CVSS: 8.8EPSS: 1%CPEs: 9EXPL: 0CVE-2017-5062 – chromium-browser: use after free in chrome apps
https://notcve.org/view.php?id=CVE-2017-5062
A use after free in Chrome Apps in Google Chrome prior to 58.0.3029.81 for Mac, Windows, and Linux, and 58.0.3029.83 for Android, allowed a remote attacker to potentially perform out of bounds memory access via a crafted Chrome extension. Un uso de memoria previamente liberada en Chrome Apps en Google Chrome, en versiones anteriores a la 58.0.3029.81 para Mac, Windows y Linux y a la 58.0.3029.83 para Android, permitía que un atacante remoto pudiese realizar un acceso a la memoria fuera de límites mediante una extensión de Chrome manipulada. • http://www.securityfocus.com/bid/97939 http://www.securitytracker.com/id/1038317 https://access.redhat.com/errata/RHSA-2017:1124 https://chromereleases.googleblog.com/2017/04/stable-channel-update-for-desktop.html https://crbug.com/702896 https://security.gentoo.org/glsa/201705-02 https://access.redhat.com/security/cve/CVE-2017-5062 https://bugzilla.redhat.com/show_bug.cgi?id=1443840 • CWE-416: Use After Free •
CVSS: 3.1EPSS: 0%CPEs: 24EXPL: 0CVE-2017-3539 – OpenJDK: MD5 allowed for jar verification (Security, 8171121)
https://notcve.org/view.php?id=CVE-2017-3539
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121; Java SE Embedded: 8u121. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. • http://www.debian.org/security/2017/dsa-3858 http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html http://www.securityfocus.com/bid/97752 http://www.securitytracker.com/id/1038286 https://access.redhat.com/errata/RHSA-2017:1108 https://access.redhat.com/errata/RHSA-2017:1109 https://access.redhat.com/errata/RHSA-2017:1117 https://access.redhat.com/errata/RHSA-2017:1118 https://access.redhat.com/errata/RHSA-2017:1119 https://access.redhat.com/errata/RHS • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 4.3EPSS: 0%CPEs: 33EXPL: 0CVE-2017-3544 – OpenJDK: newline injection in the SMTP client (Networking, 8171533)
https://notcve.org/view.php?id=CVE-2017-3544
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121; Java SE Embedded: 8u121; JRockit: R28.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SMTP to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data. Note: Applies to client and server deployment of Java. • http://www.debian.org/security/2017/dsa-3858 http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html http://www.securityfocus.com/bid/97745 http://www.securitytracker.com/id/1038286 https://access.redhat.com/errata/RHSA-2017:1108 https://access.redhat.com/errata/RHSA-2017:1109 https://access.redhat.com/errata/RHSA-2017:1117 https://access.redhat.com/errata/RHSA-2017:1118 https://access.redhat.com/errata/RHSA-2017:1119 https://access.redhat.com/errata/RHS • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 25EXPL: 0CVE-2017-3533 – OpenJDK: newline injection in the FTP client (Networking, 8170222)
https://notcve.org/view.php?id=CVE-2017-3533
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121; Java SE Embedded: 8u121; JRockit: R28.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via FTP to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data. Note: Applies to client and server deployment of Java. • http://www.debian.org/security/2017/dsa-3858 http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html http://www.securityfocus.com/bid/97740 http://www.securitytracker.com/id/1038286 https://access.redhat.com/errata/RHSA-2017:1108 https://access.redhat.com/errata/RHSA-2017:1109 https://access.redhat.com/errata/RHSA-2017:1117 https://access.redhat.com/errata/RHSA-2017:1118 https://access.redhat.com/errata/RHSA-2017:1119 https://access.redhat.com/errata/RHS • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 16EXPL: 0CVE-2017-5454 – Mozilla: Sandbox escape allowing file system read access through file picker (MFSA 2017-12)
https://notcve.org/view.php?id=CVE-2017-5454
A mechanism to bypass file system access protections in the sandbox to use the file picker to access different files than those selected in the file picker through the use of relative paths. This allows for read only access to the local file system. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. Mecanismo para omitir las protecciones de acceso al sistema de archivos en el sandbox para emplear el picker de archivos para acceder a diferentes archivos que los seleccionados en el picker mediante el uso de rutas relativas. Esto permite acceso de solo lectura en el sistema de archivos local. • http://www.securityfocus.com/bid/97940 http://www.securitytracker.com/id/1038320 https://access.redhat.com/errata/RHSA-2017:1106 https://access.redhat.com/errata/RHSA-2017:1201 https://bugzilla.mozilla.org/show_bug.cgi?id=1349276 https://www.mozilla.org/security/advisories/mfsa2017-10 https://www.mozilla.org/security/advisories/mfsa2017-12 https://www.mozilla.org/security/advisories/mfsa2017-13 https://access.redhat.com/security/cve/CVE-2017-5454 https://bugzilla.redhat.com/sho • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •