CVSS: 3.1EPSS: 0%CPEs: 50EXPL: 0CVE-2017-10193 – OpenJDK: incorrect key size constraint check (Security, 8179101)
https://notcve.org/view.php?id=CVE-2017-10193
20 Jul 2017 — Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read acce... • http://www.debian.org/security/2017/dsa-3919 •
CVSS: 6.8EPSS: 0%CPEs: 53EXPL: 0CVE-2017-10198 – OpenJDK: incorrect enforcement of certificate path restrictions (Security, 8179998)
https://notcve.org/view.php?id=CVE-2017-10198
20 Jul 2017 — Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Succ... • http://www.debian.org/security/2017/dsa-3919 •
CVSS: 6.5EPSS: 0%CPEs: 50EXPL: 0CVE-2017-10243 – OpenJDK: insecure XML parsing in wsdlimport (JAX-WS, 8182054)
https://notcve.org/view.php?id=CVE-2017-10243
20 Jul 2017 — Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAX-WS). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded, JRocki... • http://www.debian.org/security/2017/dsa-3954 •
CVSS: 9.6EPSS: 0%CPEs: 51EXPL: 0CVE-2017-10089 – OpenJDK: insufficient access control checks in ServiceRegistry (ImageIO, 8172461)
https://notcve.org/view.php?id=CVE-2017-10089
20 Jul 2017 — Vulnerability in the Java SE component of Oracle Java SE (subcomponent: ImageIO). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can ... • http://www.debian.org/security/2017/dsa-3919 •
CVSS: 7.8EPSS: 79%CPEs: 16EXPL: 5CVE-2017-1000083 – Evince CBT File Command Injection
https://notcve.org/view.php?id=CVE-2017-1000083
14 Jul 2017 — backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a "--" command-line option substring, as demonstrated by a --checkpoint-action=exec=bash at the beginning of the filename. El archivo backend/comics/comics-document.c (también conocido como comic book backend) en versiones anteriores a la v3.24.1 de GNOME Evince permite que atacantes remoto... • https://packetstorm.news/files/id/150305 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 51%CPEs: 34EXPL: 0CVE-2017-9788 – httpd: Uninitialized memory reflection in mod_auth_digest
https://notcve.org/view.php?id=CVE-2017-9788
13 Jul 2017 — In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service. En Apache httpd, en versiones... • http://www.debian.org/security/2017/dsa-3913 • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-456: Missing Initialization of a Variable •
CVSS: 5.3EPSS: 5%CPEs: 28EXPL: 0CVE-2017-3142 – An error in TSIG authentication can permit unauthorized zone transfers
https://notcve.org/view.php?id=CVE-2017-3142
30 Jun 2017 — An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into: providing an AXFR of a zone to an unauthorized recipient or accepting bogus NOTIFY packets. Affects BIND 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0... • http://www.securityfocus.com/bid/99339 • CWE-20: Improper Input Validation CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 23%CPEs: 28EXPL: 1CVE-2017-3143 – An error in TSIG authentication can permit unauthorized dynamic updates
https://notcve.org/view.php?id=CVE-2017-3143
30 Jun 2017 — An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. Affects BIND 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0->9.11.1-P1, 9.9.3-S1->9.9.10-S2, 9.10.5-S1->9.10.5-S2. Un atacante que pueda enviar y recibir mensajes a un servidor DNS autoritativo y que conozca un nombre de clave TSIG válido para la zona ... • https://github.com/saaph/CVE-2017-3143 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 53%CPEs: 39EXPL: 0CVE-2017-7668 – httpd: ap_find_token() buffer overread
https://notcve.org/view.php?id=CVE-2017-7668
20 Jun 2017 — The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value. Los cambios en el análisis sintáctico estricto de HTTP añadidos en las versiones 2.2.32 y 2.4.24 de Apache httpd introdujeron un error en el análisis de listas... • http://www.debian.org/security/2017/dsa-3896 • CWE-122: Heap-based Buffer Overflow CWE-125: Out-of-bounds Read CWE-126: Buffer Over-read •
CVSS: 9.8EPSS: 8%CPEs: 35EXPL: 0CVE-2017-3167 – httpd: ap_get_basic_auth_pw() authentication bypass
https://notcve.org/view.php?id=CVE-2017-3167
20 Jun 2017 — In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. En Apache httpd, en versiones 2.2.x anteriores a la 2.2.33 y versiones 2.4.x anteriores a la 2.4.26, el uso de ap_get_basic_auth_pw() por parte de módulos de terceros fuera de la fase de autenticación puede dar lugar a que se omitan requisitos de autenticación.. It was discovered that the use of httpd... • http://www.debian.org/security/2017/dsa-3896 • CWE-287: Improper Authentication •