CVSS: 7.0EPSS: 0%CPEs: 4EXPL: 1CVE-2018-0492 – GNU Beep 1.3 - 'HoleyBeep' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2018-0492
Johnathan Nightingale beep through 1.3.4, if setuid, has a race condition that allows local privilege escalation. beep, de Johnathan Nightingale, hasta la versión 1.3.4, con el permiso setuid tiene una condición de carrera que permite el escalado local de privilegios. • https://www.exploit-db.com/exploits/44452 https://lists.debian.org/debian-lts-announce/2018/04/msg00002.html https://lists.debian.org/debian-security-announce/2018/msg00089.html https://security-tracker.debian.org/tracker/CVE-2018-0492 https://security.gentoo.org/glsa/201805-15 https://www.debian.org/security/2018/dsa-4163 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.8EPSS: 0%CPEs: 21EXPL: 0CVE-2018-7566 – kernel: race condition in snd_seq_write() may lead to UAF or OOB-access
https://notcve.org/view.php?id=CVE-2018-7566
The Linux kernel 4.15 has a Buffer Overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user. El kernel de Linux 4.15 tiene un desbordamiento de búfer mediante una operación de escritura ioctl SNDRV_SEQ_IOCTL_SET_CLIENT_POOL en /dev/snd/seq por un usuario local. ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user can reset the pool size manually via ioctl concurrently, and this may lead to UAF or out-of-bound access. • http://lists.opensuse.org/opensuse-security-announce/2018-03/msg00067.html http://mailman.alsa-project.org/pipermail/alsa-devel/2018-February/132026.html http://www.securityfocus.com/bid/103605 https://access.redhat.com/errata/RHSA-2018:2384 https://access.redhat.com/errata/RHSA-2018:2390 https://access.redhat.com/errata/RHSA-2018:2395 https://access.redhat.com/errata/RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2019:1483 https://access.redhat.com/errata/RHSA-2019:1487 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 16EXPL: 0CVE-2018-6914 – ruby: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
https://notcve.org/view.php?id=CVE-2018-6914
Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 might allow attackers to create arbitrary directories or files via a .. (dot dot) in the prefix argument. Vulnerabilidad de salto de directorio en el método Dir.mktmpdir en la biblioteca tmpdir en Ruby, en versiones anteriores a la 2.2.10, versiones 2.3.x anteriores a la 2.3.7, versiones 2.4.x anteriores a la 2.4.4, versiones 2.5.x anteriores a la 2.5.1 y la versión 2.6.0-preview1, podría permitir que atacantes creen directorios o archivos arbitrarios mediante un .. (punto punto) en el argumento prefix. It was found that the tmpdir and tempfile modules did not sanitize their file name argument. • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html http://www.securityfocus.com/bid/103686 http://www.securitytracker.com/id/1042004 https://access.redhat.com/errata/RHSA-2018:3729 https://access.redhat.com/errata/RHSA-2018:3730 https://access.redhat.com/errata/RHSA-2018:3731 https://access.redhat.com/errata/RHSA-2019:2028 https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html& • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 16EXPL: 0CVE-2018-8778 – ruby: Buffer under-read in String#unpack
https://notcve.org/view.php?id=CVE-2018-8778
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker controlling the unpacking format (similar to format string vulnerabilities) can trigger a buffer under-read in the String#unpack method, resulting in a massive and controlled information disclosure. En Ruby, en versiones anteriores a la 2.2.10, versiones 2.3.x anteriores a la 2.3.7, versiones 2.4.x anteriores a la 2.4.4, versiones 2.5.x anteriores a la 2.5.1 y la versión 2.6.0-preview1, un atacante que controla el formato de desempaquetado (similar a las vulnerabilidades de cadena de formato) puede desencadenar una sublectura de búfer en el método String#unpack. Esto resulta en una gran divulgación de información controlada. A integer underflow was found in the way String#unpack decodes the unpacking format. An attacker, able to control the unpack format, could use this flaw to disclose arbitrary parts of the application's memory. • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html http://www.securityfocus.com/bid/103693 http://www.securitytracker.com/id/1042004 https://access.redhat.com/errata/RHSA-2018:3729 https://access.redhat.com/errata/RHSA-2018:3730 https://access.redhat.com/errata/RHSA-2018:3731 https://access.redhat.com/errata/RHSA-2019:2028 https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html& • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-134: Use of Externally-Controlled Format String •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2017-17742 – ruby: HTTP response splitting in WEBrick
https://notcve.org/view.php?id=CVE-2017-17742
Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick. Ruby, en versiones anteriores a la 2.2.10, versiones 2.3.x anteriores a la 2.3.7, versiones 2.4.x anteriores a la 2.4.4, versiones 2.5.x anteriores a la 2.5.1 y la versión 2.6.0-preview1, permite un ataque de separación de respuesta HTTP. Un atacante puede inyectar una clave y un valor manipulados en una respuesta HTTP para el servidor HTTP de WEBrick. It was found that WEBrick did not sanitize headers sent back to clients, resulting in a response-splitting vulnerability. • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html http://www.securityfocus.com/bid/103684 http://www.securitytracker.com/id/1042004 https://access.redhat.com/errata/RHSA-2018:3729 https://access.redhat.com/errata/RHSA-2018:3730 https://access.redhat.com/errata/RHSA-2018:3731 https://access.redhat.com/errata/RHSA-2019:2028 https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html& • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •