CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 1CVE-2021-20291 – containers/storage: DoS via malicious image
https://notcve.org/view.php?id=CVE-2021-20291
A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a malicious image, which when downloaded and stored by an application using containers/storage, would then cause a deadlock leading to a Denial of Service (DoS). Se encontró una vulnerabilidad de interbloqueo en "github.com/containers/storage" en versiones anteriores a 1.28.1. • https://bugzilla.redhat.com/show_bug.cgi?id=1939485 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5D7XL7FL24TWFMGQ3K2S72EOUSLZMKL https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPYOHNG2Q7DCAQZMGYLMENLKALGDLG3X https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WX24EITRXVHDM5M223BVTJA2ODF2FSHI https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNMB7O2UIXE34PGSCSOULGHPX5LIJBMM https:&#x • CWE-667: Improper Locking •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0CVE-2021-20270 – python-pygments: Infinite loop in SML lexer may lead to DoS
https://notcve.org/view.php?id=CVE-2021-20270
An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. Un bucle infinito en SMLLexer en Pygments versiones 1.5 hasta 2.7.3, puede conllevar a una denegación de servicio cuando se lleva a cabo el resaltado de sintaxis de un archivo fuente de Standard ML (SML), como es demostrado por la entrada que solo contiene la palabra clave "exception" • https://bugzilla.redhat.com/show_bug.cgi?id=1922136 https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html https://www.debian.org/security/2021/dsa-4889 https://www.oracle.com/security-alerts/cpuoct2021.html https://access.redhat.com/security/cve/CVE-2021-20270 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 7.5EPSS: 0%CPEs: 37EXPL: 0CVE-2020-27827 – lldp/openvswitch: denial of service via externally triggered memory leak
https://notcve.org/view.php?id=CVE-2020-27827
A flaw was found in multiple versions of OpenvSwitch. Specially crafted LLDP packets can cause memory to be lost when allocating data to handle specific optional TLVs, potentially causing a denial of service. The highest threat from this vulnerability is to system availability. Se encontró un fallo en múltiples versiones de OpenvSwitch. Los paquetes LLDP especialmente diseñados pueden causar que una memoria se pierda cuando se asignan datos para manejar TLV opcionales específicos, potencialmente causando una denegación de servicio. • https://bugzilla.redhat.com/show_bug.cgi?id=1921438 https://cert-portal.siemens.com/productcert/pdf/ssa-941426.pdf https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3T5XHPOGIPWCRRPJUE6P3HVC5PTSD5JS https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JYA4AMJXCNF6UPFG36L2TPPT32C242SP https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SKQWHG2SZJZSGC7PXVDAEJYBN7ESDR7D https://mail.openvswitch.org/pipermail/ovs-dev/2021&# • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2020-25657 – m2crypto: bleichenbacher timing attacks in the RSA decryption API
https://notcve.org/view.php?id=CVE-2020-25657
A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 Ciphertext. The highest threat from this vulnerability is to confidentiality. Se encontró un fallo en todas las versiones publicadas de m2crypto, donde son vulnerables a ataques de sincronización de Bleichenbacher en la API de descifrado RSA por medio del procesamiento cronometrado de texto cifrado PKCS#1 versión v1.5 válido. La mayor amenaza de esta vulnerabilidad es la confidencialidad • https://bugzilla.redhat.com/show_bug.cgi?id=1889823 https://access.redhat.com/security/cve/CVE-2020-25657 • CWE-203: Observable Discrepancy CWE-385: Covert Timing Channel •
CVSS: 10.0EPSS: 1%CPEs: 10EXPL: 1CVE-2020-27846 – crewjam/saml: authentication bypass in saml authentication
https://notcve.org/view.php?id=CVE-2020-27846
A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Se presenta una vulnerabilidad de verificación de firmas en crewjam/saml. Este fallo permite a un atacante omitir la autenticación SAML. • https://bugzilla.redhat.com/show_bug.cgi?id=1907670 https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9 https://grafana.com/blog/2020/12/17/grafana-6.7.5-7.2.3-and-7.3.6-released-with-important-security-fix-for-grafana-enterprise https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YUTKIRWT6TWU7DS6GF3EOANVQBFQZYI https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ICP3YRY2VUCNCF2VFUSK77ZMRIC77FEM https://mattermos • CWE-115: Misinterpretation of Input •