"
},
{
"id": "CVE-2022-3598",
"summary": "LibTIFF 4.4.0 has an out-of-bounds write in extractContigSamplesShifted24bits in tools/tiffcrop.c:3604, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit cfbb883b.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3598"
},
{
"id": "CVE-2022-3599",
"summary": "LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in tools/tiffcrop.c:7345, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3599"
},
{
"id": "CVE-2022-3626",
"summary": "LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemset in libtiff/tif_unix.c:340 when called from processCropSelections, tools/tiffcrop.c:7619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3626"
},
{
"id": "CVE-2022-3627",
"summary": "LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6860, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3627"
},
{
"id": "CVE-2022-3970",
"summary": "A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3970"
},
{
"id": "CVE-2022-40090",
"summary": "An issue was discovered in function TIFFReadDirectory libtiff before 4.4.0 allows attackers to cause a denial of service via crafted TIFF file.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40090"
},
{
"id": "CVE-2022-4645",
"summary": "LibTIFF 4.4.0 has an out-of-bounds read in tiffcp in tools/tiffcp.c:948, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4645"
},
{
"id": "CVE-2022-48281",
"summary": "processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g., \"WRITE of size 307203\") via a crafted TIFF image.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48281"
},
{
"id": "CVE-2023-0795",
"summary": "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3488, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0795"
},
{
"id": "CVE-2023-0796",
"summary": "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3592, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0796"
},
{
"id": "CVE-2023-0797",
"summary": "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6921, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0797"
},
{
"id": "CVE-2023-0798",
"summary": "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3400, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0798"
},
{
"id": "CVE-2023-0799",
"summary": "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3701, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0799"
},
{
"id": "CVE-2023-0800",
"summary": "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3502, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0800"
},
{
"id": "CVE-2023-0801",
"summary": "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6778, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0801"
},
{
"id": "CVE-2023-0802",
"summary": "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3724, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0802"
},
{
"id": "CVE-2023-0803",
"summary": "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3516, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0803"
},
{
"id": "CVE-2023-0804",
"summary": "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3609, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0804"
},
{
"id": "CVE-2023-1916",
"summary": "A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.",
"scorev2": "0.0",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1916"
},
{
"id": "CVE-2023-25433",
"summary": "libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25433"
},
{
"id": "CVE-2023-25434",
"summary": "libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesBytes() at /libtiff/tools/tiffcrop.c:3215.",
"scorev2": "0.0",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25434"
},
{
"id": "CVE-2023-25435",
"summary": "libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25435"
},
{
"id": "CVE-2023-26965",
"summary": "loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-26965"
},
{
"id": "CVE-2023-26966",
"summary": "libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-26966"
},
{
"id": "CVE-2023-2731",
"summary": "A NULL pointer dereference flaw was found in Libtiff's LZWDecode() function in the libtiff/tif_lzw.c file. This flaw allows a local attacker to craft specific input data that can cause the program to dereference a NULL pointer when decompressing a TIFF format file, resulting in a program crash or denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2731"
},
{
"id": "CVE-2023-2908",
"summary": "A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2908"
},
{
"id": "CVE-2023-30086",
"summary": "Buffer Overflow vulnerability found in Libtiff V.4.0.7 allows a local attacker to cause a denial of service via the tiffcp function in tiffcp.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-30086"
},
{
"id": "CVE-2023-30774",
"summary": "A vulnerability was found in the libtiff library. This flaw causes a heap buffer overflow issue via the TIFFTAG_INKNAMES and TIFFTAG_NUMBEROFINKS values.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-30774"
},
{
"id": "CVE-2023-30775",
"summary": "A vulnerability was found in the libtiff library. This security flaw causes a heap buffer overflow in extractContigSamples32bits, tiffcrop.c.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-30775"
},
{
"id": "CVE-2023-3164",
"summary": "A heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. This flaw allows attackers to cause a denial of service via a crafted tiff file.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3164",
"detail": "cpe-incorrect",
"description": "Issue only affects the tiffcrop tool not compiled by default since 4.6.0"
},
{
"id": "CVE-2023-3316",
"summary": "A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones.\n\n",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3316"
},
{
"id": "CVE-2023-3576",
"summary": "A memory leak flaw was found in Libtiff's tiffcrop utility. This issue occurs when tiffcrop operates on a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes this memory leak issue, resulting an application crash, eventually leading to a denial of service.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3576"
},
{
"id": "CVE-2023-3618",
"summary": "A flaw was found in libtiff. A specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3618"
},
{
"id": "CVE-2023-40745",
"summary": "LibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-40745"
},
{
"id": "CVE-2023-41175",
"summary": "A vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. This flaw allows remote attackers to cause a denial of service or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-41175"
},
{
"id": "CVE-2023-52355",
"summary": "An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52355"
},
{
"id": "CVE-2023-52356",
"summary": "A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52356"
},
{
"id": "CVE-2023-6228",
"summary": "An issue was found in the tiffcp utility distributed by the libtiff package where a crafted TIFF file on processing may cause a heap-based buffer overflow leads to an application crash.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6228"
},
{
"id": "CVE-2023-6277",
"summary": "An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to TIFFOpen() API may allow a remote attacker to cause a denial of service via a craft input with size smaller than 379 KB.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6277"
}
]
},
{
"name": "ttf-bitstream-vera",
"layer": "meta",
"version": "1.10",
"products": [
{
"product": "ttf-bitstream-vera",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "ttf-dejavu",
"layer": "meta-oe",
"version": "2.37",
"products": [
{
"product": "ttf-dejavu",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "ttf-noto-emoji",
"layer": "meta-oe",
"version": "20200916",
"products": [
{
"product": "ttf-noto-emoji",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "tzcode-native",
"layer": "meta",
"version": "2024a",
"products": [
{
"product": "tzcode",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "tzdata",
"layer": "meta",
"version": "2024a",
"products": [
{
"product": "tzdata",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "udisks2",
"layer": "meta-oe",
"version": "2.10.1",
"products": [
{
"product": "udisks",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2010-1149",
"summary": "probers/udisks-dm-export.c in udisks before 1.0.1 exports UDISKS_DM_TARGETS_PARAMS information to udev even for a crypt UDISKS_DM_TARGETS_TYPE, which allows local users to discover encryption keys by (1) running a certain udevadm command or (2) reading a certain file under /dev/.udev/db/.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1149"
},
{
"id": "CVE-2010-4661",
"summary": "udisks before 1.0.3 allows a local user to load arbitrary Linux kernel modules.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4661"
},
{
"id": "CVE-2014-0004",
"summary": "Stack-based buffer overflow in udisks before 1.0.5 and 2.x before 2.1.3 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long mount point.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0004"
},
{
"id": "CVE-2018-17336",
"summary": "UDisks 2.8.0 has a format string vulnerability in udisks_log in udiskslogging.c, allowing attackers to obtain sensitive information (stack contents), cause a denial of service (memory corruption), or possibly have unspecified other impact via a malformed filesystem label, as demonstrated by %d or %n substrings.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17336"
},
{
"id": "CVE-2021-3802",
"summary": "A vulnerability found in udisks2. This flaw allows an attacker to input a specially crafted image file/USB leading to kernel panic. The highest threat from this vulnerability is to system availability.",
"scorev2": "6.3",
"scorev3": "4.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3802"
}
]
},
{
"name": "unifdef-native",
"layer": "meta",
"version": "2.12",
"products": [
{
"product": "unifdef",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "unzip",
"layer": "meta",
"version": "1_6.0",
"products": [
{
"product": "unzip",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2001-1268",
"summary": "Directory traversal vulnerability in Info-ZIP UnZip 5.42 and earlier allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1268"
},
{
"id": "CVE-2001-1269",
"summary": "Info-ZIP UnZip 5.42 and earlier allows attackers to overwrite arbitrary files during archive extraction via filenames in the archive that begin with the '/' (slash) character.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1269"
},
{
"id": "CVE-2003-0282",
"summary": "Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a \"..\" sequence.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0282"
},
{
"id": "CVE-2005-0602",
"summary": "Unzip 5.51 and earlier does not properly warn the user when extracting setuid or setgid files, which may allow local users to gain privileges.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0602"
},
{
"id": "CVE-2005-2475",
"summary": "Race condition in Unzip 5.52 allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by Unzip after the decompression is complete.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2475"
},
{
"id": "CVE-2005-4667",
"summary": "Buffer overflow in UnZip 5.50 and earlier allows user-assisted attackers to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4667"
},
{
"id": "CVE-2008-0888",
"summary": "The NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0888",
"detail": "fixed-version",
"description": "Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source"
},
{
"id": "CVE-2014-8139",
"summary": "Heap-based buffer overflow in the CRC32 verification in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8139"
},
{
"id": "CVE-2014-8140",
"summary": "Heap-based buffer overflow in the test_compr_eb function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8140"
},
{
"id": "CVE-2014-8141",
"summary": "Heap-based buffer overflow in the getZip64Data function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8141"
},
{
"id": "CVE-2014-9636",
"summary": "unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9636"
},
{
"id": "CVE-2014-9913",
"summary": "Buffer overflow in the list_files function in list.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via vectors related to the compression method.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9913"
},
{
"id": "CVE-2015-1315",
"summary": "Buffer overflow in the charset_to_intern function in unix/unix.c in Info-Zip UnZip 6.10b allows remote attackers to execute arbitrary code via a crafted string, as demonstrated by converting a string from CP866 to UTF-8.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1315"
},
{
"id": "CVE-2015-7696",
"summary": "Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly execute arbitrary code via a crafted password-protected ZIP archive, possibly related to an Extra-Field size value.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7696"
},
{
"id": "CVE-2015-7697",
"summary": "Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (infinite loop) via empty bzip2 data in a ZIP archive.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7697"
},
{
"id": "CVE-2016-9844",
"summary": "Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9844"
},
{
"id": "CVE-2018-1000031",
"summary": "A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service or to possibly achieve code execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000031"
},
{
"id": "CVE-2018-1000032",
"summary": "A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service or to possibly achieve code execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000032"
},
{
"id": "CVE-2018-1000033",
"summary": "An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service and read sensitive memory.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000033"
},
{
"id": "CVE-2018-1000034",
"summary": "An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service and read sensitive memory.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000034"
},
{
"id": "CVE-2018-1000035",
"summary": "A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000035"
},
{
"id": "CVE-2018-18384",
"summary": "Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value, because a buffer size is 10 and is supposed to be 12.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18384"
},
{
"id": "CVE-2019-13232",
"summary": "Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a \"better zip bomb\" issue.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13232"
},
{
"id": "CVE-2020-36561",
"summary": "Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.",
"scorev2": "0.0",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36561"
},
{
"id": "CVE-2021-4217",
"summary": "A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.",
"scorev2": "0.0",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4217"
},
{
"id": "CVE-2022-0529",
"summary": "A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0529"
},
{
"id": "CVE-2022-0530",
"summary": "A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0530"
}
]
},
{
"name": "unzip-native",
"layer": "meta",
"version": "1_6.0",
"products": [
{
"product": "unzip",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2001-1268",
"summary": "Directory traversal vulnerability in Info-ZIP UnZip 5.42 and earlier allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1268"
},
{
"id": "CVE-2001-1269",
"summary": "Info-ZIP UnZip 5.42 and earlier allows attackers to overwrite arbitrary files during archive extraction via filenames in the archive that begin with the '/' (slash) character.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1269"
},
{
"id": "CVE-2003-0282",
"summary": "Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a \"..\" sequence.",
"scorev2": "2.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0282"
},
{
"id": "CVE-2005-0602",
"summary": "Unzip 5.51 and earlier does not properly warn the user when extracting setuid or setgid files, which may allow local users to gain privileges.",
"scorev2": "6.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0602"
},
{
"id": "CVE-2005-2475",
"summary": "Race condition in Unzip 5.52 allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by Unzip after the decompression is complete.",
"scorev2": "1.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2475"
},
{
"id": "CVE-2005-4667",
"summary": "Buffer overflow in UnZip 5.50 and earlier allows user-assisted attackers to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4667"
},
{
"id": "CVE-2008-0888",
"summary": "The NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0888",
"detail": "fixed-version",
"description": "Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source"
},
{
"id": "CVE-2014-8139",
"summary": "Heap-based buffer overflow in the CRC32 verification in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8139"
},
{
"id": "CVE-2014-8140",
"summary": "Heap-based buffer overflow in the test_compr_eb function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8140"
},
{
"id": "CVE-2014-8141",
"summary": "Heap-based buffer overflow in the getZip64Data function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8141"
},
{
"id": "CVE-2014-9636",
"summary": "unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9636"
},
{
"id": "CVE-2014-9913",
"summary": "Buffer overflow in the list_files function in list.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via vectors related to the compression method.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9913"
},
{
"id": "CVE-2015-1315",
"summary": "Buffer overflow in the charset_to_intern function in unix/unix.c in Info-Zip UnZip 6.10b allows remote attackers to execute arbitrary code via a crafted string, as demonstrated by converting a string from CP866 to UTF-8.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1315"
},
{
"id": "CVE-2015-7696",
"summary": "Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly execute arbitrary code via a crafted password-protected ZIP archive, possibly related to an Extra-Field size value.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7696"
},
{
"id": "CVE-2015-7697",
"summary": "Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (infinite loop) via empty bzip2 data in a ZIP archive.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7697"
},
{
"id": "CVE-2016-9844",
"summary": "Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header.",
"scorev2": "2.1",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9844"
},
{
"id": "CVE-2018-1000031",
"summary": "A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service or to possibly achieve code execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000031"
},
{
"id": "CVE-2018-1000032",
"summary": "A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service or to possibly achieve code execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000032"
},
{
"id": "CVE-2018-1000033",
"summary": "An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service and read sensitive memory.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000033"
},
{
"id": "CVE-2018-1000034",
"summary": "An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service and read sensitive memory.",
"scorev2": "6.4",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000034"
},
{
"id": "CVE-2018-1000035",
"summary": "A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000035"
},
{
"id": "CVE-2018-18384",
"summary": "Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value, because a buffer size is 10 and is supposed to be 12.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18384"
},
{
"id": "CVE-2019-13232",
"summary": "Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a \"better zip bomb\" issue.",
"scorev2": "2.1",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13232"
},
{
"id": "CVE-2020-36561",
"summary": "Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.",
"scorev2": "0.0",
"scorev3": "9.1",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36561"
},
{
"id": "CVE-2021-4217",
"summary": "A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.",
"scorev2": "0.0",
"scorev3": "3.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4217"
},
{
"id": "CVE-2022-0529",
"summary": "A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0529"
},
{
"id": "CVE-2022-0530",
"summary": "A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0530"
}
]
},
{
"name": "update-rc.d",
"layer": "meta",
"version": "0.8+git",
"products": [
{
"product": "update-rc.d",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "update-rc.d-native",
"layer": "meta",
"version": "0.8+git",
"products": [
{
"product": "update-rc.d",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "usbutils",
"layer": "meta",
"version": "017",
"products": [
{
"product": "usbutils",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "utfcpp",
"layer": "meta",
"version": "4.0.5",
"products": [
{
"product": "utfcpp",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "uthash-native",
"layer": "meta-oe",
"version": "2.3.0",
"products": [
{
"product": "uthash",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "util-linux",
"layer": "meta",
"version": "2.39.3",
"products": [
{
"product": "util-linux",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2001-1147",
"summary": "The PAM implementation in /bin/login of the util-linux package before 2.11 causes a password entry to be rewritten across multiple PAM calls, which could provide the credentials of one user to a different user, when used in certain PAM modules such as pam_limits.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1147"
},
{
"id": "CVE-2001-1175",
"summary": "vipw in the util-linux package before 2.10 causes /etc/shadow to be world-readable in some cases, which would make it easier for local users to perform brute force password guessing.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1175"
},
{
"id": "CVE-2001-1494",
"summary": "script command in the util-linux package before 2.11n allows local users to overwrite arbitrary files by setting a hardlink from the typescript log file to any file on the system, then having root execute the script command.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1494"
},
{
"id": "CVE-2003-0094",
"summary": "A patch for mcookie in the util-linux package for Mandrake Linux 8.2 and 9.0 uses /dev/urandom instead of /dev/random, which causes mcookie to use an entropy source that is more predictable than expected, which may make it easier for certain types of attacks to succeed.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0094"
},
{
"id": "CVE-2004-0080",
"summary": "The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0080"
},
{
"id": "CVE-2005-2876",
"summary": "umount in util-linux 2.8 to 2.12q, 2.13-pre1, and 2.13-pre2, and other packages such as loop-aes-utils, allows local users with unmount permissions to gain privileges via the -r (remount) option, which causes the file system to be remounted with just the read-only flag, which effectively clears the nosuid, nodev, and other flags.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2876"
},
{
"id": "CVE-2006-7108",
"summary": "login in util-linux-2.12a skips pam_acct_mgmt and chauth_tok when authentication is skipped, such as when a Kerberos krlogin session has been established, which might allow users to bypass intended access policies that would be enforced by pam_acct_mgmt and chauth_tok.",
"scorev2": "4.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7108"
},
{
"id": "CVE-2007-5191",
"summary": "mount and umount in util-linux and loop-aes-utils call the setuid and setgid functions in the wrong order and do not check the return values, which might allow attackers to gain privileges via helpers such as mount.nfs.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5191"
},
{
"id": "CVE-2008-1926",
"summary": "Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an \"addr=\" statement to the login name, aka \"audit log injection.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1926"
},
{
"id": "CVE-2011-1675",
"summary": "mount in util-linux 2.19 and earlier attempts to append to the /etc/mtab.tmp file without first checking whether resource limits would interfere, which allows local users to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value, a related issue to CVE-2011-1089.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1675"
},
{
"id": "CVE-2011-1676",
"summary": "mount in util-linux 2.19 and earlier does not remove the /etc/mtab.tmp file after a failed attempt to add a mount entry, which allows local users to trigger corruption of the /etc/mtab file via multiple invocations.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1676"
},
{
"id": "CVE-2011-1677",
"summary": "mount in util-linux 2.19 and earlier does not remove the /etc/mtab~ lock file after a failed attempt to add a mount entry, which has unspecified impact and local attack vectors.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1677"
},
{
"id": "CVE-2013-0157",
"summary": "(a) mount and (b) umount in util-linux 2.14.1, 2.17.2, and probably other versions allow local users to determine the existence of restricted directories by (1) using the --guess-fstype command-line option or (2) attempting to mount a non-existent device, which generates different error messages depending on whether the directory exists.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0157"
},
{
"id": "CVE-2014-9114",
"summary": "Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9114"
},
{
"id": "CVE-2015-5218",
"summary": "Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5218"
},
{
"id": "CVE-2015-5224",
"summary": "The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5224"
},
{
"id": "CVE-2016-2779",
"summary": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2779"
},
{
"id": "CVE-2016-5011",
"summary": "The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5011"
},
{
"id": "CVE-2017-2616",
"summary": "A race condition was found in util-linux before 2.32.1 in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2616"
},
{
"id": "CVE-2018-7738",
"summary": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7738"
},
{
"id": "CVE-2020-21583",
"summary": "An issue was discovered in hwclock.13-v2.27 allows attackers to gain escalated privlidges or execute arbitrary commands via the path parameter when setting the date.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-21583"
},
{
"id": "CVE-2021-37600",
"summary": "An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments.",
"scorev2": "1.2",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37600"
},
{
"id": "CVE-2021-3995",
"summary": "A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows an unprivileged local attacker to unmount FUSE filesystems that belong to certain other users who have a UID that is a prefix of the UID of the attacker in its string form. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3995"
},
{
"id": "CVE-2021-3996",
"summary": "A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users' filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3996"
},
{
"id": "CVE-2022-0563",
"summary": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0563"
}
]
},
{
"name": "util-linux-libuuid",
"layer": "meta",
"version": "2.39.3",
"products": [
{
"product": "util-linux-libuuid",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "util-linux-libuuid-native",
"layer": "meta",
"version": "2.39.3",
"products": [
{
"product": "util-linux-libuuid",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "util-linux-native",
"layer": "meta",
"version": "2.39.3",
"products": [
{
"product": "util-linux",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2001-1147",
"summary": "The PAM implementation in /bin/login of the util-linux package before 2.11 causes a password entry to be rewritten across multiple PAM calls, which could provide the credentials of one user to a different user, when used in certain PAM modules such as pam_limits.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1147"
},
{
"id": "CVE-2001-1175",
"summary": "vipw in the util-linux package before 2.10 causes /etc/shadow to be world-readable in some cases, which would make it easier for local users to perform brute force password guessing.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1175"
},
{
"id": "CVE-2001-1494",
"summary": "script command in the util-linux package before 2.11n allows local users to overwrite arbitrary files by setting a hardlink from the typescript log file to any file on the system, then having root execute the script command.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1494"
},
{
"id": "CVE-2003-0094",
"summary": "A patch for mcookie in the util-linux package for Mandrake Linux 8.2 and 9.0 uses /dev/urandom instead of /dev/random, which causes mcookie to use an entropy source that is more predictable than expected, which may make it easier for certain types of attacks to succeed.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0094"
},
{
"id": "CVE-2004-0080",
"summary": "The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0080"
},
{
"id": "CVE-2005-2876",
"summary": "umount in util-linux 2.8 to 2.12q, 2.13-pre1, and 2.13-pre2, and other packages such as loop-aes-utils, allows local users with unmount permissions to gain privileges via the -r (remount) option, which causes the file system to be remounted with just the read-only flag, which effectively clears the nosuid, nodev, and other flags.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2876"
},
{
"id": "CVE-2006-7108",
"summary": "login in util-linux-2.12a skips pam_acct_mgmt and chauth_tok when authentication is skipped, such as when a Kerberos krlogin session has been established, which might allow users to bypass intended access policies that would be enforced by pam_acct_mgmt and chauth_tok.",
"scorev2": "4.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7108"
},
{
"id": "CVE-2007-5191",
"summary": "mount and umount in util-linux and loop-aes-utils call the setuid and setgid functions in the wrong order and do not check the return values, which might allow attackers to gain privileges via helpers such as mount.nfs.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5191"
},
{
"id": "CVE-2008-1926",
"summary": "Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an \"addr=\" statement to the login name, aka \"audit log injection.\"",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1926"
},
{
"id": "CVE-2011-1675",
"summary": "mount in util-linux 2.19 and earlier attempts to append to the /etc/mtab.tmp file without first checking whether resource limits would interfere, which allows local users to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value, a related issue to CVE-2011-1089.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1675"
},
{
"id": "CVE-2011-1676",
"summary": "mount in util-linux 2.19 and earlier does not remove the /etc/mtab.tmp file after a failed attempt to add a mount entry, which allows local users to trigger corruption of the /etc/mtab file via multiple invocations.",
"scorev2": "3.3",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1676"
},
{
"id": "CVE-2011-1677",
"summary": "mount in util-linux 2.19 and earlier does not remove the /etc/mtab~ lock file after a failed attempt to add a mount entry, which has unspecified impact and local attack vectors.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1677"
},
{
"id": "CVE-2013-0157",
"summary": "(a) mount and (b) umount in util-linux 2.14.1, 2.17.2, and probably other versions allow local users to determine the existence of restricted directories by (1) using the --guess-fstype command-line option or (2) attempting to mount a non-existent device, which generates different error messages depending on whether the directory exists.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0157"
},
{
"id": "CVE-2014-9114",
"summary": "Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9114"
},
{
"id": "CVE-2015-5218",
"summary": "Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5218"
},
{
"id": "CVE-2015-5224",
"summary": "The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5224"
},
{
"id": "CVE-2016-2779",
"summary": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2779"
},
{
"id": "CVE-2016-5011",
"summary": "The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.",
"scorev2": "4.9",
"scorev3": "4.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5011"
},
{
"id": "CVE-2017-2616",
"summary": "A race condition was found in util-linux before 2.32.1 in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions.",
"scorev2": "4.7",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2616"
},
{
"id": "CVE-2018-7738",
"summary": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.",
"scorev2": "7.2",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7738"
},
{
"id": "CVE-2020-21583",
"summary": "An issue was discovered in hwclock.13-v2.27 allows attackers to gain escalated privlidges or execute arbitrary commands via the path parameter when setting the date.",
"scorev2": "0.0",
"scorev3": "6.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-21583"
},
{
"id": "CVE-2021-37600",
"summary": "An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments.",
"scorev2": "1.2",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37600"
},
{
"id": "CVE-2021-3995",
"summary": "A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows an unprivileged local attacker to unmount FUSE filesystems that belong to certain other users who have a UID that is a prefix of the UID of the attacker in its string form. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3995"
},
{
"id": "CVE-2021-3996",
"summary": "A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users' filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3996"
},
{
"id": "CVE-2022-0563",
"summary": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.",
"scorev2": "1.9",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0563"
}
]
},
{
"name": "util-macros",
"layer": "meta",
"version": "1_1.20.0",
"products": [
{
"product": "util-macros",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "util-macros-native",
"layer": "meta",
"version": "1_1.20.0",
"products": [
{
"product": "util-macros",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "v4l-utils",
"layer": "meta-oe",
"version": "1.26.1+git",
"products": [
{
"product": "v4l-utils",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "vala",
"layer": "meta",
"version": "0.56.15",
"products": [
{
"product": "vala",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2014-8154",
"summary": "The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8154"
}
]
},
{
"name": "vala-native",
"layer": "meta",
"version": "0.56.15",
"products": [
{
"product": "vala",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2014-8154",
"summary": "The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overflow.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8154"
}
]
},
{
"name": "vim",
"layer": "meta",
"version": "9.1.0114",
"products": [
{
"product": "vim",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2001-0408",
"summary": "vim (aka gvim) processes VIM control codes that are embedded in a file, which could allow attackers to execute arbitrary commands when another user opens a file containing malicious VIM control codes.",
"scorev2": "5.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0408"
},
{
"id": "CVE-2001-0409",
"summary": "vim (aka gvim) allows local users to modify files being edited by other users via a symlink attack on the backup and swap files, when the victim is editing the file in a world writable directory.",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0409"
},
{
"id": "CVE-2002-1377",
"summary": "vim 6.0 and 6.1, and possibly other versions, allows attackers to execute arbitrary commands using the libcall feature in modelines, which are not sandboxed but may be executed when vim is used to edit a malicious file, as demonstrated using mutt.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1377"
},
{
"id": "CVE-2004-1138",
"summary": "VIM before 6.3 and gVim before 6.3 allow local users to execute arbitrary commands via a file containing a crafted modeline that is executed when the file is viewed using options such as (1) termcap, (2) printdevice, (3) titleold, (4) filetype, (5) syntax, (6) backupext, (7) keymap, (8) patchmode, or (9) langmenu.",
"scorev2": "7.2",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1138"
},
{
"id": "CVE-2005-0069",
"summary": "The (1) tcltags or (2) vimspell.sh scripts in vim 6.3 allow local users to overwrite or create arbitrary files via a symlink attack on temporary files.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0069"
},
{
"id": "CVE-2005-2368",
"summary": "vim 6.3 before 6.3.082, with modelines enabled, allows external user-assisted attackers to execute arbitrary commands via shell metacharacters in the (1) glob or (2) expand commands of a foldexpr expression for calculating fold levels.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2368"
},
{
"id": "CVE-2007-2438",
"summary": "The sandbox for vim allows dangerous functions such as (1) writefile, (2) feedkeys, and (3) system, which might allow user-assisted attackers to execute shell commands and write files via modelines.",
"scorev2": "7.6",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2438"
},
{
"id": "CVE-2007-2953",
"summary": "Format string vulnerability in the helptags_one function in src/ex_cmds.c in Vim 6.4 and earlier, and 7.x up to 7.1, allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a help-tags tag in a help file, related to the helptags command.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2953"
},
{
"id": "CVE-2008-2712",
"summary": "Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2712"
},
{
"id": "CVE-2008-3074",
"summary": "The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the \"!\" (exclamation point) shell metacharacter in (1) the filename of a tar archive and possibly (2) the filename of the first file in a tar archive, which is not properly handled by the VIM TAR plugin (tar.vim) v.10 through v.22, as demonstrated by the shellescape, tarplugin.v2, tarplugin, and tarplugin.updated test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3075. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3074"
},
{
"id": "CVE-2008-3075",
"summary": "The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the \"!\" (exclamation point) shell metacharacter in (1) the filename of a ZIP archive and possibly (2) the filename of the first file in a ZIP archive, which is not properly handled by zip.vim in the VIM ZIP plugin (zipPlugin.vim) v.11 through v.21, as demonstrated by the zipplugin and zipplugin.v2 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3074. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3075"
},
{
"id": "CVE-2008-3076",
"summary": "The Netrw plugin 125 in netrw.vim in Vim 7.2a.10 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames used by the execute and system functions within the (1) mz and (2) mc commands, as demonstrated by the netrw.v2 and netrw.v3 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3076"
},
{
"id": "CVE-2008-3294",
"summary": "src/configure.in in Vim 5.0 through 7.1, when used for a build with Python support, does not ensure that the Makefile-conf temporary file has the intended ownership and permissions, which allows local users to execute arbitrary code by modifying this file during a time window, or by creating it ahead of time with permissions that prevent its modification by configure.",
"scorev2": "3.7",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3294"
},
{
"id": "CVE-2008-3432",
"summary": "Heap-based buffer overflow in the mch_expand_wildcards function in os_unix.c in Vim 6.2 and 6.3 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames, as demonstrated by the netrw.v3 test case.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3432"
},
{
"id": "CVE-2008-4101",
"summary": "Vim 3.0 through 7.x before 7.2.010 does not properly escape characters, which allows user-assisted attackers to (1) execute arbitrary shell commands by entering a K keystroke on a line that contains a \";\" (semicolon) followed by a command, or execute arbitrary Ex commands by entering an argument after a (2) \"Ctrl-]\" (control close-square-bracket) or (3) \"g]\" (g close-square-bracket) keystroke sequence, a different issue than CVE-2008-2712.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4101"
},
{
"id": "CVE-2008-6235",
"summary": "The Netrw plugin (netrw.vim) in Vim 7.0 and 7.1 allows user-assisted attackers to execute arbitrary commands via shell metacharacters in a filename used by the (1) \"D\" (delete) command or (2) b:netrw_curdir variable, as demonstrated using the netrw.v4 and netrw.v5 test cases.",
"scorev2": "9.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2008-6235"
},
{
"id": "CVE-2009-0316",
"summary": "Untrusted search path vulnerability in src/if_python.c in the Python interface in Vim before 7.2.045 allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983), as demonstrated by an erroneous search path for plugin/bike.vim in bicyclerepair.",
"scorev2": "6.9",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0316"
},
{
"id": "CVE-2016-1248",
"summary": "vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1248"
},
{
"id": "CVE-2017-1000382",
"summary": "VIM version 8.0.1187 (and other versions most likely) ignores umask when creating a swap file (\"[ORIGINAL_FILENAME].swp\") resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the vi binary.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000382"
},
{
"id": "CVE-2017-11109",
"summary": "Vim 8.0 allows attackers to cause a denial of service (invalid free) or possibly have unspecified other impact via a crafted source (aka -S) file. NOTE: there might be a limited number of scenarios in which this has security relevance.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11109"
},
{
"id": "CVE-2017-17087",
"summary": "fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17087"
},
{
"id": "CVE-2017-5953",
"summary": "vim before patch 8.0.0322 does not properly validate values for tree length when handling a spell file, which may result in an integer overflow at a memory allocation site and a resultant buffer overflow.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5953"
},
{
"id": "CVE-2017-6349",
"summary": "An integer overflow at a u_read_undo memory allocation site would occur for vim before patch 8.0.0377, if it does not properly validate values for tree length when reading a corrupted undo file, which may lead to resultant buffer overflows.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6349"
},
{
"id": "CVE-2017-6350",
"summary": "An integer overflow at an unserialize_uep memory allocation site would occur for vim before patch 8.0.0378, if it does not properly validate values for tree length when reading a corrupted undo file, which may lead to resultant buffer overflows.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6350"
},
{
"id": "CVE-2019-12735",
"summary": "getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.",
"scorev2": "9.3",
"scorev3": "8.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12735"
},
{
"id": "CVE-2019-14957",
"summary": "The JetBrains Vim plugin before version 0.52 was storing individual project data in the global vim_settings.xml file. This xml file could be synchronized to a publicly accessible GitHub repository.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14957"
},
{
"id": "CVE-2019-20079",
"summary": "The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20079"
},
{
"id": "CVE-2019-20807",
"summary": "In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).",
"scorev2": "4.6",
"scorev3": "5.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20807"
},
{
"id": "CVE-2020-20703",
"summary": "Buffer Overflow vulnerability in VIM v.8.1.2135 allows a remote attacker to execute arbitrary code via the operand parameter.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-20703"
},
{
"id": "CVE-2021-28832",
"summary": "VSCodeVim before 1.19.0 allows attackers to execute arbitrary code via a crafted workspace configuration.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28832"
},
{
"id": "CVE-2021-3236",
"summary": "vim 8.2.2348 is affected by null pointer dereference, allows local attackers to cause a denial of service (DoS) via the ex_buffer_all method.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3236"
},
{
"id": "CVE-2021-3770",
"summary": "vim is vulnerable to Heap-based Buffer Overflow",
"scorev2": "4.6",
"scorev3": "8.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3770"
},
{
"id": "CVE-2021-3778",
"summary": "vim is vulnerable to Heap-based Buffer Overflow",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3778"
},
{
"id": "CVE-2021-3796",
"summary": "vim is vulnerable to Use After Free",
"scorev2": "6.8",
"scorev3": "8.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3796"
},
{
"id": "CVE-2021-3872",
"summary": "vim is vulnerable to Heap-based Buffer Overflow",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3872"
},
{
"id": "CVE-2021-3875",
"summary": "vim is vulnerable to Heap-based Buffer Overflow",
"scorev2": "4.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3875"
},
{
"id": "CVE-2021-3903",
"summary": "vim is vulnerable to Heap-based Buffer Overflow",
"scorev2": "4.6",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3903"
},
{
"id": "CVE-2021-3927",
"summary": "vim is vulnerable to Heap-based Buffer Overflow",
"scorev2": "6.8",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3927"
},
{
"id": "CVE-2021-3928",
"summary": "vim is vulnerable to Use of Uninitialized Variable",
"scorev2": "4.6",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3928"
},
{
"id": "CVE-2021-3968",
"summary": "vim is vulnerable to Heap-based Buffer Overflow",
"scorev2": "8.5",
"scorev3": "8.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3968"
},
{
"id": "CVE-2021-3973",
"summary": "vim is vulnerable to Heap-based Buffer Overflow",
"scorev2": "9.3",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3973"
},
{
"id": "CVE-2021-3974",
"summary": "vim is vulnerable to Use After Free",
"scorev2": "6.8",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3974"
},
{
"id": "CVE-2021-3984",
"summary": "vim is vulnerable to Heap-based Buffer Overflow",
"scorev2": "6.8",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3984"
},
{
"id": "CVE-2021-4019",
"summary": "vim is vulnerable to Heap-based Buffer Overflow",
"scorev2": "6.8",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4019"
},
{
"id": "CVE-2021-4069",
"summary": "vim is vulnerable to Use After Free",
"scorev2": "6.8",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4069"
},
{
"id": "CVE-2021-4136",
"summary": "vim is vulnerable to Heap-based Buffer Overflow",
"scorev2": "6.8",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4136"
},
{
"id": "CVE-2021-4166",
"summary": "vim is vulnerable to Out-of-bounds Read",
"scorev2": "5.8",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4166"
},
{
"id": "CVE-2021-4173",
"summary": "vim is vulnerable to Use After Free",
"scorev2": "6.8",
"scorev3": "6.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4173"
},
{
"id": "CVE-2021-4187",
"summary": "vim is vulnerable to Use After Free",
"scorev2": "6.8",
"scorev3": "6.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4187"
},
{
"id": "CVE-2021-4192",
"summary": "vim is vulnerable to Use After Free",
"scorev2": "6.8",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4192"
},
{
"id": "CVE-2021-4193",
"summary": "vim is vulnerable to Out-of-bounds Read",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4193"
},
{
"id": "CVE-2022-0128",
"summary": "vim is vulnerable to Out-of-bounds Read",
"scorev2": "6.8",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0128"
},
{
"id": "CVE-2022-0156",
"summary": "vim is vulnerable to Use After Free",
"scorev2": "4.3",
"scorev3": "6.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0156"
},
{
"id": "CVE-2022-0158",
"summary": "vim is vulnerable to Heap-based Buffer Overflow",
"scorev2": "4.3",
"scorev3": "6.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0158"
},
{
"id": "CVE-2022-0213",
"summary": "vim is vulnerable to Heap-based Buffer Overflow",
"scorev2": "6.8",
"scorev3": "6.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0213"
},
{
"id": "CVE-2022-0261",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0261"
},
{
"id": "CVE-2022-0318",
"summary": "Heap-based Buffer Overflow in vim/vim prior to 8.2.",
"scorev2": "7.5",
"scorev3": "6.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0318"
},
{
"id": "CVE-2022-0319",
"summary": "Out-of-bounds Read in vim/vim prior to 8.2.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0319"
},
{
"id": "CVE-2022-0351",
"summary": "Access of Memory Location Before Start of Buffer in GitHub repository vim/vim prior to 8.2.",
"scorev2": "4.6",
"scorev3": "8.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0351"
},
{
"id": "CVE-2022-0359",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0359"
},
{
"id": "CVE-2022-0361",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "8.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0361"
},
{
"id": "CVE-2022-0368",
"summary": "Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0368"
},
{
"id": "CVE-2022-0392",
"summary": "Heap-based Buffer Overflow in GitHub repository vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0392"
},
{
"id": "CVE-2022-0393",
"summary": "Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.",
"scorev2": "5.8",
"scorev3": "8.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0393"
},
{
"id": "CVE-2022-0407",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "5.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0407"
},
{
"id": "CVE-2022-0408",
"summary": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "8.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0408"
},
{
"id": "CVE-2022-0413",
"summary": "Use After Free in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "8.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0413"
},
{
"id": "CVE-2022-0417",
"summary": "Heap-based Buffer Overflow GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "8.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0417"
},
{
"id": "CVE-2022-0443",
"summary": "Use After Free in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "8.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0443"
},
{
"id": "CVE-2022-0554",
"summary": "Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "8.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0554"
},
{
"id": "CVE-2022-0572",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "8.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0572"
},
{
"id": "CVE-2022-0629",
"summary": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "8.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0629"
},
{
"id": "CVE-2022-0685",
"summary": "Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4418.",
"scorev2": "6.8",
"scorev3": "8.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0685"
},
{
"id": "CVE-2022-0696",
"summary": "NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.4428.",
"scorev2": "4.3",
"scorev3": "6.2",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0696"
},
{
"id": "CVE-2022-0714",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4436.",
"scorev2": "4.3",
"scorev3": "8.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0714"
},
{
"id": "CVE-2022-0729",
"summary": "Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440.",
"scorev2": "6.5",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0729"
},
{
"id": "CVE-2022-0943",
"summary": "Heap-based Buffer Overflow occurs in vim in GitHub repository vim/vim prior to 8.2.4563.",
"scorev2": "4.6",
"scorev3": "8.4",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0943"
},
{
"id": "CVE-2022-1154",
"summary": "Use after free in utf_ptr2char in GitHub repository vim/vim prior to 8.2.4646.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1154"
},
{
"id": "CVE-2022-1160",
"summary": "heap buffer overflow in get_one_sourceline in GitHub repository vim/vim prior to 8.2.4647.",
"scorev2": "6.8",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1160"
},
{
"id": "CVE-2022-1381",
"summary": "global heap buffer overflow in skip_range in GitHub repository vim/vim prior to 8.2.4763. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1381"
},
{
"id": "CVE-2022-1420",
"summary": "Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4774.",
"scorev2": "4.3",
"scorev3": "6.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1420"
},
{
"id": "CVE-2022-1616",
"summary": "Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution",
"scorev2": "6.8",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1616"
},
{
"id": "CVE-2022-1619",
"summary": "Heap-based Buffer Overflow in function cmdline_erase_chars in GitHub repository vim/vim prior to 8.2.4899. This vulnerabilities are capable of crashing software, modify memory, and possible remote execution",
"scorev2": "6.8",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1619"
},
{
"id": "CVE-2022-1620",
"summary": "NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.",
"scorev2": "5.0",
"scorev3": "6.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1620"
},
{
"id": "CVE-2022-1621",
"summary": "Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution",
"scorev2": "6.8",
"scorev3": "7.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1621"
},
{
"id": "CVE-2022-1629",
"summary": "Buffer Over-read in function find_next_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution",
"scorev2": "6.8",
"scorev3": "6.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1629"
},
{
"id": "CVE-2022-1674",
"summary": "NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 in GitHub repository vim/vim prior to 8.2.4938. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 allows attackers to cause a denial of service (application crash) via a crafted input.",
"scorev2": "4.3",
"scorev3": "6.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1674"
},
{
"id": "CVE-2022-1720",
"summary": "Buffer Over-read in function grab_file_name in GitHub repository vim/vim prior to 8.2.4956. This vulnerability is capable of crashing the software, memory modification, and possible remote execution.",
"scorev2": "6.8",
"scorev3": "6.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1720"
},
{
"id": "CVE-2022-1725",
"summary": "NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.4959.",
"scorev2": "0.0",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1725"
},
{
"id": "CVE-2022-1733",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4968.",
"scorev2": "4.6",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1733"
},
{
"id": "CVE-2022-1735",
"summary": "Classic Buffer Overflow in GitHub repository vim/vim prior to 8.2.4969.",
"scorev2": "6.8",
"scorev3": "6.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1735"
},
{
"id": "CVE-2022-1769",
"summary": "Buffer Over-read in GitHub repository vim/vim prior to 8.2.4974.",
"scorev2": "4.6",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1769"
},
{
"id": "CVE-2022-1771",
"summary": "Uncontrolled Recursion in GitHub repository vim/vim prior to 8.2.4975.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1771"
},
{
"id": "CVE-2022-1785",
"summary": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977.",
"scorev2": "4.6",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1785"
},
{
"id": "CVE-2022-1796",
"summary": "Use After Free in GitHub repository vim/vim prior to 8.2.4979.",
"scorev2": "6.8",
"scorev3": "6.6",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1796"
},
{
"id": "CVE-2022-1851",
"summary": "Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1851"
},
{
"id": "CVE-2022-1886",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1886"
},
{
"id": "CVE-2022-1897",
"summary": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1897"
},
{
"id": "CVE-2022-1898",
"summary": "Use After Free in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1898"
},
{
"id": "CVE-2022-1927",
"summary": "Buffer Over-read in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1927"
},
{
"id": "CVE-2022-1942",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1942"
},
{
"id": "CVE-2022-1968",
"summary": "Use After Free in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1968"
},
{
"id": "CVE-2022-2000",
"summary": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2000"
},
{
"id": "CVE-2022-2042",
"summary": "Use After Free in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.4",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2042"
},
{
"id": "CVE-2022-2124",
"summary": "Buffer Over-read in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2124"
},
{
"id": "CVE-2022-2125",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2125"
},
{
"id": "CVE-2022-2126",
"summary": "Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2126"
},
{
"id": "CVE-2022-2129",
"summary": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2129"
},
{
"id": "CVE-2022-2175",
"summary": "Buffer Over-read in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2175"
},
{
"id": "CVE-2022-2182",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2182"
},
{
"id": "CVE-2022-2183",
"summary": "Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2183"
},
{
"id": "CVE-2022-2206",
"summary": "Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2206"
},
{
"id": "CVE-2022-2207",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2207"
},
{
"id": "CVE-2022-2208",
"summary": "NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.5163.",
"scorev2": "4.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2208"
},
{
"id": "CVE-2022-2210",
"summary": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2210"
},
{
"id": "CVE-2022-2231",
"summary": "NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.",
"scorev2": "4.3",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2231"
},
{
"id": "CVE-2022-2257",
"summary": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2257"
},
{
"id": "CVE-2022-2264",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2264"
},
{
"id": "CVE-2022-2284",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2284"
},
{
"id": "CVE-2022-2285",
"summary": "Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2285"
},
{
"id": "CVE-2022-2286",
"summary": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2286"
},
{
"id": "CVE-2022-2287",
"summary": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.",
"scorev2": "5.8",
"scorev3": "8.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2287"
},
{
"id": "CVE-2022-2288",
"summary": "Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2288"
},
{
"id": "CVE-2022-2289",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2289"
},
{
"id": "CVE-2022-2304",
"summary": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2304"
},
{
"id": "CVE-2022-2343",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0044.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2343"
},
{
"id": "CVE-2022-2344",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2344"
},
{
"id": "CVE-2022-2345",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.0046.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2345"
},
{
"id": "CVE-2022-2522",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0061.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2522"
},
{
"id": "CVE-2022-2571",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0101.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2571"
},
{
"id": "CVE-2022-2580",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0102.",
"scorev2": "0.0",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2580"
},
{
"id": "CVE-2022-2581",
"summary": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0104.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2581"
},
{
"id": "CVE-2022-2598",
"summary": "Out-of-bounds Write to API in GitHub repository vim/vim prior to 9.0.0100.\n\n",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2598"
},
{
"id": "CVE-2022-2816",
"summary": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0212.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2816"
},
{
"id": "CVE-2022-2817",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.0213.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2817"
},
{
"id": "CVE-2022-2819",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0211.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2819"
},
{
"id": "CVE-2022-2845",
"summary": "Improper Validation of Specified Quantity in Input in GitHub repository vim/vim prior to 9.0.0218.\n\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2845"
},
{
"id": "CVE-2022-2849",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0220.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2849"
},
{
"id": "CVE-2022-2862",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.0221.",
"scorev2": "0.0",
"scorev3": "7.6",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2862"
},
{
"id": "CVE-2022-2874",
"summary": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0224.",
"scorev2": "0.0",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2874"
},
{
"id": "CVE-2022-2889",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.0225.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2889"
},
{
"id": "CVE-2022-2923",
"summary": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240.",
"scorev2": "0.0",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2923"
},
{
"id": "CVE-2022-2946",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.0246.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2946"
},
{
"id": "CVE-2022-2980",
"summary": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0259.",
"scorev2": "0.0",
"scorev3": "6.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2980"
},
{
"id": "CVE-2022-2982",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.0260.",
"scorev2": "0.0",
"scorev3": "7.6",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2982"
},
{
"id": "CVE-2022-3016",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.0286.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3016"
},
{
"id": "CVE-2022-3037",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.0322.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3037"
},
{
"id": "CVE-2022-3099",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.0360.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3099"
},
{
"id": "CVE-2022-3134",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.0389.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3134"
},
{
"id": "CVE-2022-3153",
"summary": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404.",
"scorev2": "0.0",
"scorev3": "6.1",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3153"
},
{
"id": "CVE-2022-3234",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3234"
},
{
"id": "CVE-2022-3235",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.0490.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3235"
},
{
"id": "CVE-2022-3256",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.0530.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3256"
},
{
"id": "CVE-2022-3278",
"summary": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0552.",
"scorev2": "0.0",
"scorev3": "6.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3278"
},
{
"id": "CVE-2022-3296",
"summary": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3296"
},
{
"id": "CVE-2022-3297",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.0579.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3297"
},
{
"id": "CVE-2022-3324",
"summary": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3324"
},
{
"id": "CVE-2022-3352",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.0614.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3352"
},
{
"id": "CVE-2022-3491",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0742.",
"scorev2": "0.0",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3491"
},
{
"id": "CVE-2022-3520",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3520"
},
{
"id": "CVE-2022-3591",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.0789.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3591"
},
{
"id": "CVE-2022-3705",
"summary": "A vulnerability was found in vim and classified as problematic. Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3705"
},
{
"id": "CVE-2022-4141",
"summary": "Heap based buffer overflow in vim/vim 9.0.0946 and below by allowing an attacker to CTRL-W gf in the expression used in the RHS of the substitute command.",
"scorev2": "0.0",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4141"
},
{
"id": "CVE-2022-4292",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.0882.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4292"
},
{
"id": "CVE-2022-4293",
"summary": "Floating Point Comparison with Incorrect Operator in GitHub repository vim/vim prior to 9.0.0804.",
"scorev2": "0.0",
"scorev3": "6.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4293"
},
{
"id": "CVE-2022-47024",
"summary": "A null pointer dereference issue was discovered in function gui_x11_create_blank_mouse in gui_x11.c in vim 8.1.2269 thru 9.0.0339 allows attackers to cause denial of service or other unspecified impacts.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47024"
},
{
"id": "CVE-2023-0049",
"summary": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143.",
"scorev2": "0.0",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0049"
},
{
"id": "CVE-2023-0051",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144.",
"scorev2": "0.0",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0051"
},
{
"id": "CVE-2023-0054",
"summary": "Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145.",
"scorev2": "0.0",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0054"
},
{
"id": "CVE-2023-0288",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1189.",
"scorev2": "0.0",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0288"
},
{
"id": "CVE-2023-0433",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0433"
},
{
"id": "CVE-2023-0512",
"summary": "Divide By Zero in GitHub repository vim/vim prior to 9.0.1247.",
"scorev2": "0.0",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0512"
},
{
"id": "CVE-2023-1127",
"summary": "Divide By Zero in GitHub repository vim/vim prior to 9.0.1367.",
"scorev2": "0.0",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1127"
},
{
"id": "CVE-2023-1170",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1376.",
"scorev2": "0.0",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1170"
},
{
"id": "CVE-2023-1175",
"summary": "Incorrect Calculation of Buffer Size in GitHub repository vim/vim prior to 9.0.1378.",
"scorev2": "0.0",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1175"
},
{
"id": "CVE-2023-1264",
"summary": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392.",
"scorev2": "0.0",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1264"
},
{
"id": "CVE-2023-1355",
"summary": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1402.",
"scorev2": "0.0",
"scorev3": "8.4",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1355"
},
{
"id": "CVE-2023-2426",
"summary": "Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499.",
"scorev2": "0.0",
"scorev3": "6.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2426"
},
{
"id": "CVE-2023-2609",
"summary": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1531.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2609"
},
{
"id": "CVE-2023-2610",
"summary": "Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2610"
},
{
"id": "CVE-2023-3896",
"summary": "Divide By Zero in vim/vim from\u00a09.0.1367-1 to\u00a09.0.1367-3\n",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3896"
},
{
"id": "CVE-2023-46246",
"summary": "Vim is an improved version of the good old UNIX editor Vi. Heap-use-after-free in memory allocated in the function `ga_grow_inner` in in the file `src/alloc.c` at line 748, which is freed in the file `src/ex_docmd.c` in the function `do_cmdline` at line 1010 and then used again in `src/cmdhist.c` at line 759. When using the `:history` command, it's possible that the provided argument overflows the accepted value. Causing an Integer Overflow and potentially later an use-after-free. This vulnerability has been patched in version 9.0.2068.\n",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-46246"
},
{
"id": "CVE-2023-4733",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.1840.",
"scorev2": "0.0",
"scorev3": "7.3",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4733"
},
{
"id": "CVE-2023-4734",
"summary": "Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4734"
},
{
"id": "CVE-2023-4735",
"summary": "Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847.",
"scorev2": "0.0",
"scorev3": "4.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4735"
},
{
"id": "CVE-2023-4736",
"summary": "Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4736"
},
{
"id": "CVE-2023-4738",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4738"
},
{
"id": "CVE-2023-4750",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.1857.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4750"
},
{
"id": "CVE-2023-4751",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1331.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4751"
},
{
"id": "CVE-2023-4752",
"summary": "Use After Free in GitHub repository vim/vim prior to 9.0.1858.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4752"
},
{
"id": "CVE-2023-4781",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4781"
},
{
"id": "CVE-2023-48231",
"summary": "Vim is an open source command line text editor. When closing a window, vim may try to access already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit `25aabc2b` which has been included in release version 9.0.2106. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
"scorev2": "0.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-48231"
},
{
"id": "CVE-2023-48232",
"summary": "Vim is an open source command line text editor. A floating point exception may occur when calculating the line offset for overlong lines and smooth scrolling is enabled and the cpo-settings include the 'n' flag. This may happen when a window border is present and when the wrapped line continues on the next physical line directly in the window border because the 'cpo' setting includes the 'n' flag. Only users with non-default settings are affected and the exception should only result in a crash. This issue has been addressed in commit `cb0b99f0` which has been included in release version 9.0.2107. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
"scorev2": "0.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-48232"
},
{
"id": "CVE-2023-48233",
"summary": "Vim is an open source command line text editor. If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `ac6378773` which has been included in release version 9.0.2108. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
"scorev2": "0.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-48233"
},
{
"id": "CVE-2023-48234",
"summary": "Vim is an open source command line text editor. When getting the count for a normal mode z command, it may overflow for large counts given. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `58f9befca1` which has been included in release version 9.0.2109. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
"scorev2": "0.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-48234"
},
{
"id": "CVE-2023-48235",
"summary": "Vim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an\noverflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `060623e` which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
"scorev2": "0.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-48235"
},
{
"id": "CVE-2023-48236",
"summary": "Vim is an open source command line text editor. When using the z= command, the user may overflow the count with values larger\nthan MAX_INT. Impact is low, user interaction is required and a crash may not even happen in all situations. This vulnerability has been addressed in commit `73b2d379` which has been included in release version 9.0.2111. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
"scorev2": "0.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-48236"
},
{
"id": "CVE-2023-48237",
"summary": "Vim is an open source command line text editor. In affected versions when shifting lines in operator pending mode and using a very large value, it may be possible to overflow the size of integer. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `6bf131888` which has been included in version 9.0.2112. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
"scorev2": "0.0",
"scorev3": "4.3",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-48237"
},
{
"id": "CVE-2023-48706",
"summary": "Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.",
"scorev2": "0.0",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-48706"
},
{
"id": "CVE-2023-5344",
"summary": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969.",
"scorev2": "0.0",
"scorev3": "4.0",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5344"
},
{
"id": "CVE-2023-5441",
"summary": "NULL Pointer Dereference in GitHub repository vim/vim prior to 20d161ace307e28690229b68584f2d84556f8960.",
"scorev2": "0.0",
"scorev3": "6.2",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5441"
},
{
"id": "CVE-2023-5535",
"summary": "Use After Free in GitHub repository vim/vim prior to v9.0.2010.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5535"
},
{
"id": "CVE-2024-22667",
"summary": "Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-22667"
}
]
},
{
"name": "volatile-binds",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "volatile-binds",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "volume-key",
"layer": "meta-oe",
"version": "0.3.12",
"products": [
{
"product": "volume-key",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "vss-agl",
"layer": "meta-agl-demo",
"version": "4.2",
"products": [
{
"product": "vss-agl",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "vss-tools-native",
"layer": "meta-agl-kuksa-val",
"version": "4.2",
"products": [
{
"product": "vss-tools",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "wavpack",
"layer": "meta-oe",
"version": "5.6.0",
"products": [
{
"product": "wavpack",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2016-10169",
"summary": "The read_code function in read_words.c in Wavpack before 5.1.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WV file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10169"
},
{
"id": "CVE-2016-10170",
"summary": "The WriteCaffHeader function in cli/caff.c in Wavpack before 5.1.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WV file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10170"
},
{
"id": "CVE-2016-10171",
"summary": "The unreorder_channels function in cli/wvunpack.c in Wavpack before 5.1.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WV file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10171"
},
{
"id": "CVE-2016-10172",
"summary": "The read_new_config_info function in open_utils.c in Wavpack before 5.1.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WV file.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10172"
},
{
"id": "CVE-2018-10536",
"summary": "An issue was discovered in WavPack 5.1.0 and earlier. The WAV parser component contains a vulnerability that allows writing to memory because ParseRiffHeaderConfig in riff.c does not reject multiple format chunks.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10536"
},
{
"id": "CVE-2018-10537",
"summary": "An issue was discovered in WavPack 5.1.0 and earlier. The W64 parser component contains a vulnerability that allows writing to memory because ParseWave64HeaderConfig in wave64.c does not reject multiple format chunks.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10537"
},
{
"id": "CVE-2018-10538",
"summary": "An issue was discovered in WavPack 5.1.0 and earlier for WAV input. Out-of-bounds writes can occur because ParseRiffHeaderConfig in riff.c does not validate the sizes of unknown chunks before attempting memory allocation, related to a lack of integer-overflow protection within a bytes_to_copy calculation and subsequent malloc call, leading to insufficient memory allocation.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10538"
},
{
"id": "CVE-2018-10539",
"summary": "An issue was discovered in WavPack 5.1.0 and earlier for DSDiff input. Out-of-bounds writes can occur because ParseDsdiffHeaderConfig in dsdiff.c does not validate the sizes of unknown chunks before attempting memory allocation, related to a lack of integer-overflow protection within a bytes_to_copy calculation and subsequent malloc call, leading to insufficient memory allocation.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10539"
},
{
"id": "CVE-2018-10540",
"summary": "An issue was discovered in WavPack 5.1.0 and earlier for W64 input. Out-of-bounds writes can occur because ParseWave64HeaderConfig in wave64.c does not validate the sizes of unknown chunks before attempting memory allocation, related to a lack of integer-overflow protection within a bytes_to_copy calculation and subsequent malloc call, leading to insufficient memory allocation.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10540"
},
{
"id": "CVE-2018-19840",
"summary": "The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (resource exhaustion caused by an infinite loop) via a crafted wav audio file because WavpackSetConfiguration64 mishandles a sample rate of zero.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19840"
},
{
"id": "CVE-2018-19841",
"summary": "The function WavpackVerifySingleBlock in open_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (out-of-bounds read and application crash) via a crafted WavPack Lossless Audio file, as demonstrated by wvunpack.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19841"
},
{
"id": "CVE-2018-6767",
"summary": "A stack-based buffer over-read in the ParseRiffHeaderConfig function of cli/riff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service attack or possibly have unspecified other impact via a maliciously crafted RF64 file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6767"
},
{
"id": "CVE-2018-7253",
"summary": "The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (heap-based buffer over-read) or possibly overwrite the heap via a maliciously crafted DSDIFF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7253"
},
{
"id": "CVE-2018-7254",
"summary": "The ParseCaffHeaderConfig function of the cli/caff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (global buffer over-read), or possibly trigger a buffer overflow or incorrect memory allocation, via a maliciously crafted CAF file.",
"scorev2": "6.8",
"scorev3": "7.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7254"
},
{
"id": "CVE-2019-1010315",
"summary": "WavPack 5.1 and earlier is affected by: CWE 369: Divide by Zero. The impact is: Divide by zero can lead to sudden crash of a software/service that tries to parse a .wav file. The component is: ParseDsdiffHeaderConfig (dsdiff.c:282). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010315"
},
{
"id": "CVE-2019-1010317",
"summary": "WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010317"
},
{
"id": "CVE-2019-1010319",
"summary": "WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseWave64HeaderConfig (wave64.c:211). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010319"
},
{
"id": "CVE-2019-11498",
"summary": "WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack through 5.1.0 has a \"Conditional jump or move depends on uninitialised value\" condition, which might allow attackers to cause a denial of service (application crash) via a DFF file that lacks valid sample-rate data.",
"scorev2": "4.3",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11498"
},
{
"id": "CVE-2020-35738",
"summary": "WavPack 5.3.0 has an out-of-bounds write in WavpackPackSamples in pack_utils.c because of an integer overflow in a malloc argument. NOTE: some third-parties claim that there are later \"unofficial\" releases through 5.3.2, which are also affected.",
"scorev2": "5.8",
"scorev3": "6.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35738"
},
{
"id": "CVE-2021-44269",
"summary": "An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This issue triggered in function WavpackPackSamples of file src/pack_utils.c, tainted variable cnt is too large, that makes pointer sptr read beyond heap bound.",
"scorev2": "4.3",
"scorev3": "5.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-44269"
