CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 3CVE-2019-19203 – oniguruma: Heap-based buffer over-read in function gb18030_mbc_enc_len in file gb18030.c
https://notcve.org/view.php?id=CVE-2019-19203
An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced without checking if it passed the end of the matched string. This leads to a heap-based buffer over-read. Se detectó un problema en Oniguruma versiones 6.x anteriores a 6.9.4_rc2. En la función gb18030_mbc_enc_len en el archivo gb18030.c, un puntero UChar es desreferenciado sin comprobar si pasó el final de la cadena coincidente. • https://github.com/ManhNDd/CVE-2019-19203 https://github.com/tarantula-team/CVE-2019-19203 https://github.com/kkos/oniguruma/issues/163 https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NO267PLHGYZSWX3XTRPKYBKD4J3YOU5V https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3MBNW6Z4DOXSCNWGBLQ7OA3OGUJ44WL https://access.redhat.com/security/cve/CVE-2019-19203 https://bu • CWE-125: Out-of-bounds Read •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 3CVE-2019-19204 – oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c
https://notcve.org/view.php?id=CVE-2019-19204
An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read. Se detectó un problema en Oniguruma versiones 6.x anteriores a 6.9.4_rc2. En la función fetch_interval_quantifier (anteriormente conocida como fetch_range_quantifier) ?? • https://github.com/ManhNDd/CVE-2019-19204 https://github.com/tarantula-team/CVE-2019-19204 https://github.com/kkos/oniguruma/issues/162 https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2 https://lists.debian.org/debian-lts-announce/2019/12/msg00002.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NO267PLHGYZSWX3XTRPKYBKD4J3YOU5V https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3MBNW6Z4DOXSCNWGBLQ7OA3OGUJ44WL ht • CWE-125: Out-of-bounds Read •
CVSS: 7.5EPSS: 2%CPEs: 11EXPL: 0CVE-2019-6477 – TCP-pipelined queries can bypass tcp-clients limit
https://notcve.org/view.php?id=CVE-2019-6477
With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem). Con pipelining habilitada, cada consulta entrante en una conexión TCP requiere una asignación de recursos similar a una consulta recibida por medio de UDP o TCP sin pipelining habilitada. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html https://kb.isc.org/docs/cve-2019-6477 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3DEMNZMKR57VQJCG5ZN55ZGTQRL2TFQ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XGURMGQHX45KR4QDRCSUQHODUFOGNGAN https://support.f5.com/csp/article/K15840535?utm_source=f5support&%3Butm_medium=RSS http • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.3EPSS: 0%CPEs: 4EXPL: 1CVE-2019-18934 – unbound: command injection with data coming from a specially crafted IPSECKEY answer
https://notcve.org/view.php?id=CVE-2019-18934
Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration. Unbound versiones 1.6.4 hasta 1.9.4, contiene una vulnerabilidad en el módulo ipsec que puede causar una ejecución de código de shell después de recibir una respuesta especialmente diseñada. Este problema solo puede ser activado si unbound fue compilado con el soporte "--enable-ipsecmod", e ipsecmod está habilitado y usado en la configuración. A shell command injection vulnerability was discovered in the way unbound handles DNS queries for systems with a public key used for IPsec. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00067.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00069.html http://www.openwall.com/lists/oss-security/2019/11/19/1 https://github.com/NLnetLabs/unbound/blob/release-1.9.5/doc/Changelog https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCR6JP7MSRARTOGEHGST64G4FJGX5VK https://www.nlnetlabs.nl/downloads/unbound/CVE-2019-18934.txt https://www.nlnetlabs.nl/news/2019/No • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.1EPSS: 1%CPEs: 6EXPL: 0CVE-2019-18887
https://notcve.org/view.php?id=CVE-2019-18887
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel. Se detectó un problema en Symfony versiones 2.8.0 hasta 2.8.50, 3.4.0 hasta 3.4.34, 4.2.0 hasta 4.2.11 y 4.3.0 hasta 4.3.7. El UriSigner estaba sujeto a ataques de sincronización. • https://github.com/symfony/symfony/releases/tag/v4.3.8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ https://symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner https://symfony.com/blog/ • CWE-203: Observable Discrepancy •