CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2017-9108
https://notcve.org/view.php?id=CVE-2017-9108
An issue was discovered in adns before 1.5.2. adnshost mishandles a missing final newline on a stdin read. It is wrong to increment used as well as setting r, since used is incremented according to r, later. Rather one should be doing what read() would have done. Without this fix, adnshost may read and process one byte beyond the buffer, perhaps crashing or perhaps somehow leaking the value of that byte. Se detectó un problema en adns versiones anteriores a 1.5.2. adnshost maneja inapropiadamente una falta de una nueva línea final en una lectura estándar. • http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git%3Ba=blob%3Bf=changelog https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRVHN3GGVNQWAOL3PWC5FLAV7HUESLZR https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UGFZ4SPV6KFQK6ZNUZFB5Y32OYFOM5YJ https://www.chiark.greenend.org.uk/pipermail/adns-announce/2020/000004.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2017-9109
https://notcve.org/view.php?id=CVE-2017-9109
An issue was discovered in adns before 1.5.2. It fails to ignore apparent answers before the first RR that was found the first time. when this is fixed, the second answer scan finds the same RRs at the first. Otherwise, adns can be confused by interleaving answers for the CNAME target, with the CNAME itself. In that case the answer data structure (on the heap) can be overrun. With this fixed, it prefers to look only at the answer RRs which come after the CNAME, which is at least arguably correct. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00037.html http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git%3Ba=blob%3Bf=changelog https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRVHN3GGVNQWAOL3PWC5FLAV7HUESLZR https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UGFZ4SPV6KFQK6ZNUZFB5Y32OYFOM5YJ https://www.chiark.greenend.org.uk/piper • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 6.3EPSS: 0%CPEs: 11EXPL: 0CVE-2020-3350 – Cisco AMP for Endpoints and ClamAV Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2020-3350
A vulnerability in the endpoint software of Cisco AMP for Endpoints and Clam AntiVirus could allow an authenticated, local attacker to cause the running software to delete arbitrary files on the system. The vulnerability is due to a race condition that could occur when scanning malicious files. An attacker with local shell access could exploit this vulnerability by executing a script that could trigger the race condition. A successful exploit could allow the attacker to delete arbitrary files on the system that the attacker would not normally have privileges to delete, producing system instability or causing the endpoint software to stop working. Una vulnerabilidad en el software de endpoint de Cisco AMP para Endpoints y Clam AntiVirus, podría permitir a un atacante local autenticado causar que el software en ejecución elimine archivos arbitrarios en el sistema. • https://lists.debian.org/debian-lts-announce/2020/08/msg00010.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IJ67VH37NCG25PICGWFWZHSVG7PBT7MC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QM7EXJHDEZJLWM2NKH6TCDXOBP5NNYIN https://security.gentoo.org/glsa/202007-23 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-famp-ZEpdXy https://usn.ubuntu.com/4435-1 https://usn.ubuntu.com/4435-2 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.9EPSS: 1%CPEs: 9EXPL: 0CVE-2020-14422 – python: DoS via inefficiency in IPv{4,6}Interface classes
https://notcve.org/view.php?id=CVE-2020-14422
Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2. La biblioteca Lib/ipaddress.py en Python versiones hasta 3.8.3, calcula inapropiadamente los valores de hash en las clases IPv4Interface e IPv6Interface, lo que podría permitir a un atacante remoto causar una denegación de servicio si una aplicación está afectada por el desempeño de un diccionario que contiene objetos de IPv4Interface o IPv6Interface, y este atacante puede causar que muchas entradas de diccionario sean creadas. Esto esta corregido en las versiones: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2 A vulnerability was found in the way the ipaddress python module computes hash values in the IPv4Interface and IPv6Interface classes. This flaw allows an attacker to create many dictionary entries, due to the performance of a dictionary containing the IPv4Interface or IPv6Interface objects, possibly resulting in a denial of service. • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00041.html https://bugs.python.org/issue41004 https://github.com/python/cpython/pull/20956 https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html https://lists.debian.org/debian-lts-announce/2023/ • CWE-330: Use of Insufficiently Random Values CWE-400: Uncontrolled Resource Consumption CWE-682: Incorrect Calculation •
CVSS: 4.9EPSS: 0%CPEs: 11EXPL: 0CVE-2020-8619 – A buffer boundary check assertion in rdataset.c can fail incorrectly during zone transfer
https://notcve.org/view.php?id=CVE-2020-8619
In ISC BIND9 versions BIND 9.11.14 -> 9.11.19, BIND 9.14.9 -> 9.14.12, BIND 9.16.0 -> 9.16.3, BIND Supported Preview Edition 9.11.14-S1 -> 9.11.19-S1: Unless a nameserver is providing authoritative service for one or more zones and at least one zone contains an empty non-terminal entry containing an asterisk ("*") character, this defect cannot be encountered. A would-be attacker who is allowed to change zone content could theoretically introduce such a record in order to exploit this condition to cause denial of service, though we consider the use of this vector unlikely because any such attack would require a significant privilege level and be easily traceable. En las versiones ISC BIND9 BIND 9.11.14 -> 9.11.19, BIND 9.14.9 -> 9.14.12, BIND 9.16.0 -> 9.16.3, BIND Supported Preview Edition 9.11.14-S1 -> 9.11.19-S1: A menos que un servidor de nombres proporcione un servicio autorizado para una o más zonas y al menos una zona contenga una entrada sin terminal vacía que contenga un carácter asterisco ("*"), este defecto no puede ser encontrado. Un posible atacante al que se le permite cambiar el contenido de la zona, podría introducir teóricamente dicho registro para explotar esta condición y causar una denegación de servicio, aunque consideramos que el uso de este vector es poco probable porque cualquier ataque requeriría de un nivel de privilegio significativo y que sea fácilmente rastreable A flaw was found in bind when an asterisk character is present in an empty non-terminal location within the DNS graph. This flaw could trigger an assertion failure, causing bind to crash. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html https://kb.isc.org/docs/cve-2020-8619 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CNFTTYJ5JJJJ6QG3AHXJGDIIEYMDFWFW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EIOXMJX4N3LBKC65OXNBE52W4GAS7QEX https://security.netapp.com/advisory/ntap-20200625-0003 https://usn.ubuntu.com/4399-1 • CWE-404: Improper Resource Shutdown or Release CWE-617: Reachable Assertion •