},
{
"id": "CVE-2022-2476",
"summary": "A null pointer dereference bug was found in wavpack-5.4.0 The results from the ASAN log: AddressSanitizer:DEADLYSIGNAL ===================================================================84257==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x561b47a970c6 bp 0x7fff13952fb0 sp 0x7fff1394fca0 T0) ==84257==The signal is caused by a WRITE memory access. ==84257==Hint: address points to the zero page. #0 0x561b47a970c5 in main cli/wvunpack.c:834 #1 0x7efc4f5c0082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) #2 0x561b47a945ed in _start (/usr/local/bin/wvunpack+0xa5ed) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV cli/wvunpack.c:834 in main ==84257==ABORTING",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2476"
}
]
},
{
"name": "wayland",
"layer": "meta",
"version": "1.22.0",
"products": [
{
"product": "wayland",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2021-3782",
"summary": "An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time.",
"scorev2": "0.0",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3782"
}
]
},
{
"name": "wayland-native",
"layer": "meta",
"version": "1.22.0",
"products": [
{
"product": "wayland",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2021-3782",
"summary": "An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time.",
"scorev2": "0.0",
"scorev3": "6.6",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3782"
}
]
},
{
"name": "wayland-protocols",
"layer": "meta",
"version": "1.33",
"products": [
{
"product": "wayland-protocols",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "weston",
"layer": "meta",
"version": "13.0.0",
"products": [
{
"product": "weston",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "weston-ini-conf",
"layer": "meta-agl-core",
"version": "1.0",
"products": [
{
"product": "weston-ini-conf",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "weston-init",
"layer": "meta",
"version": "1.0",
"products": [
{
"product": "weston-init",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "weston-terminal-conf",
"layer": "meta-agl-demo",
"version": "1.0",
"products": [
{
"product": "weston-terminal-conf",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "which",
"layer": "meta",
"version": "2.21",
"products": [
{
"product": "which",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "window-management-client-grpc",
"layer": "meta-agl-demo",
"version": "2.0+git",
"products": [
{
"product": "window-management-client-grpc",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "wireless-regdb",
"layer": "meta",
"version": "2024.01.23",
"products": [
{
"product": "wireless-regdb",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "wireplumber",
"layer": "meta-pipewire",
"version": "0.4.17",
"products": [
{
"product": "wireplumber",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "wireplumber-config-agl",
"layer": "meta-pipewire",
"version": "git",
"products": [
{
"product": "wireplumber-config-agl",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "wireplumber-policy-config-agl",
"layer": "meta-pipewire",
"version": "git",
"products": [
{
"product": "wireplumber-policy-config-agl",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "wpa-supplicant",
"layer": "meta",
"version": "2.10",
"products": [
{
"product": "wpa_supplicant",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2005-0470",
"summary": "Buffer overflow in wpa_supplicant before 0.2.7 allows remote attackers to cause a denial of service (segmentation fault) via invalid EAPOL-Key packet data.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0470"
},
{
"id": "CVE-2007-6025",
"summary": "Stack-based buffer overflow in driver_wext.c in wpa_supplicant 0.6.0 and earlier allows remote attackers to cause a denial of service (crash) via crafted TSF data.",
"scorev2": "7.1",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6025"
},
{
"id": "CVE-2014-3686",
"summary": "wpa_supplicant and hostapd 0.7.2 through 2.2, when running with certain configurations and using wpa_cli or hostapd_cli with action scripts, allows remote attackers to execute arbitrary commands via a crafted frame.",
"scorev2": "6.8",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3686"
},
{
"id": "CVE-2015-0210",
"summary": "wpa_supplicant 2.0-16 does not properly check certificate subject name, which allows remote attackers to cause a man-in-the-middle attack.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0210"
},
{
"id": "CVE-2015-1863",
"summary": "Heap-based buffer overflow in wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (crash), read memory, or possibly execute arbitrary code via crafted SSID information in a management frame when creating or updating P2P entries.",
"scorev2": "5.8",
"scorev3": "0.0",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1863"
},
{
"id": "CVE-2015-4141",
"summary": "The WPS UPnP function in hostapd, when using WPS AP, and wpa_supplicant, when using WPS external registrar (ER), 0.7.0 through 2.4 allows remote attackers to cause a denial of service (crash) via a negative chunk length, which triggers an out-of-bounds read or heap-based buffer overflow.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4141"
},
{
"id": "CVE-2015-4142",
"summary": "Integer underflow in the WMM Action frame parser in hostapd 0.5.5 through 2.4 and wpa_supplicant 0.7.0 through 2.4, when used for AP mode MLME/SME functionality, allows remote attackers to cause a denial of service (crash) via a crafted frame, which triggers an out-of-bounds read.",
"scorev2": "4.3",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4142"
},
{
"id": "CVE-2015-4143",
"summary": "The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted (1) Commit or (2) Confirm message payload.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4143"
},
{
"id": "CVE-2015-4144",
"summary": "The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate that a message is long enough to contain the Total-Length field, which allows remote attackers to cause a denial of service (crash) via a crafted message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4144"
},
{
"id": "CVE-2015-4145",
"summary": "The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate a fragment is already being processed, which allows remote attackers to cause a denial of service (memory leak) via a crafted message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4145"
},
{
"id": "CVE-2015-4146",
"summary": "The EAP-pwd peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not clear the L (Length) and M (More) flags before determining if a response should be fragmented, which allows remote attackers to cause a denial of service (crash) via a crafted message.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4146"
},
{
"id": "CVE-2015-5314",
"summary": "The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when used with (1) an internal EAP server or (2) a RADIUS server and EAP-pwd is enabled in a runtime configuration, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5314"
},
{
"id": "CVE-2015-5315",
"summary": "The eap_pwd_process function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when EAP-pwd is enabled in a network configuration profile, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5315"
},
{
"id": "CVE-2015-5316",
"summary": "The eap_pwd_perform_confirm_exchange function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before 2.6, when EAP-pwd is enabled in a network configuration profile, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an EAP-pwd Confirm message followed by the Identity exchange.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5316"
},
{
"id": "CVE-2015-8041",
"summary": "Multiple integer overflows in the NDEF record parser in hostapd before 2.5 and wpa_supplicant before 2.5 allow remote attackers to cause a denial of service (process crash or infinite loop) via a large payload length field value in an (1) WPS or (2) P2P NFC NDEF record, which triggers an out-of-bounds read.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8041"
},
{
"id": "CVE-2016-4476",
"summary": "hostapd 0.6.7 through 2.5 and wpa_supplicant 0.6.7 through 2.5 do not reject \\n and \\r characters in passphrase parameters, which allows remote attackers to cause a denial of service (daemon outage) via a crafted WPS operation.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4476"
},
{
"id": "CVE-2017-13077",
"summary": "Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the four-way handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.",
"scorev2": "5.4",
"scorev3": "6.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13077"
},
{
"id": "CVE-2017-13078",
"summary": "Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients.",
"scorev2": "2.9",
"scorev3": "5.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13078"
},
{
"id": "CVE-2017-13079",
"summary": "Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients.",
"scorev2": "2.9",
"scorev3": "5.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13079"
},
{
"id": "CVE-2017-13080",
"summary": "Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients.",
"scorev2": "2.9",
"scorev3": "5.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13080"
},
{
"id": "CVE-2017-13081",
"summary": "Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients.",
"scorev2": "2.9",
"scorev3": "5.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13081"
},
{
"id": "CVE-2017-13082",
"summary": "Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11r allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the fast BSS transmission (FT) handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.",
"scorev2": "5.8",
"scorev3": "8.1",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13082"
},
{
"id": "CVE-2017-13084",
"summary": "Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Station-To-Station-Link (STSL) Transient Key (STK) during the PeerKey handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.",
"scorev2": "5.4",
"scorev3": "6.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13084"
},
{
"id": "CVE-2017-13086",
"summary": "Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tunneled Direct-Link Setup (TDLS) Peer Key (TPK) during the TDLS handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.",
"scorev2": "5.4",
"scorev3": "6.8",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13086"
},
{
"id": "CVE-2017-13087",
"summary": "Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Group Temporal Key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients.",
"scorev2": "2.9",
"scorev3": "5.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13087"
},
{
"id": "CVE-2017-13088",
"summary": "Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Integrity Group Temporal Key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients.",
"scorev2": "2.9",
"scorev3": "5.3",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13088"
},
{
"id": "CVE-2018-14526",
"summary": "An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive information.",
"scorev2": "3.3",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14526"
},
{
"id": "CVE-2019-11555",
"summary": "The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL pointer dereference (denial of service). This affects eap_server/eap_server_pwd.c and eap_peer/eap_pwd.c.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11555"
},
{
"id": "CVE-2019-16275",
"summary": "hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication of disconnection in certain situations because source address validation is mishandled. This is a denial of service that should have been prevented by PMF (aka management frame protection). The attacker must send a crafted 802.11 frame from a location that is within the 802.11 communications range.",
"scorev2": "3.3",
"scorev3": "6.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16275"
},
{
"id": "CVE-2019-9494",
"summary": "The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.",
"scorev2": "4.3",
"scorev3": "5.9",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9494"
},
{
"id": "CVE-2019-9495",
"summary": "The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side-channel attacks as a result of cache access patterns. All versions of hostapd and wpa_supplicant with EAP-PWD support are vulnerable. The ability to install and execute applications is necessary for a successful attack. Memory access patterns are visible in a shared cache. Weak passwords may be cracked. Versions of hostapd/wpa_supplicant 2.7 and newer, are not vulnerable to the timing attack described in CVE-2019-9494. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.",
"scorev2": "4.3",
"scorev3": "3.7",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9495"
},
{
"id": "CVE-2019-9496",
"summary": "An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode. All version of hostapd with SAE support are vulnerable. An attacker may force the hostapd process to terminate, performing a denial of service attack. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9496"
},
{
"id": "CVE-2019-9497",
"summary": "The implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit. This vulnerability may allow an attacker to complete EAP-PWD authentication without knowing the password. However, unless the crypto library does not implement additional checks for the EC point, the attacker will not be able to derive the session key or complete the key exchange. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9497"
},
{
"id": "CVE-2019-9498",
"summary": "The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may be able to use invalid scalar/element values to complete authentication, gaining session key and network access without needing or learning the password. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9498"
},
{
"id": "CVE-2019-9499",
"summary": "The implementations of EAP-PWD in wpa_supplicant EAP Peer, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may complete authentication, session key and control of the data connection with a client. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9499"
},
{
"id": "CVE-2021-27803",
"summary": "A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.",
"scorev2": "5.4",
"scorev3": "7.5",
"vector": "ADJACENT_NETWORK",
"vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27803"
},
{
"id": "CVE-2021-30004",
"summary": "In wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c.",
"scorev2": "5.0",
"scorev3": "5.3",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-30004"
},
{
"id": "CVE-2022-23303",
"summary": "The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9494.",
"scorev2": "6.8",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23303"
},
{
"id": "CVE-2022-23304",
"summary": "The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side-channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9495.",
"scorev2": "6.8",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23304"
},
{
"id": "CVE-2023-52160",
"summary": "The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52160"
}
]
},
{
"name": "xcb-proto-native",
"layer": "meta",
"version": "1.16.0",
"products": [
{
"product": "xcb-proto",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "xkeyboard-config",
"layer": "meta",
"version": "2.41",
"products": [
{
"product": "xkeyboard-config",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2012-0064",
"summary": "xkeyboard-config before 2.5 in X.Org before 7.6 enables certain XKB debugging functions by default, which allows physically proximate attackers to bypass an X screen lock via keyboard combinations that break the input grab.",
"scorev2": "4.6",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0064"
}
]
},
{
"name": "xmlsec1",
"layer": "meta-oe",
"version": "1.3.4",
"products": [
{
"product": "xmlsec1",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "xmlto-native",
"layer": "meta",
"version": "0.0.28+0.0.29+git",
"products": [
{
"product": "xmlto",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "xorgproto-native",
"layer": "meta",
"version": "2023.2",
"products": [
{
"product": "xorgproto",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "xtrans-native",
"layer": "meta",
"version": "1_1.5.0",
"products": [
{
"product": "xtrans",
"cvesInRecord": "No"
}
],
"issue": []
},
{
"name": "xz",
"layer": "meta",
"version": "5.4.6",
"products": [
{
"product": "xz",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-4035",
"summary": "scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4035"
},
{
"id": "CVE-2020-22916",
"summary": "An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of \"endless output\" and \"denial of service\" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-22916"
},
{
"id": "CVE-2021-29482",
"summary": "xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29482"
},
{
"id": "CVE-2024-3094",
"summary": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. \r\nThrough a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.",
"scorev2": "0.0",
"scorev3": "10.0",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-3094"
}
]
},
{
"name": "xz-native",
"layer": "meta",
"version": "5.4.6",
"products": [
{
"product": "xz",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2015-4035",
"summary": "scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.",
"scorev2": "4.6",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4035"
},
{
"id": "CVE-2020-22916",
"summary": "An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of \"endless output\" and \"denial of service\" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-22916"
},
{
"id": "CVE-2021-29482",
"summary": "xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29482"
},
{
"id": "CVE-2024-3094",
"summary": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. \r\nThrough a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.",
"scorev2": "0.0",
"scorev3": "10.0",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-3094"
}
]
},
{
"name": "yajl",
"layer": "meta-oe",
"version": "2.1.0",
"products": [
{
"product": "yajl",
"cvesInRecord": "No"
}
],
"issue": [
{
"id": "CVE-2017-16516",
"summary": "In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of service.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16516"
},
{
"id": "CVE-2022-24795",
"summary": "yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-24795"
},
{
"id": "CVE-2023-33460",
"summary": "There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function. which will cause out-of-memory in server and cause crash.",
"scorev2": "0.0",
"scorev3": "6.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33460"
}
]
},
{
"name": "zip",
"layer": "meta",
"version": "3.0",
"products": [
{
"product": "zip",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2004-1010",
"summary": "Buffer overflow in Info-Zip 2.3 and possibly earlier versions, when using recursive folder compression, allows remote attackers to execute arbitrary code via a ZIP file containing a long pathname.",
"scorev2": "10.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1010"
},
{
"id": "CVE-2018-13410",
"summary": "Info-ZIP Zip 3.0, when the -T and -TT command-line options are used, allows attackers to cause a denial of service (invalid free and application crash) or possibly have unspecified other impact because of an off-by-one error. NOTE: it is unclear whether there are realistic scenarios in which an untrusted party controls the -TT value, given that the entire purpose of -TT is execution of arbitrary commands",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13410",
"detail": "disputed",
"description": "Disputed and also Debian doesn't consider a vulnerability"
},
{
"id": "CVE-2018-13684",
"summary": "The mintToken function of a smart contract implementation for ZIP, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13684",
"detail": "cpe-incorrect",
"description": "Not for zip but for smart contract implementation for it"
},
{
"id": "CVE-2023-39135",
"summary": "An issue in Zip Swift v2.1.2 allows attackers to execute a path traversal attack via a crafted zip entry.",
"scorev2": "0.0",
"scorev3": "7.8",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39135"
}
]
},
{
"name": "zlib",
"layer": "meta",
"version": "1.3.1",
"products": [
{
"product": "zlib",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2002-0059",
"summary": "The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \"double free\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0059"
},
{
"id": "CVE-2003-0107",
"summary": "Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0107"
},
{
"id": "CVE-2004-0797",
"summary": "The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash).",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0797"
},
{
"id": "CVE-2005-1849",
"summary": "inftrees.h in zlib 1.2.2 allows remote attackers to cause a denial of service (application crash) via an invalid file that causes a large dynamic tree to be produced.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1849"
},
{
"id": "CVE-2005-2096",
"summary": "zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2096"
},
{
"id": "CVE-2016-9840",
"summary": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9840"
},
{
"id": "CVE-2016-9841",
"summary": "inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9841"
},
{
"id": "CVE-2016-9842",
"summary": "The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9842"
},
{
"id": "CVE-2016-9843",
"summary": "The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9843"
},
{
"id": "CVE-2018-25032",
"summary": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032"
},
{
"id": "CVE-2022-37434",
"summary": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434"
},
{
"id": "CVE-2023-45853",
"summary": "MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-45853",
"detail": "not-applicable-config",
"description": "we don't build minizip"
},
{
"id": "CVE-2023-6992",
"summary": "Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). The issues resulted from improper input validation and heap-based buffer overflow.\nA local attacker could exploit the problem during compression using a crafted malicious file potentially leading to denial of service of the software.\nPatches: The issue has been patched in commit 8352d10 https://github.com/cloudflare/zlib/commit/8352d108c05db1bdc5ac3bdf834dad641694c13c . The upstream repository is not affected.\n",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6992",
"detail": "cpe-incorrect",
"description": "this CVE is for cloudflare zlib"
}
]
},
{
"name": "zlib-native",
"layer": "meta",
"version": "1.3.1",
"products": [
{
"product": "zlib",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2002-0059",
"summary": "The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \"double free\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0059"
},
{
"id": "CVE-2003-0107",
"summary": "Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0107"
},
{
"id": "CVE-2004-0797",
"summary": "The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash).",
"scorev2": "2.1",
"scorev3": "0.0",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0797"
},
{
"id": "CVE-2005-1849",
"summary": "inftrees.h in zlib 1.2.2 allows remote attackers to cause a denial of service (application crash) via an invalid file that causes a large dynamic tree to be produced.",
"scorev2": "5.0",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1849"
},
{
"id": "CVE-2005-2096",
"summary": "zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.",
"scorev2": "7.5",
"scorev3": "0.0",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2096"
},
{
"id": "CVE-2016-9840",
"summary": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9840"
},
{
"id": "CVE-2016-9841",
"summary": "inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9841"
},
{
"id": "CVE-2016-9842",
"summary": "The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.",
"scorev2": "6.8",
"scorev3": "8.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9842"
},
{
"id": "CVE-2016-9843",
"summary": "The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.",
"scorev2": "7.5",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9843"
},
{
"id": "CVE-2018-25032",
"summary": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.",
"scorev2": "5.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032"
},
{
"id": "CVE-2022-37434",
"summary": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434"
},
{
"id": "CVE-2023-45853",
"summary": "MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.",
"scorev2": "0.0",
"scorev3": "9.8",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-45853",
"detail": "not-applicable-config",
"description": "we don't build minizip"
},
{
"id": "CVE-2023-6992",
"summary": "Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). The issues resulted from improper input validation and heap-based buffer overflow.\nA local attacker could exploit the problem during compression using a crafted malicious file potentially leading to denial of service of the software.\nPatches: The issue has been patched in commit 8352d10 https://github.com/cloudflare/zlib/commit/8352d108c05db1bdc5ac3bdf834dad641694c13c . The upstream repository is not affected.\n",
"scorev2": "0.0",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6992",
"detail": "cpe-incorrect",
"description": "this CVE is for cloudflare zlib"
}
]
},
{
"name": "zstd",
"layer": "meta",
"version": "1.5.5",
"products": [
{
"product": "zstandard",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2019-11922",
"summary": "A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11922"
},
{
"id": "CVE-2021-24031",
"summary": "In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-24031"
},
{
"id": "CVE-2021-24032",
"summary": "Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-24032"
},
{
"id": "CVE-2022-4899",
"summary": "A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4899"
}
]
},
{
"name": "zstd-native",
"layer": "meta",
"version": "1.5.5",
"products": [
{
"product": "zstandard",
"cvesInRecord": "Yes"
}
],
"issue": [
{
"id": "CVE-2019-11922",
"summary": "A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.",
"scorev2": "6.8",
"scorev3": "8.1",
"vector": "NETWORK",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11922"
},
{
"id": "CVE-2021-24031",
"summary": "In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.",
"scorev2": "2.1",
"scorev3": "5.5",
"vector": "LOCAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-24031"
},
{
"id": "CVE-2021-24032",
"summary": "Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.",
"scorev2": "1.9",
"scorev3": "4.7",
"vector": "LOCAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-24032"
},
{
"id": "CVE-2022-4899",
"summary": "A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.",
"scorev2": "0.0",
"scorev3": "7.5",
"vector": "NETWORK",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"status": "Patched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4899"
}
]
}
]
}