CVSS: 9.8EPSS: 1%CPEs: 23EXPL: 1CVE-2017-7786 – Mozilla: Buffer overflow while painting non-displayable SVG (MFSA 2017-19)
https://notcve.org/view.php?id=CVE-2017-7786
A buffer overflow can occur when the image renderer attempts to paint non-displayable SVG elements. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Puede ocurrir un desbordamiento de búfer cuando el renderizador de imagen intenta pintar elementos SVG no mostrables. Esto resulta en un cierre inesperado potencialmente explotable. • http://www.securityfocus.com/bid/100206 http://www.securitytracker.com/id/1039124 https://access.redhat.com/errata/RHSA-2017:2456 https://access.redhat.com/errata/RHSA-2017:2534 https://bugzilla.mozilla.org/show_bug.cgi?id=1365189 https://security.gentoo.org/glsa/201803-14 https://www.debian.org/security/2017/dsa-3928 https://www.debian.org/security/2017/dsa-3968 https://www.mozilla.org/security/advisories/mfsa2017-18 https://www.mozilla.org/security/advisories/mfsa2017-19 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •
CVSS: 8.1EPSS: 0%CPEs: 18EXPL: 1CVE-2017-7807 – Mozilla: Domain hijacking through appcache fallback (MFSA 2017-19)
https://notcve.org/view.php?id=CVE-2017-7807
A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Un mecanismo que utiliza AppCache para secuestrar una URL en un dominio utilizando fallback sirviendo los archivos desde una subruta en el dominio. Esto se ha solucionado al requerir que los archivos fallback estén dentro del directorio manifest. • http://www.securityfocus.com/bid/100242 http://www.securitytracker.com/id/1039124 https://access.redhat.com/errata/RHSA-2017:2456 https://access.redhat.com/errata/RHSA-2017:2534 https://bugzilla.mozilla.org/show_bug.cgi?id=1376459 https://security.gentoo.org/glsa/201803-14 https://www.debian.org/security/2017/dsa-3928 https://www.debian.org/security/2017/dsa-3968 https://www.mozilla.org/security/advisories/mfsa2017-18 https://www.mozilla.org/security/advisories/mfsa2017-19 • CWE-20: Improper Input Validation CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2017-7537 – pki-core: mock CMC authentication plugin with hardcoded secret enabled by default
https://notcve.org/view.php?id=CVE-2017-7537
It was found that a mock CMC authentication plugin with a hardcoded secret was accidentally enabled by default in the pki-core package before 10.6.4. An attacker could potentially use this flaw to bypass the regular authentication process and trick the CA server into issuing certificates. Se ha detectado que un plugin de autenticación CMC simulado con un secreto embebido se ha habilitado por accidente y por defecto en el paquete pki-core en versiones anteriores a la 10.6.4. Un atacante podría utilizar este fallo para omitir el proceso de autenticación regular y engañar al servidor CA para que envíe certificados. It was found that a mock CMC authentication plugin with a hardcoded secret was accidentally enabled by default in the pki-core package. • https://access.redhat.com/errata/RHSA-2017:2335 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7537 https://github.com/dogtagpki/pki/commit/876d13c6d20e7e1235b9 https://access.redhat.com/security/cve/CVE-2017-7537 https://bugzilla.redhat.com/show_bug.cgi?id=1470817 • CWE-287: Improper Authentication CWE-592: DEPRECATED: Authentication Bypass Issues CWE-798: Use of Hard-coded Credentials •
CVSS: 7.5EPSS: 4%CPEs: 25EXPL: 0CVE-2017-10664 – Qemu: qemu-nbd: server breaks with SIGPIPE upon client abort
https://notcve.org/view.php?id=CVE-2017-10664
qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt. qemu-nbd en QEMU (Quick Emulator) no ignora la señal SIGPIPE, lo que permite a atacantes remotos provocar una denegación de servicio desconectando el proceso durante un intento de respuesta de servidor a cliente. Quick Emulator (QEMU) built with the Network Block Device (NBD) Server support is vulnerable to a crash via a SIGPIPE signal. The crash can occur if a client aborts a connection due to any failure during negotiation or read operation. A remote user/process could use this flaw to crash the qemu-nbd server resulting in a Denial of Service (DoS). • http://www.debian.org/security/2017/dsa-3920 http://www.openwall.com/lists/oss-security/2017/06/29/1 http://www.securityfocus.com/bid/99513 https://access.redhat.com/errata/RHSA-2017:2390 https://access.redhat.com/errata/RHSA-2017:2445 https://access.redhat.com/errata/RHSA-2017:3466 https://access.redhat.com/errata/RHSA-2017:3470 https://access.redhat.com/errata/RHSA-2017:3471 https://access.redhat.com/errata/RHSA-2017:3472 https://access.redhat.com/errata/RH • CWE-248: Uncaught Exception •
CVSS: 3.5EPSS: 0%CPEs: 20EXPL: 0CVE-2017-3653 – mysql: Server: DDL unspecified vulnerability (CPU Jul 2017)
https://notcve.org/view.php?id=CVE-2017-3653
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Integrity impacts). • http://www.debian.org/security/2017/dsa-3922 http://www.debian.org/security/2017/dsa-3944 http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.securityfocus.com/bid/99810 http://www.securitytracker.com/id/1038928 https://access.redhat.com/errata/RHSA-2017:2787 https://access.redhat.com/errata/RHSA-2017:2886 https://access.redhat.com/errata/RHSA-2018:0279 https://access.redhat.com/errata/RHSA-2018:0574 https://access.redhat.com/errata/RHSA& •