CVE-2021-2147
https://notcve.org/view.php?id=CVE-2021-2147
Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Installation). The supported version that is affected is 8.8. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle ZFS Storage Appliance Kit executes to compromise Oracle ZFS Storage Appliance Kit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle ZFS Storage Appliance Kit accessible data. • https://www.oracle.com/security-alerts/cpuapr2021.html •
CVE-2021-2149
https://notcve.org/view.php?id=CVE-2021-2149
Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Core). The supported version that is affected is 8.8. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle ZFS Storage Appliance Kit executes to compromise Oracle ZFS Storage Appliance Kit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle ZFS Storage Appliance Kit accessible data. CVSS 3.1 Base Score 2.5 (Integrity impacts). • https://www.oracle.com/security-alerts/cpuapr2021.html •
CVE-2021-3449 – NULL pointer deref in signature_algorithms processing
https://notcve.org/view.php?id=CVE-2021-3449
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. • http://www.openwall.com/lists/oss-security/2021/03/27/1 http://www.openwall.com/lists/oss-security/2021/03/27/2 http://www.openwall.com/lists/oss-security/2021/03/28/3 http://www.openwall.com/lists/oss-security/2021/03/28/4 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148 https://kb.pulse • CWE-476: NULL Pointer Dereference •
CVE-2021-28957 – python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS
https://notcve.org/view.php?id=CVE-2021-28957
An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3. Se ha descubierto una vulnerabilidad XSS en las versiones del módulo clean de python-lxml anteriores a la versión 4.6.3. • https://bugs.launchpad.net/lxml/+bug/1888153 https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999 https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270 https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ https://security • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-22191
https://notcve.org/view.php?id=CVE-2021-22191
Improper URL handling in Wireshark 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11 could allow remote code execution via via packet injection or crafted capture file. Un manejo inapropiado de la URL en Wireshark versiones 3.4.0 hasta 3.4.3 y versiones 3.2.0 hasta 3.2.1,1 podría permitir una ejecución de código remota por medio de una inyección de paquetes o un archivo de captura diseñado • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22191.json https://gitlab.com/wireshark/wireshark/-/issues/17232 https://lists.debian.org/debian-lts-announce/2022/03/msg00041.html https://security.gentoo.org/glsa/202107-21 https://www.oracle.com/security-alerts/cpuApr2021.html https://www.wireshark.org/security/wnpa-sec-2021-03.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •